The Difference Between Share and NTFS Permissions

Last week when I wrote about managing privileged accounts, I knew I had to write about share and NTFS permissions.

Understanding the difference is critical to sharing local resources with others on the network. They function completely separately from each other but serve the same purpose – preventing unauthorized access.

Share

When you share a folder and set the permissions for that share, those are share permissions. Essentially, share permissions determine the type of access others have to the shared folder across the network.

To see what kind of permissions you will be extending when you share a folder:

  • Right click on the folder
  • Go to “Properties”
  • Click on the “Sharing” tab
  • Click on “Advanced Sharing…”
  • Click on “Permissions”

And you’ll navigate to this window:

[Image: share permissions window]

As you can see, there are three types of share permissions: Full Control, Change, and Read.

  1. Full Control – enables users to “read,” “change,” as well as edit permissions and take ownership of files.
  2. Change – allows users to read, execute, write, and delete folders and files within the share.
  3. Read – allows users to view the folder’s contents.

A Caveat on Share Permissions

Sometimes, when you have multiple shares on a server which are nested beneath each other, permissions can get complicated and messy.

For instance, if a subfolder is shared with “Read” share permission but then someone creates a share with “Modify” permission above it at a higher root, you may have people getting higher levels of access than you intend.

There’s a way around this, which I’ll get to below. But first, let’s talk about NTFS permissions.

NTFS

NTFS permissions determine who has access to files and folders. To see what kind of permissions you will be extending when you share a file or folder:

  • Right click on the file/folder
  • Go to “Properties”
  • Click on the “Security” tab

And you’ll navigate to this window:

[Image: NTFS permissions window]

Unlike share permissions, NTFS offers a few more permissions besides Full Control, Change, and Read that can be set for groups or for individual users.

  1. Full control: allows users to read, write, change, and delete files and subfolders. In addition, users can change permissions settings for all files and subdirectories.
  2. Modify: allows users to read and write files and subfolders; also allows deletion of the folder.
  3. Read & execute: allows users to view and run executable files, including scripts.
  4. List folder contents: permits viewing and listing of files and subfolders as well as executing files; inherited by folders only.
  5. Read: allows users to view the folder and subfolder contents.
  6. Write: allows users to add files and subfolders and to write to a file.

When Share and NTFS Permissions Mingle

When you’re configuring security, a common question is, what happens when share and NTFS permissions interact with each other?

When you are using share and NTFS permissions together, the most restrictive permission wins.

Consider the following examples:

If the share permissions are “Read” and the NTFS permissions are “Full control”, a user who accesses the file on the share will be given “Read” permission.


If the share permissions are “Full Control” and the NTFS permissions are “Read”, a user who accesses the file on the share will still be given “Read” permission.


Best Practice: Managing Share and NTFS Permissions

If you find working with two separate sets of permissions to be too complicated or time consuming to manage, you can switch to using only NTFS permissions.

As the examples above show, with just three permission settings, shared folder permissions provide limited security for your folders. Therefore, you gain the greatest flexibility by using NTFS permissions to control access to shared folders.

Moreover, NTFS permissions apply whether the resource is accessed locally or over the network.

To do this, change the share permissions for the folder to “Full Control.”

You can then make whatever changes you want to the NTFS permissions without having to worry about the share permissions interfering with your changes.
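
To review both layers on an existing file server, the following PowerShell script (an added example, not part of the original article) lists each non-administrative share's share permissions next to the NTFS permissions on its folder, and warns about shares nested inside other shares, the situation described in the caveat above. It assumes an elevated session on the file server with the built-in SmbShare module; the variable names are illustrative.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the file server; uses the built-in SmbShare module.

# Skip administrative shares (C$, ADMIN$, IPC$) and shares with no folder path.
$shares = Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }

$report = foreach ($share in $shares) {
    # Layer 1: share permissions (Full, Change or Read), applied over the network only.
    foreach ($entry in Get-SmbShareAccess -Name $share.Name) {
        [pscustomobject]@{
            Share    = $share.Name
            Path     = $share.Path
            Layer    = 'Share'
            Identity = $entry.AccountName
            Type     = $entry.AccessControlType
            Rights   = $entry.AccessRight
        }
    }
    # Layer 2: NTFS permissions on the shared folder, applied locally and over the network.
    foreach ($rule in (Get-Acl -LiteralPath $share.Path).Access) {
        [pscustomobject]@{
            Share    = $share.Name
            Path     = $share.Path
            Layer    = 'NTFS'
            Identity = $rule.IdentityReference.Value
            Type     = $rule.AccessControlType
            Rights   = $rule.FileSystemRights
        }
    }
}
$report | Sort-Object Share, Layer, Identity | Format-Table -AutoSize

# Nested shares: the inner folder is reachable through two sets of share permissions.
foreach ($outer in $shares) {
    $prefix = $outer.Path.TrimEnd('\') + '\'
    foreach ($inner in $shares) {
        if ($inner.Name -ne $outer.Name -and
            $inner.Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            Write-Warning ("Share '{0}' ({1}) sits inside share '{2}' ({3})" -f `
                $inner.Name, $inner.Path, $outer.Name, $outer.Path)
        }
    }
}
```

Reading the Share and NTFS rows for the same identity side by side shows which layer is the more restrictive one for that share.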
