Windows 7 : Protecting Your Data from Loss and Theft - NTFS File Permissions

10/18/2012 4:08:12 AM
All versions of Windows 7 use the NTFS (NT File System) directory structure, including Home Basic and Home Premium. NTFS enables you to assign control of who is permitted to access files and folders on a per-user or per-group basis. NTFS permissions can be used to control access for either local folders or network shares.

Windows XP Home Edition and Professional supported installation on disks formatted with the FAT32 file system or the NTFS file system. Many users of XP did use NTFS formatted disks, either by choice or because their computer manufacturers set their computer up that way. The user-based file permission system was in effect, but usually without the users even knowing it—on XP Home Edition, NTFS permission settings were hidden from the user, and on XP Professional, you had to disable Simple File Sharing to see them.

On the other hand with Windows 7 NTFS is mandatory for installation (and also restoration), and the security settings are available to see and modify on all versions of Windows 7. Therefore, all Windows 7 users should understand how NTFS file permissions work.

To display or modify NTFS permissions, select a file or folder in Computer or Windows Explorer, right-click Properties, and select the Security tab. You can use the NTFS Permissions dialog box to designate a folder to restrict access toc both network and local users.

In the top part of the Security tab is the list of users or user groups with access to the file or folder. You can select any of the names in the list to view their associated permissions in the bottom half of the tab.

To add users to a file’s or folder’s permissions list, follow these steps:

Right-click the file or folder in explorer and choose Properties, then open the Security tab.

Under the Group or User Names list, click the Edit button. The Permissions dialog box opens to a new Security tab.

Under the Group or User Names list, click the Add button. The Select Users or Groups dialog box appears.

Enter the desired username(s) into the input box provided. You can check your names against the computer’s user accounts by clicking the Check Names button. Hint: Use full names like “Bob Cowart” instead of just “Bob.” Click OK.

With the newly added user account(s) highlighted in the Group or User Names list, select the desired permissions. You can choose to allow or deny a variety of actions for a given user or group. Click Apply and then click OK.

Click OK again to close the Properties dialog box.

The permission properties can each be granted or revoked individually. The permissions and their properties are listed in Table 1.

Table 1. NTFS File Permission Settings and Their Functions
Full ControlGives all the rights listed below, plus lets the user change the file’s security and ownership settings.
ModifyAllows a user to modify a file’s contents or delete a file.
Read & ExecuteAllows a user to read a file’s contents and/or run an executable file as a program.
List Folder ContentsAllows a user to view the contents of the folder.
ReadAllows a user to read a file’s contents only.
WriteAllows a user to create a new file, or write data in an existing file, but not read a file’s contents. For a folder, allows users to add new files to the folder but not view the folder’s contents.

Note that each permission has both Allow and Deny check boxes. To get access to a given resource, a user must be explicitly listed with Allow checked or must belong to a listed group that has Allow checked, and must not be listed with Deny access or belong to any group with Deny marked. Deny preempts Allow.

All these permissions are additive. In other words, Read and Write can both be checked to combine the properties of both. Full Control could be marked Allow but Write marked Deny to give all access rights except writing. (This permission would be strange but possible.)


If you edit Permissions, before you click OK or Apply, click the Advanced button and view the Effective Permissions tab. Enter a few usernames to see that the permissions work out as you expect. If they do, only then should you click OK.

The most productive use of NTFS file permissions is to assign most rights by group membership. One exception is with user home directories or profile directories, to which you usually grant access only to the Administrators group and the individual owner.

Editing NTFS file permissions is protected by UAC (unless you’ve disabled it). So, expect to see a lot of prompts to Continue (if you’re an Administrator) or to provide an Administrator password (if you’re a standard user) when you perform these operations.

Administrator Can’t Delete File or Folder

You might encounter files or folders that can’t be deleted even by the Administrator account. They don’t have the Read-Only attribute set, but Windows informs you that access is denied.

