Data Security in Windows 10: NTFS Permissions (Standard)
“I don’t have anything to hide.” “What about your credit card numbers?” “Well yeah, okay but…” “Bank account number? Social Security Number? Social Media Passwords?” “Well yes but besides all that…” When most people say that they don’t have anything to hide, they are not actually saying they have zero pieces of information that need protecting. Rather, while they have very little information that is exclusive to them, they have a considerable amount of information that can be considered “privileged information”- information that is shared with a select group of people.
When we take a similar idea like that up to an organizational level, information that only a single person knows can be a tricky topic. On the one hand, it means that you have an expert in a particular field that can be called on to fix a problem reliably each time. However if that person isn’t available on a given day- whether it be vacation, they are out sick, or they have left the company, it can be exceedingly difficult to find the information necessary to fix a particular issue. In the case of sensitive information as well, such as external accounts for the organization, this data needs to be shared but also protected- not the sort of thing you would just want to have on a random share with everyone having read/write access to it. Fortunately, Microsoft recognized this early on in the game and was able to bake into their NTFS file system permissions not only for allowing and forbidding access outright, but also giving selective access such as read-only to particular users. Today we’re going to be going over the standard NTFS permission scheme, but please remember that there are a LOT of options available for NTFS that go outside of the scope of this particular article.
What is NTFS?
NTFS, or the NT File System, has been around since 1993 with its introduction in Windows NT 3.1. The current version of NTFS has been in use since the release of Windows XP in 2001, with NTFS version 3.1 (or 5.1 per the Operating System version depending on who you ask). This is the File System that is used across all modern versions of Windows by default, and in many different ways is far more secure than other alternatives such as FAT32. We can check to see what version of NTFS is currently being used by Windows by opening an Administrative Command Prompt and then typing in the following command: fsutil fsinfo ntfsinfo <drive letter>.
Depending on the version of the Operating System, NTFS can support individual volumes as large as 8 Petabytes (8 Million Gigabytes) while FAT32 allows for partitions up to 2 Terabytes (2 Thousand Gigabytes).
Using NTFS Permissions
In most use cases, users will be viewing and modifying NTFS permissions via Windows Explorer, but it is also possible via Command Line via both the Command Prompt and Powershell through the use of commands such as icacls. For the purposes of this article however, we are going to be sticking with administration in Windows Explorer. To view NTFS Permissions on a particular directory for example, we can right-click on said directory and select ‘Properties’. From here, we will want to click on the ‘Security’ tab, in order to view the currently assigned permissions.
Just to give a quick breakdown of the functionality of these options:
|List Folder Contents||Allows the selected user/group to view the contents of the directory|
|Read||Allows the selected user/group to access files located in the directory|
|Read & Execute||Allows the selected user/group to run files located in the directory|
|Write||Allows the selected user/group to create new files in the directory|
|Modify||Allows the selected user/group to add/remove content in the directory|
|Full Control||Allows the selected user/group to modify permissions in the directory|
This screen allows us to view current permissions, but if we need to alter what has been assigned we can click on the ‘Edit’ button.
By default, NTFS inherits permissions assigned from above the current location in the tree- if you have a directory with particular permissions assigned, that will trickle down to all files and directories below that. This is signified by the grayed out checkboxes visible in the above image. If we were to remove inheritance, these would then be able to be modified in the same way that explicitly assigned permissions are. If we wanted to add on a new user to this directory and grant them ‘Modify’ permissions, we could do this by clicking on the ‘Add’ button.
We could then select any user, group or other relevant account that is located either locally on this particular system or on our network via Active Directory by clicking on ‘Locations’. We can also start typing in a particular name, then click on the ‘Check Names’ button, to run a query so that the system can verify who we are actually referring to. Once a line appears under the name, it is confirmed to be an existing object. After we are satisfied with who we want to add to this directory, we can click ‘OK’ and the name will appear in the previous screen, but we aren’t done yet.
Because these permissions are explicitly assigned here, we see black checkboxes available to us- signifying that they can be modified. By default, a new user being added in this way will then receive ‘Read-only’ permissions- granting them basic access and no more. If we want to give them ‘Modify’ access however, and check the box for this, the user is automatically also granted the ‘Write’ permission- this is because in order to modify files, you first have to be able to write to them. Once you have decided on your permissions, you can click on ‘Apply’ and ‘OK’ to commit the changes.
If we decide that we no longer want to have inherited permissions on this folder, such as in the case of a set of User Directories, we would want to right-click on the folder and select ‘Properties’ and go to the Security tab as before. This time however, we would want to click on the ‘Advanced’ tab at the bottom of the screen.
In the Advanced Security Settings area here, we will want to click on the ‘Disable Inheritance’ button at the lower left corner of the screen.
We have two choices here- either keep all of the existing permissions but make them explicit so we can edit them individually, or remove them all and we can start from scratch. In most cases converting to explicit is a good place to start, and then you can work backwards to clean things up.
NTFS permissions are extremely versatile and very powerful with the proper administration. In most cases it is far easier and faster to use Group permissions instead of Individual, but there are still potential situations where we would want to make sure that only one person has access to sensitive data. As we mentioned at the outset, there are still additional options such as Encryption, Alternate File Streams and Quotas to name a few. It is well worth your time investment to get to know what can be done at the File System level for Data Security, as this is one of the most powerful Industry Standard tools at our disposal that you most likely already have access to.
https://docs.microsoft.com/en-us/windows-server/storage/file-server/ntfs-overview – NTFS Overview
https://en.wikipedia.org/wiki/NTFS – NTFS
https://www.howtogeek.com/72718/how-to-understand-those-confusing-windows-7-fileshare-permissions/ – How to Understand Those Confusing Windows 7 File/Share Permissions
https://www.thomasmaurer.ch/2011/05/check-ntfs-version/ – Check NTFS Version
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-fsinfo – Fsutil fsinfo
https://www.varonis.com/blog/ntfs-permissions-vs-share/ – NTFS Permissions vs Share: Everything You Need to Know
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls – icacls
https://support.microsoft.com/en-us/help/154997/description-of-the-fat32-file-system – Description of the FAT32 File System