Both share and NTFS permissions serve the same purpose within Windows environments; namely, to help you prevent unauthorized access to your critical folders. However, there are some critical differences between the two that will determine which one you use.
In this blog we will learn about what share permissions and NTFS permissions are, what the differences between the two are, and the best practices for using them.
What Are Share Permissions?
Simply put, share permissions allow you to control who accesses folders over the network (they will not apply to those users who are accessing locally). In share permissions, you cannot control access to individual subfolders or objects on a share. Instead, share permissions apply to all of the files and folders within the share. Share permissions can be used with NTFS, FAT, and FAT32 file systems and allow you to determine the number of users who can access the shared folder.
Share Permission Types
- Full Control: Allows users to create, read, update and delete files and folders in a directory, as well as NTFS files and folders. By default, the “Administrators” group is granted “Full Control” permissions.
- Change: Allows users to read files, as well as add, edit and delete files and folders. “Change” permissions are not assigned by default.
- Read: Allows users to read content in files and folders, as well as execute programs. The “Everyone” group is assigned “Read” permissions by default.
What Are NTFS Permissions?
New Technology File System (NTFS) is used to manage data stored on NTFS file systems and is the de facto file system for Windows NT and later operating systems. Unlike share permissions, NTFS permissions affect both network and local users. The types of NTFS permissions available are similar to share permissions but go into a bit more detail.
The basic types of access permissions for NTFS are Full Control, Modify, Read & Execute, Read and Write. Most of these are self-explanatory, and similar to share permissions. Read & Execute rights allow users to run executables, including scripts. The basic types of access permissions are described in more detail below.
NTFS Permission Types
- Full Control: Allows users to create, read, write, edit and delete files, folders and sub-folders. Users can also change the permissions for all files and folders in a directory.
- Modify: Allows users to modify and delete the files, file properties and folders in a directory.
- Read & execute: Allows users to read files and run executables, including scripts.
- List folder contents: Allows users to view a list of all files, folders and sub-folders in a directory. They can also view folder attributes and permissions, and even execute files, but they cannot view file contents.
- Read: Allows users to read files, file properties and folders in a directory.
- Write: Allows users to write to a file and add files to directories.
Differences Between NTFS and Share Permissions
The type of permissions you choose to use will depend on what you’re looking to achieve and the resources you have available to you. Before deciding which permissions to use, there are a number of important differences between NTFS and Share permissions that you should be aware of. These differences are described below;
- NTFS permissions provide more granular control over shared folders and their contents than Share permissions
- When Share and NTFS permissions are used together, the most restrictive permissions are chosen by default. For example, if NTFS permissions are set to “Everyone Modify Allow”, and Share permissions are set to “Everyone Read Allow”, the Share permissions will override the NTFS permissions as they are more restrictive.
- Unlike NTFS permissions, Share permissions can be applied to FAT and FAT32 file systems.
- Unlike Share permissions, NTFS permissions apply to users who are logged on to the server locally.
- , Unlike NTFS permissions, share permissions allow you to restrict the number of concurrent connections to a shared folder.
- Share and NTFS permissions are configured in different locations. Share permissions are configured in the “Advanced Sharing” properties in the “Permissions” settings, while NTFS permissions are configured on the Security tab in the file or folder properties.
Best Practices for Using Permissions
Your entire objective when using permissions should be to operate on a policy of least privilege, where users only have access to the files and folders they need to do their job. To help achieve this, there are a number of things you can do:
- Don’t assign permissions to user accounts: Permissions should be assigned only to groups in order to simplify the management of access to shared resources. If an employee in your organization changes roles and requires a new set of permissions, you can simply remove them and add them to the most appropriate groups.
- Use the Administrators group wisely: Users in this group will be able to do anything with your files and folders, including changing permissions. There are very few users who warrant this kind of control, and those that do need to be audited and monitored closely. You should use a third-party File Server audit solution to audit, monitor, and alert on changes administrators are making to your files and folders.
- Group objects together depending on security requirements: If there is a load of folders that apply to one particular department in the organization, group them into a parent folder and share that parent folder. This will save you from having to go through and share each folder individually.
How To Manage Permissions
If you find working with two separate sets of permissions too difficult to manage, you are probably better off using only NTFS permissions, as the added granularity will provide more flexibility and thus better security. Not only that, but NTFS permissions can be applied whether the resource is accessed locally or over the network. To use NTFS permissions by default, simply change the Share permissions for the folder to “Full Control.” That way, any changes you make to NTFS permissions will override the Share permissions.
If you want to get the NTFS permissions reports using PowerShell, please check this article.
If you want to better understand the permissions and privileges in your organization and ensure that you are operating on a principle of least privilege, see how Lepide File Server Auditor can help you.