Sometimes a file or, more often, a folder is set with access controls such that even Administrator can’t access or delete it. To erase such a file or folder, take ownership of it . Give Administrator full access rights. Use the Advanced Security button to view Advanced Permissions, and check Replace Permission Entries on All Child Objects. Click OK or Apply (then click OK), and then try to delete the folder again.

Inheritance of Permissions

Normally, permissions are assigned to a folder (or drive), and all the folders and files within it inherit the permissions of the top-level folder. This makes it possible for you to set permissions on just one object (folder), managing possibly hundreds of other files and folders contained within. If necessary, explicit permissions can be set on a file or subfolder to add to or override the inherited permissions. Permissions displayed in the Security tab will be grayed out if they have been inherited from a containing folder.

You can view or change the inheritance setting for a file or folder by clicking the Advanced button on the Security tab. In Figure 1, the folder has a check in Include Inheritable Permissions from This Object’s Parent.

Figure 1. The Advanced Permissions dialog box lets you control the inheritance of permissions and set detailed permissions for user and groups.

To change inheritance settings, click Change Permissions. You can then uncheck the Include Inheritable Permissions from This Object’s Parent box. If you uncheck the box, Windows gives you the option of starting with a blank permissions list (Remove) or keeping a copy of the settings it had before (Copy). In either case, the item now has its own independent list of access rights, which you can edit at will.


Changing the permissions of the root folder of the drive containing Windows may make your system unusable. It’s best not to mess with the permissions of your boot (usually C:) drive.

When you change permissions on a folder, you may want to cancel any manually added permissions set on the files and folders it contains. Checking the Replace All Child Object Permissions With Inheritable Permissions From This Object option will reset the permissions on all files in this folder and in subfolders, and will force all subfolders to inherit permissions from this folder.

Advanced Security Settings

If you edit access permissions in the Advanced Security Settings dialog box, you can exercise more “fine-grained” control over permissions. It’s rarely necessary, but for your reference, Table 2 lists the available permission settings.

Table 2. NTFS Advanced File Permission Settings and Their Functions
Traverse Folder/Execute FileFor folders, this special permission allows a user the right to move through a folder to which he or she doesn’t have List Folder access, to reach a file or folder to which he or she does have access. For files, this permission allows the running of applications. (This permission is necessary only if the user wasn’t granted the Group Policy Bypass Traverse Checking.)
List Folder/Read DataFor folders, allows the user to view the names of files or subfolders inside a folder. For files, allows the user to read the data in a file.
Read AttributesAllows the user to view the attributes of the file or folder (that is, Hidden, Read-Only, or System).
Read Extended AttributesAllows the user to view extended attributes of files or folders as defined by another program. (These attributes vary depending on the program.)
Create Files/Write DataFor folders, allows the user to create new files inside the folder. For files, allows the user to add new data or overwrite data inside existing files.
Create Folders/Append DataFor folders, allows the user to create new subfolders. For files, allows the user to append data to the end of an existing file. This permission does not pertain to deleting or overwriting existing data.
Write AttributesAllows the user to change the attributes of the file or folder.
Write Extended AttributesAllows the user to change the extended attributes of a file or folder.
Delete Subfolders and FilesFor a folder, allows the user to delete subfolders and their contents. This permission applies even if the Delete permission has not been expressly granted on the individual subfolders or their files.
DeleteAllows or denies the user the ability to delete the file. Even if Delete is denied, a user can still delete a file if he or she has Delete Subfolders and Files permission on the parent folder.
Read PermissionsAllows the user to view the file’s or folder’s permissions assigned to a file or folder.
Change PermissionsAllows the user to change the file’s or folder’s permissions.
Take OwnershipAllows the user to take ownership of a file or folder.

Viewing Effective Permissions

The Effective Permissions tab of the Advanced Security Settings dialog box lets you enter a username and see what privileges the user will have as a result of the current security settings on the file or folder, as shown in Figure 2.

Figure 2. Effective Permissions shows you how edited Permissions settings will work before they’re actually applied to the file.

This dialog box displays the effective permissions as edited, before they are applied to the file folder. This lets you verify that the permissions you have set operate as desired before committing them to the file by clicking OK or Apply.

