NTFS and Share Permissions in Windows

Before you start

Objectives: Learn what are NTFS permissions, what are Share permissions, and why are they used.

Prerequisites: you have to know what a file system is.

Key terms: permissions, share, users, NTFS, folder, HomeGroup, sharing, files, network, control, read, public, Administrative Share


Permissions in General

In general, permissions enable users to perform specific actions on computer resources like files or folders. Permissions are always assigned to resources, and not users. Permissions are given by users, typically administrators, which have a permission to edit permissions. If some user created the object (file or folder), he is the owner of that object. Object owner can give permission to other users for that object. Owners have a permission to give permissions to other users for their objects.

Resources like files and folders have Access Control Lists (ACLs) which are used to control user and group access. ACLs on files and folders are sometimes called file or folder permissions. File and folder permissions define the type of access that is granted to a user, group or computer.

In general, there are two types of permissions. First we have a shared folder permissions which are assigned to a folder that is shared on the network. These permissions are only used when the folder is shared and the user access that folder over the network. The second level of permissions are NTFS permissions which are part of the file system. NTFS permissions are always on. They are set for users which connect to resources over the network and also for local users.

NTFS Permissions

In order to use NTFS permissions we have to have the NTFS file system applied on our storage devices. As you know, Windows OS basically supports FAT and NTFS file systems. FAT is still used for backward compatibility, but it is not preferred. FAT partitions don’t have file or folder permissions, but they do support share permissions. We should use NTFS as our file system whenever we can. The reason for this is that NTFS provides file and folder level permissions, and Encrypting File System (EFS).

NTFS permissions are implemented by using an Access Control List which is stored as an attribute of the file or the folder. Permissions are set for individual users or groups of users, and in that way control the access to the files or folders. NTFS permissions are inherited, which means that permissions set on a parent folder are automatically set to all sub-folders and files in that folder. If we want, we can block the inheritance of permissions.

There are two types of NTFS permissions. We have Standard NTFS permissions and Special NTFS permissions. Special NTFS permissions are more granular than standard permissions.

Standard NTFS Permissions

Standard NTFS Permissions are:

  • Full control – allows reading, writing, changing and deleting of files, folders and subfolders. It also allows user to take ownership or change permissions for other users on the object.
  • Modify – allows reading, writing, modifying, and deleting objects. It doesn’t allow changing permissions or taking ownership. This permission is the biggest permission we should give to standard users. Only administrators should have full control over on the object, because standard users should not be able to take ownership and change permissions on files and folders.
  • Read & execute – allows users to read and execute files and folders, ie. it allows users to open a file by double clicking it. If we give user this permission, the “List folder content” and “Read” permission will automatically be set as well.
  • List folder contents – applied to folders, enables users to see the content of the folders but it doesn’t allow them to open that content.
  • Read – allows to read files in folder. It doesn’t allow execution of files and programs. We can’t double click the file to open it. To read file with read permission, we have to go to the specific application and then open the file from the application, since we can’t double click it.
  • Write – allows to modify the content of files, and to add files and folders to specific folder. We can’t delete a file or folder with this permission.

These specific permissions are also called Access Control Entries (ACEs). ACEs can be set to allow or deny specific permission, and can be explicit or inherited. Explicit permissions are set directly on the object, while the inherited permissions are set on the parent object. The “allow” permission will grant specific permission for specific user, group or computer. The “deny” permission will do the opposite. The “deny” permission will override the “allow” permission, except when the deny permission is inherited and the allow permission is explicitly set on the object. Because of this fact, we have to be careful when setting NTFS permissions. In general, explicit permissions take precedence over inherited permissions, even inherited deny permissions.

The great thing about inherited permissions is that it allows us to set permissions on some folder, and that permissions will automatically be applied to all object in that folder. In that way we can manage NTFS permissions from a single point. When new files and folders are created, they inherit permissions of the parent folder. We can disable this feature by unchecking the “Allow inheritance” checkbox on the NTFS permissions properties tab (Security tab). After unchecking this box, we will be asked to copy existing permissions (and then manipulate them), or to delete all existing permissions. If we select to copy existing permissions, we can see which permissions were set on the object. Another thing we can do is reset permissions of all child objects by selecting the “Replace permissions of child objects” option under the advanced window in the Security tab. This way the permissions of parent folder will overwrite permissions of all child objects.

NTFS permissions are accumulative. For example, if some user belongs to multiple groups, permissions for that user will be combined together from all those groups. Once the NTFS permissions are set, we can check the Effective Permissions tab to see what access a user actually has to particular folder or file. Effective permissions are the combined inherited and explicit permissions, but doesn’t take into account the share permissions.

The file owner can always change the NTFS permissions, even if we specifically deny access to the file itself. We have to take ownership of the file, which allows us to become the owner of the affected files. Then we can deny access to the file to the previous owner, if we need to.

