Active Directory Fundamentals

Managing shared resources

Introduction

When sharing resources on a common network, the biggest concern is delegating the right level of access to those resources. Permissions management is a critical security process, since mistakes in it leave an organization exposed to data breaches. For example, consider a scenario where a new sales employee joins an organization. They need access to things like sales volumes, past sales data, and sales forecasts, but they don't need access to HR documents. In cases like this, it's necessary to establish the level of access granted to each user and to limit it on an as-needed basis. Defining separate levels of access for different users is also what keeps data secure.

NTFS permissions

New Technology File System (NTFS) is the standard file system provided by Microsoft. Access to any data stored on an NTFS volume is governed by NTFS permissions. These permissions can be enforced for both local and network users and are granted at the logon stage.

Types of NTFS permissions

There are two types of NTFS permissions: basic and advanced. Access to NTFS objects is controlled by marking each listed permission as Allow or Deny.

The following are the basic types of access permissions:

  • Full control: When users are provided with this access permission, they can perform all functions, including adding, moving, modifying, and deleting files and directories. These users can also change permissions settings for all files and subdirectories.
  • Modify: When users are provided with this access permission, they can perform functions related to viewing and modifying the files and their properties. This also includes adding or deleting files from a directory.
  • Read & execute: Users provided with this access permission can run executable files and scripts.
  • Read: This permission only allows users to view the files, file properties, and directories.
  • Write: This permission allows users to perform functions like writing to a file and adding files to directories.

The following are the advanced types of access permissions:

  • Traverse folder/execute file: The traverse folder permission allows or denies moving through restricted folders to reach other files or folders. This permission is only considered if the group or user isn't granted the Bypass traverse checking user right in the Group Policy snap-in. The execute file permission allows or denies running program files.
  • List folder/read data: The list folder permission allows or denies viewing the names of the subfolders and files within a folder. The read data permission allows or denies viewing the data located within a file.
  • Read attributes: This permission allows or denies viewing the attributes of a folder or a file, like read-only and hidden. These attributes are defined by default by NTFS.
  • Read extended attributes: This permission allows or denies viewing the extended attributes of a folder or a file. The extended attributes are defined by the respective programs.
  • Create files/write data: The create files permission allows or denies creating files within a folder. The write data permission allows or denies overwriting the data in a file and making changes to the file itself.
  • Create folders/append data: The create folders permission allows or denies creating subfolders within a folder. The append data permission allows or denies changing the end of the file without modifying, deleting, or overwriting the existing data.
  • Write attributes: This permission allows or denies modifying the attributes of a folder or a file, such as hidden or read-only. These attributes are defined by default by NTFS. This permission only allows or denies making changes to the attributes of a file or folder, not to create or delete files and folders.
  • Write extended attributes: This permission allows or denies changing the extended attributes of a folder or a file. The extended attributes are defined by the respective programs. This permission only allows or denies making changes to the extended attributes of a file or folder, not to create or delete files and folders.
  • Delete subfolders and files: This permission allows or denies deleting the subfolders and files in a folder, even if the Delete permission hasn’t been granted to the subfolder or file.
  • Delete: This permission allows or denies deleting a folder or a file. Even if the Delete permission isn’t allowed on a file or folder, it can still be deleted if access to Delete Subfolders and Files is allowed on the parent folder.
  • Read permission: This permission allows or denies reading the permissions of a folder or a file.
  • Change permission: This permission allows or denies changing the permissions of a folder or a file.
  • Take ownership: This permission allows or denies taking ownership of a folder or a file. The owner of a folder or a file can always change permissions on it, regardless of any of the existing permissions that protect it.

Changing NTFS permissions

Follow these steps to change the basic NTFS permissions:

  1. Right-click the file or folder that needs to be modified. Click Properties > Security.
  2. Select Edit from the Properties dialog box.
  3. Select any user or group from the list to modify its NTFS permissions.
  4. Select either Allow or Deny for all the settings.
  5. Select Apply and the changes will be implemented.

Follow these steps to change the advanced NTFS permissions:

  1. Right-click the file or folder that needs to be modified. Click Properties > Security.
  2. Select Edit from the Properties dialog box.
  3. Click the Advanced option. The Advanced Security Settings dialog box will open.
  4. Select any user or group from the list to modify its NTFS permissions.
  5. Select either Allow or Deny for all the settings.
  6. Select Apply and the changes will be implemented.

(Figure: How to change the NTFS and share permissions)
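The same basic and advanced changes can be scripted instead of clicked through. The following is an added example, not code from the original article: it writes one basic Allow (Modify) and one advanced Deny (Delete) ACE to a folder and then lists the result. The folder C:\Shares\Sales and the groups CONTOSO\Sales and CONTOSO\Interns are placeholder names.

```powershell
# Added example (not from the original article). Assumed names: the folder
# C:\Shares\Sales and the groups CONTOSO\Sales and CONTOSO\Interns are placeholders.
$folder = 'C:\Shares\Sales'

function Set-NtfsRule {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    $acl = Get-Acl -Path $Path
    # ContainerInherit + ObjectInherit makes the ACE flow down to subfolders and
    # files, which is what the Security tab does for a folder by default.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $inherit, $propagate, $Type)
    # SetAccessRule replaces any existing ACE for the same identity and type;
    # AddAccessRule would merge the new rights into it instead.
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Basic permission "Modify" for the sales group: view, write, execute and delete,
# but not Change permissions or Take ownership.
Set-NtfsRule -Path $folder -Identity 'CONTOSO\Sales' -Rights Modify

# Advanced permissions: explicitly deny interns Delete and Delete subfolders and
# files. An explicit Deny ACE is evaluated before an explicit Allow ACE, so this
# holds even for an intern who is also a member of CONTOSO\Sales.
Set-NtfsRule -Path $folder -Identity 'CONTOSO\Interns' `
    -Rights 'Delete, DeleteSubdirectoriesAndFiles' -Type Deny

# Review the result the way the Advanced Security Settings dialog shows it.
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the file server; Set-Acl needs Change permission (or ownership) on the folder.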

Share permissions

Share permissions govern access to folders shared over a network. It's not possible to set different permissions for the subfolders or objects inside a particular share, because share permissions apply uniformly to all of its files and folders. These permissions don't apply to users logged on locally, and the number of users with access to the shared folder can be limited. Share permissions can be used with multiple file systems, such as NTFS, FAT, and FAT32.

Types of share permissions

There are three types of share permissions: Full control, Read, and Change. Access to shared files, folders, and drives is controlled by marking each listed permission as Allow or Deny.

  • Read: With this permission, users can only view and read data stored in the files, folders, and subfolders and run programs. The Everyone group is granted this permission by default.
  • Change: With this permission, users can perform all the functions allowed by the Read permission. Additionally, they can add files, folders, and subfolders and also modify them by changing their data or deleting them.
  • Full control: With this permission, users are granted all the functionalities from the Read and Change permissions. Additionally, they can change the permissions for NTFS files and folders. The Administrators group is granted this permission by default.

Changing share permissions

Follow these steps to change the share permissions:

  1. Right-click the shared folder that needs to be modified and select Properties > Sharing.
  2. Select Advanced Sharing.
  3. Choose Permissions.
  4. Select any user or group from the list to modify its share permissions.
  5. Select either Allow or Deny for all the settings.
  6. Select Apply and the changes will be implemented.

The difference between NTFS and share permissions

  • NTFS permissions are complex in nature but allow more control over a shared folder and its content. Share permissions are comparatively easy to use with limited control.
  • In the case of FAT and FAT32 file systems, only share permissions can be used.
  • When using both NTFS and share permissions, the more restrictive permission will be considered by the system. For instance, if the NTFS permission is set to Everyone Modify Allow and the shared folder permission is set to Everyone Read Allow, the system will apply the share permission due to its restrictive nature and the user won’t be allowed to make any changes.
  • Only share permissions can restrict the number of concurrent connections to a shared folder.
  • The configuration location for NTFS permissions is the Security tab in the file or folder properties. The configuration location for share permissions is the Advanced Sharing properties in the Permissions settings.
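The "more restrictive permission wins" rule above is easy to misjudge when the two sets are configured in different dialogs. The following added example (not code from the original article) sets the share permissions from the share-permissions steps with PowerShell and then ranks a group's share and NTFS access on one scale to report the effective network access. The share name Sales, the folder C:\Shares\Sales and the group CONTOSO\Sales are placeholders; the check reads only Allow entries and ignores Deny entries and nested group membership, so it is a first-pass review, not a replacement for the Effective Access tab.

```powershell
# Added example (not from the original article). Assumed names: share "Sales"
# on this server backed by C:\Shares\Sales, and the group CONTOSO\Sales.
$share  = 'Sales'
$folder = 'C:\Shares\Sales'
$group  = 'CONTOSO\Sales'

# Share side: the default Everyone Read, plus Change for the sales group.
# Grant-SmbShareAccess adds an Allow entry; Block-SmbShareAccess would add a Deny.
Grant-SmbShareAccess -Name $share -AccountName 'Everyone' -AccessRight Read   -Force | Out-Null
Grant-SmbShareAccess -Name $share -AccountName $group     -AccessRight Change -Force | Out-Null

# Rank both permission sets on one scale so the more restrictive one can be picked:
# 0 = none, 1 = Read, 2 = Change/Modify, 3 = Full control.
function Get-ShareRank([string]$ShareName, [string]$Account) {
    $ace = Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccountName -eq $Account -and "$($_.AccessControlType)" -eq 'Allow' } |
        Select-Object -First 1
    if (-not $ace) { return 0 }
    switch ("$($ace.AccessRight)") { 'Full' { 3 } 'Change' { 2 } 'Read' { 1 } default { 0 } }
}

function Get-NtfsRank([string]$Path, [string]$Account) {
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $aces = (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and "$($_.AccessControlType)" -eq 'Allow' }
    if (-not $aces) { return 0 }
    # Union the rights of every matching Allow ACE (explicit and inherited).
    $have = 0
    foreach ($a in $aces) { $have = $have -bor [int]$a.FileSystemRights }
    if (($have -band [int]$fsr::FullControl) -eq [int]$fsr::FullControl) { return 3 }
    if (($have -band [int]$fsr::Modify)      -eq [int]$fsr::Modify)      { return 2 }
    if (($have -band [int]$fsr::Read)        -eq [int]$fsr::Read)        { return 1 }
    return 0
}

# Effective access over the network is the lower of the two ranks.
$shareRank = Get-ShareRank -ShareName $share -Account $group
$ntfsRank  = Get-NtfsRank  -Path $folder    -Account $group
$label = @('None', 'Read', 'Change/Modify', 'Full control')
'{0}: share={1} ntfs={2} effective={3}' -f $group, $label[$shareRank], $label[$ntfsRank],
    $label[[Math]::Min($shareRank, $ntfsRank)]
```

With the NTFS permission at Everyone Modify and the share at Everyone Read, as in the example above, the report for Everyone comes out as effective=Read.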