Access Auditing

The Advanced Security Settings dialog box provides a way for you (if you are an Administrator) to monitor access to files and folders through the Event Log. The Auditing tab lets you specify users and access types to monitor, and decide whether to record log entries for successful access, failure to access, or both. Auditing can be set for the use of each access attribute that you can set with Permissions: List Folder, Write Data, and so on.

Auditing is useful in several situations:

  • To determine what files and folders an errant application program is attempting to use

  • To monitor users for attempts to circumvent security

  • To keep a record of access to important documents

To enable auditing, locate the folder or file you want to monitor, view the Security tab of its Properties dialog box, click Advanced, view the Auditing tab, click Continue, and click Add. On the Object tab of the Auditing Entry dialog box, select a specific user or group (or Everyone), click OK, and check the desired events to audit from the Access options, and click OK again. You can prevent a new audit setting from propagating into subfolders by checking Apply These Auditing Entries to Objects and/or Containers Within This Container Only. You can enable the resetting of audit properties of all subfolders and files by checking Replace All Existing Auditing Inheritable Auditing Entries on All Descendants With Inheritable Auditing Entries From This Object on the Auditing tab of the Advanced Security Settings dialog box.

An entry is made in the Security Event log for each audited access, so be careful if you are enabling auditing on the entire hard drive!

Taking Ownership of Files

Sometimes files or folders have security attributes set so stringently that even Administrator can’t read or modify them. Usually this occurs when the file has permissions set only for its owner and not the usual list: Owner, Administrator, System. This can occur when a user account is deleted. It can also happen when you have reinstalled Windows or are using a disk drive taken from another Windows computer. Whatever the cause, the symptom is that even an Administrator user is not able to access the files in some folder. If you absolutely need to access such files, you can take ownership of the file or folder, and then assign permissions to read and write as appropriate. To take ownership of a file or folder:

Log on as Administrator.

Right-click the file or folder in Explorer and choose Properties.

View the Security tab and click Advanced.

View the Owner tab, and click Edit.

Select Administrator (the user) or Administrators (the group) from the list. You may want to check the Replace Owner on Subcontainers and Objects box to change subfolders as well.

Click OK.

Add privileges as necessary to grant access to the desired user(s).

Assigning Permissions to Groups

It’s common in an office environment to want shared folders that are accessible by some users and not by others. For instance, you may wish to put payroll information in a shared folder and grant access only to certain administrative employees. In a school environment, you might want some folders that are accessible only by teachers, and others accessible only by members of a particular class. At home, you might want to prevent the children from getting access to the parent’s folder. The best practice in this case is to create local user groups, which are collections of users that can be given privileges that carry over to the group’s members. You can add the group and assign permissions for specific folders and files without having to list each of the qualified users separately. Another benefit is that you can add and remove users from the group later on without having to modify the settings of the various folders.


You cannot create local user groups with Windows Home Basic, Home Premium (or Starter Edition) using the Local Users and Groups tool. If you’re a hard-core Windows hacker, you can use the command-line technique explained in the tip at the end of this section. This applies equally to Windows 7 and Windows Vista computers.

To create local user groups, follow these steps:

Right-click Computer, click Manage, and open Local Users and Groups; or, on a domain computer, click the Advanced button on the Advanced tab of the User Accounts Control Panel applet.

Right-click the Groups entry in the left pane and select New Group.

Enter a name for the new group, such as Accounting.

Click Add and select users to add to the group.

Click create, and then click Close.

To grant the group permissions to specific folders:

Right-click the folder or file in Windows Explorer and select Security.

On the Security tab and click Edit, and then click Add.

Select the group name (on a domain computer you may select domain groups or local groups by selecting Location and choosing a domain name or the local computer name).

Click OK, and then check the appropriate permissions for the group to have under Permissions.


On Windows 7 Home versions, if you’re willing to work with the command-line interface, you can create local groups. Open a Command Prompt window and type the command net localgroup groupname /add, but in place of groupname type the name of the group you’d like to create. Then, to add a user to the group, type the command net localgroup groupname username /add and again, in place of groupname, type the name of the group you created, and in place of username, type the name of a user on your computer. Repeat this command as necessary to add other users. The same command with /delete at the end instead of /add removes a user from the group.