NTFS permissions can change if we relocate the file or folder, depending on if the files or folders are copied or moved between two volumes or on the same volume. Basically, there are to things that can happen. Objects can keep the set permissions, or inherit new permissions of the destination folder. If we copy or move a file to a non-NTFS partition, all permissions are removed. If we move the file within the same NTFS volume, it will keep its explicit permissions. All other combinations will result in inheriting new permissions from the destination folder. So, if we copy the file within the same volume, existing explicit permissions will be lost. Also, if we move or copy the file to another volume, current explicit permissions will also be lost . There are ways to retain current permissions. We can use command line tools like Robocopy.exe or XCopy.exe to retain NTFS permissions, even when we move or copy file to another volume.

To set permissions in the command line we can use the “icacls” tool. With “icacls” command we have to specify the file or folder on which we want to modify permissions. We also have to specify if we want to grant (/grant switch), or deny (/deny switch) permission.

Special NTFS Permissions

Standard NTFS permissions are actually collections of special NTFS permissions. For most users, standard NTFS permissions are enough granular. If we need more specific permissions, we can use special permissions. Special permissions can be configured on the Advanced section on the Security tab. Special permissions are:

  • Traverse Folder / Execute file
  • List Folder / Read Data
  • Read Attributes
  • Read Extended Attributes
  • Create Files / Write Data
  • Create Folders / Append Data
  • Write Attributes
  • Write Extended Attributes
  • Delete Subfolders and Files
  • Delete
  • Read Permissions
  • Change Permissions
  • Take Ownership

We can also use special permissions to specify the level of propagation. For example, we can select to apply permissions to all files, folders and subfolders or to only to files in the current folder.

Share Permissions

To share files and folders with with other users on the network we can set up File Sharing (Shared Folders). This means that we share the existing folder on our computer, and by doing that we create a network share. With Shared Folders feature in Windows, we can create multiple network shares (shared folders) which are visible to other computers on the network (if Network Discovery is turned on). Each shared folder can have different share permissions. We can also configure which users or groups have access to shared folder and then define their permissions. We can also configure cache settings and define the share name (it can be different from the name of the folder which is shared). Shared folders can be configured for local users users and groups and also for domain users and groups. Shared folders can then be accessed using the UNC path to the share. The UNC syntax is \computernamesharename.

We can configure shared folders in three different ways: Basic, Advanced and Public folder sharing. Basic folder sharing is the simple form of folder sharing. It allows us to quickly share folders. In this case, Windows creates the share name automatically from the folder name, but we must manually define the Share and NTFS permissions. In Basic sharing, we have three permission levels:

  • Read – users can read files, but they can’t modify or delete them.
  • Read / Write – users can read, modify, add new, and delete existing files.
  • Owner – users can read and modify files, and also change Share permissions on the share. In this case, the owner is the person who created the share. Keep in mind that we can have only one owner on the shared folder.

With Advanced sharing, we have more flexibility when configuring shares and is intended for more experienced users. In this mode, we can set the custom share name, configure the cache settings, and define the maximum connected users to the share. Advanced Share permissions are named a bit different then Basic share permissions. Advanced Shared permissions are:

  • Read – users can only read files (same as Read in Basic mode).
  • Change – users can read and modify files (same as Read / Write in Basic mode).
  • Full control – users can read and modify files, and also change Share permissions on the share. The difference between the Owner permission in Basic mode is that we can have multiple users with Full control permission, while in Basic mode only the owner can have the Owner permission.

Only members of the Administrators group can change and define shared folders. By default, Everyone group has Read permissions for a shared resource. Keep in mind that Share permissions are also accumulative, just like NTFS permissions. If a user is a member of several groups, the group membership permissions will be combined. Permissions set on a shared folder apply to all files and folders inside the share. Also, Share permissions and NTFS permissions are also combined when a users connects to a share. The effective permission will be the most restrictive permission between the share and the NTFS permission. For example, if Marko has only Read share permission, but Modify NTFS permission, he will only be able to read files since Read share permission is more restrictive. To make things easier, administrators will often give Full share permissions, and then configure and manage more restrictive NTFS permissions.

In Windows Vista, we can also assign share permissions by using roles. Available roles for shared folders are:

  • Owner – has Full control share permissions
  • Co-owner – has Full control share permissions
  • Contributor – has Change and Read share permissions
  • Reader – has Read share permissions

Different roles will apply different restrictions for users for our shared folders. This method of share configuration is intended for end users who need a simple way to share files. We can always use advanced share permissions if we want to.

Remember that share permissions only apply to users connected to the share over the network. For shared  folder which is located on NTFS partition, both NTFS and Share permissions are applied. To identify the effective permissions, always bare in mind that the more restrictive set of permissions is used.

