What is the least file and folder permission necessary to open and run an application?

Symptoms


Article Summary: This article discusses NTFS permissions and share permissions in Windows and how they work together to regulate access to files and folders.


 

Windows provides two sets of permissions to restrict access to files and folders: NTFS permissions and share permissions.

  • NTFS permissions are applied to every file and folder stored on a volume formatted with the NTFS file system. By default, permissions are inherited from a root folder to the files and subfolders beneath it, though this inheritance can be disabled. NTFS permissions take effect regardless of whether a file or folder is accessed locally or remotely. NTFS permissions, at the basic level, offer access levels of Read, Read and Execute, Write, Modify, List Folder Contents, and Full Control.

    There is also an advanced set of NTFS permissions, which divides the basic access levels into more granular settings. These advanced permissions vary depending on the type of object to which they are applied.

  • Share permissions are only applied to shared folders. They take effect when a shared folder is accessed across a network from a remote machine. The share permissions on a particular shared folder apply to that folder and its contents. Share permissions are less granular than NTFS permissions, offering access levels of Read, Change, and Full Control.

The most important thing to remember about NTFS permissions and share permissions is the manner in which they combine to regulate access.
The rules for determining a user's level of access to a particular file are as follows:

  • If the file is accessed locally, only the NTFS permissions are used to determine the user's level of access.
  • If the file is accessed through a share, NTFS and share permissions are both used, and the most restrictive permission applies. For example, if the share permissions on the shared folder grant the user Read access and the NTFS permissions grant the user Modify access, the user's effective permission level is Read when accessing the share remotely and Modify when accessing the folder locally.
  • A user's individual permissions combine additively with the permissions of the groups that the user is a member of. If a user has Read access to a file, but the user is a member of a group that has Modify access to the same file, the user's effective permission level is Modify.
  • Permissions assigned directly to a particular file or folder (explicit permissions) take precedence over permissions inherited from a parent folder (inherited permissions).
  • Explicit Deny permissions take precedence over explicit Allow permissions, but because of the previous rule, explicit Allow permissions take precedence over inherited Deny permissions.
 

One of the most critical security concepts is permissions management: ensuring that proper permissions are set for users – and that usually means knowing the difference between share and NTFS permissions.

Share and NTFS permissions function completely separately from each other, but ultimately serve the same purpose: to prevent unauthorized access.

However, when NTFS and share permissions interact or when a shared folder is in a separate shared folder with different share permissions, users might not be able to access their data or they can get higher levels of access than security admins intend.

Here are key differences between share and NTFS permissions so you’ll know what to do.

What is NTFS?

A file system is a way of organizing a drive, indicating how data is stored on the drive and what types of information can be attached to files, such as permissions and file names.

NTFS stands for New Technology File System. NTFS is the latest file system that the Windows NT operating system uses for storing and retrieving files. Prior to NTFS, the file allocation table (FAT) file system was the primary file system in Microsoft’s older operating systems, and was designed for small disks and simple folder structures.

The NTFS file system supports larger file sizes and hard drives and is more secure than FAT. Microsoft first introduced NTFS in 1993 with the release of Windows NT 3.1. It is the file system used in Microsoft’s Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP, Windows 2000, and Windows NT operating systems.

NTFS Permissions

NTFS permissions are used to manage access to the files and folders that are stored in NTFS file systems.

To see what kind of permissions you will be extending when you share a file or folder:

  • Right click on the file/folder
  • Go to “Properties”
  • Click on the “Security” tab

You’ll then see the permissions window for that file or folder.

Besides Full Control, Change, and Read, which can be set for groups or individual users, NTFS offers a few more permission options:

  1. Full control: Allows users to read, write, change, and delete files and subfolders. In addition, users can change permissions settings for all files and subdirectories.
  2. Modify: Allows users to read and write files and subfolders; also allows deletion of the folder.
  3. Read & execute: Allows users to view and run executable files, including scripts.
  4. List folder contents: Permits viewing and listing of files and subfolders as well as executing of files; inherited by folders only.
  5. Read: Allows users to view the folder and subfolder contents.
  6. Write: Allows users to add files and subfolders and to write to a file.

If you’re ever involved in permissions management within your organization, you’ll eventually encounter ‘broken’ permissions. Rest assured, they’re repairable.

Share Permissions

When you share a folder and want to set the permissions for that folder – that’s a share. Essentially, share permissions determine the type of access others have to the shared folder across the network.

To see what kind of permissions you will be extending when you share a folder:

  • Right click on the folder
  • Go to “Properties”
  • Click on the “Sharing” tab
  • Click on “Advanced Sharing…”
  • Click on “Permissions”

This opens the share permissions window.

There are three types of share permissions: Full Control, Change, and Read.

  1. Full Control: Enables users to “read,” “change,” as well as edit permissions and take ownership of files.
  2. Change: Users can read/execute/write/delete folders/files within the share.
  3. Read: Read allows users to view the folder’s contents.

A Caveat on Share Permissions

Sometimes, when you have multiple shares on a server which are nested beneath each other, permissions can get complicated and messy.

For instance, if you have a “Read” share permission on a subfolder but then someone creates a “Modify” share permission above it at a higher root, you may have people getting higher levels of access than you intend.

There’s a way around this, which I’ll get to below.

How to Use Share and NTFS Permissions Together

One of the common questions that comes up when you’re configuring security is “what happens when share and NTFS permissions interact with each other?”

When you are using share and NTFS permissions together, the most restrictive permission wins.

Consider the following examples:

If the share permissions are “Read” and the NTFS permissions are “Full control”, a user who accesses the file on the share will be given “Read” permission.


If the share permissions are “Full Control” and the NTFS permissions are “Read”, a user who accesses the file on the share will still be given “Read” permission.
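
The combination rules listed near the top of the page and the two cases above can be checked with a small model. This is an added example, not code from the original article: the right sets are a simplified stand-in for real Windows access masks, and the names `alice` and `Sales` are constructed sample identities.

```python
from collections import namedtuple

R, X, W, D, P = "read", "execute", "write", "delete", "change_permissions"
# Simplified right sets for the basic levels (assumption: real ACLs use finer access masks).
NTFS = {"Read": {R}, "Read & execute": {R, X}, "Write": {W},
        "Modify": {R, X, W, D}, "Full control": {R, X, W, D, P}}
SHARE = {"Read": {R, X}, "Change": {R, X, W, D}, "Full Control": {R, X, W, D, P}}

# kind is "allow" or "deny"; inherited=True means the entry came from a parent folder.
Ace = namedtuple("Ace", "principal kind level inherited")

def ntfs_rights(aces, identities):
    """Rights the NTFS ACL grants to a user plus all of the user's groups."""
    granted, denied = set(), set()
    # Explicit entries before inherited ones; within each tier, deny before allow.
    ordered = sorted((a for a in aces if a.principal in identities),
                     key=lambda a: (a.inherited, a.kind != "deny"))
    for ace in ordered:
        if ace.kind == "deny":
            denied |= NTFS[ace.level] - granted   # cannot revoke an earlier allow
        else:
            granted |= NTFS[ace.level] - denied   # cannot override an earlier deny
    return granted

def share_rights(share_acl, identities):
    """Union of the share levels allowed to the user and the user's groups."""
    rights = set()
    for principal, level in share_acl.items():
        if principal in identities:
            rights |= SHARE[level]
    return rights

def effective(aces, share_acl, identities, remote):
    """Local access uses NTFS only; access through a share is the intersection."""
    local = ntfs_rights(aces, identities)
    return local & share_rights(share_acl, identities) if remote else local

# Constructed sample: alice is a member of Sales; the share grants Sales Read.
ALICE = {"alice", "Sales"}
SHARE_ACL = {"Sales": "Read"}
ACL = [Ace("alice", "allow", "Read", False),
       Ace("Sales", "allow", "Modify", False),
       Ace("Sales", "deny", "Write", True)]   # inherited deny from the parent folder

if __name__ == "__main__":
    print("local :", sorted(effective(ACL, SHARE_ACL, ALICE, remote=False)))
    print("remote:", sorted(effective(ACL, SHARE_ACL, ALICE, remote=True)))
```

In the sample, the explicit Modify granted through the group outranks the inherited Deny on Write, so local access is Modify-level, while the same user arriving through the share is cut down to the share's Read.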


Managing NTFS Permissions and Share Permissions

If you find working with two separate sets of permissions to be too complicated or time consuming to manage, you can switch to using only NTFS permissions.

When you look at the examples above, with just three permission settings, shared folder permissions provide limited security for your folders. Therefore, you gain the greatest flexibility by using NTFS permissions to control access to shared folders.

Moreover, NTFS permissions apply whether the resource is accessed locally or over the network.

To rely on NTFS permissions alone, change the share permissions for the folder to “Full Control.”

You can then make whatever changes you want to the NTFS permissions without having to worry about the share permissions interfering with your changes.

Michael Buckbee

Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.

What is the minimum permission needed to change the attributes of a file?

Which of the following is the minimum permission needed to change the attributes of a file? D - The Write permission allows the identity to write to a file, append to the file, and read or change the file's attributes.

Which type of permission is granted directly to a file or folder?

Permissions assigned directly to a particular file or folder (explicit permissions) take precedence over permissions inherited from a parent folder (inherited permissions).

Which NTFS permission for a folder is defined as enabling you to read write and delete both files and subfolders?

Full control: Allows users to read, write, change, and delete files and subfolders. In addition, users can change permissions settings for all files and subdirectories. Modify: Allows users to read and write of files and subfolders; also allows deletion of the folder.

Which of the following best describes share permissions?

There are three types of share permissions: Full Control, Change and Read. You can set each of them to “Deny” or “Allow” to control access to shared folders or drives: Read — Users can view file and subfolder names, read data in files, and run programs.