If Everyone or other groups are listed as having rights to this folder, you may want to select the group(s) and uncheck any undesired privileges. If the entry is grayed out, the privileges are inherited from a containing folder. In this case, when you’re finished applying group permissions for this folder go back to the Folder Permissions dialog box and select Advanced, select the desired group, click the Change Permissions button, uncheck Include Inheritable Permissions From This Object’s Parent, and click Remove. Click Apply, then click OK. After that, you can remove the permission entries you don’t want.

Important: Before you click OK to commit the changes, use the Effective Permissions tab in the Advanced Security Settings dialog box to check the effective rights of a few different users to be sure that the rights are what you intend. Be sure that Administrator has at least taken ownership privileges.

A User Has Access to a Restricted Object

A user in the Users local group has access to an object that the Users local group is not assigned permissions for.

Check to see whether the user belongs to any other groups that have been assigned permissions. Remember that permissions accumulate through groups. If necessary, you can remove groups from those listed as having access to the file, or you can list specific users and/or groups and check the Deny boxes to remove access rights.

Securing Your Printers

If you have a printer that uses expensive paper or ink, and are concerned that guests, kids, or unauthorized persons might use your printer, you should know that printers can be secured in the same way that access is controlled for files and folders: through user and group privileges. In the case of printers, the privileges allow users to add jobs to the printer, delete other people’s jobs, and so on.

On a domain network, the network manager usually takes care of this. And on a workgroup it’s generally not important to restrict access to printers. If you are using Simple File Sharing, it’s not even possible to set up specific printer access privileges.

If you decide to, however, you can set printer access permissions by right-clicking a printer in your Printers folder and selecting Properties. The Security tab resembles the Security tab for files and folders, and can be modified in the same way.

Most View
Not Bad For A Monkey (Part 3) : What's a Fusion Drive?
Microsoft Exchange Server 2010 : Configuring Anti-Spam and Message Filtering Options (part 4) - Preventing Internal Servers from Being Filtered
Review : Panasonic Lumix DMC-LX100
Sony Xperia Tablet S - Slimmer Design And Faster Guts (Part 3)
Share Webpages From Safari
Dell Ultrasharp U2913WM Ultra-Wide Screen Review
Linux vs Windows 8 (Part 1)
What Can We Expect From The New Mac Pro (Part 1)
GeForce GTX 660 Graphics Cards Roundup (Part 4)
A Trio From HIS: 7970 IceQ X² GHz Edition, 7950 IceQ X² Boost Clock And 7850 IceQ Turbo X Graphics Cards Review (Part 7)
Top 10
Windows 8 : Storage Spaces (part 4) - Advanced Storage Spaces: Three-Disk Configurations
Windows 8 : Storage Spaces (part 3) - A More Resilient Space: Two Disks, Two-Way Mirroring
Windows 8 : Storage Spaces (part 2) - The Most Basic Storage Spaces Configuration of All: One Disk, One Space, No Resiliency
Windows 8 : Storage Spaces (part 1) - Getting Ready for Storage Spaces
Microsoft Exchange Server 2007 : Components of a Secure Messaging Environment (part 5) - Using Email Disclaimers
Microsoft Exchange Server 2007 : Components of a Secure Messaging Environment (part 4) - Establishing a Corporate Email Policy, Securing Groups
Microsoft Exchange Server 2007 : Components of a Secure Messaging Environment (part 3) - Hardening Windows Server 2003 - Running SCW
Microsoft Exchange Server 2007 : Components of a Secure Messaging Environment (part 2) - Hardening Windows Server 2003 - Using the Microsoft Baseline Security Analyzer
Microsoft Exchange Server 2007 : Components of a Secure Messaging Environment (part 1) - Hardening Windows Server 2003 - Auditing Policies
Microsoft Exchange Server 2007 : Server and Transport-Level Security - Considering the Importance of Security in an Exchange Server 2007 Environment