We can usually share a folder even when file and printer sharing is not enabled in the Network and Sharing Center, since sharing a folder will turn this on automatically. However, turning file and printer sharing off in the Network and Sharing Center will not remove existing shares and does not prevent access to those shares over the network. The only way to effectively prevent access is to stop sharing the folder manually. Turning file and printer sharing or public folder sharing on opens the File and Printer Sharing port exception in Windows Firewall automatically. When the setting is turned off, the firewall port is closed.

Public Folder Sharing

Starting from Windows Vista and in later versions, we have to keep in mind that we have a special Public folder on our computer which is accessible by all users on our computer. The intention of the Public folder is to make file sharing easier for end users. In Windows Vista, Windows 7 and Windows 8.1, the path to the public folder is C:UsersPublic. This folder is shared by all users on the computer. There are many sub-folders inside the Public folder intended for file organization. Public folder sharing provides a simple way for users to share files with other users, but it is not enabled by default.

We can use the Network and Sharing Center to configure the settings for Public folders. With Public folder sharing we can use two configurations. In the first configuration we can set the sharing only on the local computer. When Public folder sharing is off, network users cannot access our Public folder on our computer. This means that users won’t be able to access the Public folder over the network, but this folder will be accessible by other users on the local computer. The other way is to share the Public folder over the local network. To do that we have to turn Public folder sharing on. This configuration is more typical.

With Public folder sharing there are only two permissions:

  • Read – everyone can read and execute files
  • Full control – everyone has full control on files

Public folder sharing is great if we want to quickly share information with other users on our computer or on our local network, and when we don’t want to worry about custom permissions for individual users.

Administrative Shares

When configuring shared folders, we can add a dollar sign ($) to the end of a share name to create an administrative share. Administrative shares are not visible when browsing the network. We can only use the UNC path to connect to an administrative share. By default, Windows automatically creates an administrative share for every volume, with the sharename being the volume letter plus the dollar sign (such as C$). Default administrative shares can only be accessed by a member of the Administrators group.

Libraries

Sometimes we want to share several folders from one location, but those folders are located in different locations. In Windows versions prior to Windows 7 and Windows 8, we had to create a shared folder manually and then create shortcuts to all those different folders that we want to share. Starting from Windows 7, we can use Libraries feature for that purpose. Library is a collection of links (virtual folders) to existing local or network folders.

Libraries enable us to collect folders that exist in different locations locally, and also on the network, into a single location. By default, when we view a library, we will see all files and folders from different locations. Each library can hold multiple folders, and a single folder can be added to multiple libraries. When we choose to save something to the library, it will be saved only to the one folder in the library. By default, new content is added to the library in the first folder that was added when the library was defined. To change where new files are saved in a library, we can use Set save location in the library’s properties.

Keep in mind that library is not a folder. We can’t locate library folder on the hard disk. If we go to the CMD and check out our files in our library, we will see that links in the library have .library-ms extension.
We mention Libraries here because we can share a library to make its contents available on the network.

HomeGroup

Starting from Windows 7, we also have a HomeGroup feature. HomeGroup feature is a simple way of sharing resources and managing authentication to resources on a home or small business network. This feature can only be used on networks that have been designated as Home networks. They can not be created on a Domain network, but computers from the domain can join existing HomeGroup.

HomeGroup will show up as a separate node in Windows Explorer, under Libraries. They are displayed by user name and computer name because resource sharing can be controlled on a per user basis, allowing different users to share different resources to the HomeGroup. Only users with administrative privileges can create and enable HomeGroup, while ordinary users can choose which of their libraries will be shared on the HomeGroup.

For HomeGroup to work properly, computer that hosts the HomeGroup must be turned on and connected to the network. HomeGroups are created automatically when we designate our network connection as a Home network, if another HomeGroup already doesn’t exist on the network.

The HomeGroup wizard will allow us to select which libraries to share (music, movies, pictures, documents). When we make the selection, we will be prompted for the password. This password will be used by other computers on the network to join our HomeGroup. Keep in mind that we can only have one HomeGroup per network (subnet). Other computers will automatically detect the available HomeGroup and try to connect to it. When joining the existing HomeGroup we will be asked for HomeGroup password. We will also have to select libraries that we want to share on that HomeGroup.

Media Sharing

We can also decide to share our media content (pictures, movies or music), over the network. We can select the specific type of media to share. With Media Sharing, our media content is streamed to other devices, it is not copied. Media Sharing in Windows can be configured trough Media Player or trough Network and Sharing Center. In order for media sharing to work, all devices have to be on the same network (subnet). We also have to configure firewall ports (they have to be opened). Necessary firewall ports are opened automatically when we enable media sharing. Those ports are named the Windows Media Player Network Sharing Service.

We can share our media with all devices on the network, or we can explicitly identify specific devices to share with.

Example Configurations

We have separate articles in which we describe how to configure permissions in different versions of Windows: