The New Technology File System, commonly abbreviated as NTFS, is the standard file system used in Windows NT and later versions of Windows operating systems. It is used to store, organize, access and find files and folders. It was developed to overcome the shortcomings of previous file systems such as File Access Table (FAT) and High-Performance File System (HPFS), and focuses on improving performance, access control, storage space utilization, security and reliability.
What are NTFS Permissions?
NTFS allows users to share drives or folders within the network by means of permissions. These NTFS permissions determine who can access the files, folders and drives. Besides this, security for local and network access to the file system is provided by permissions. However, NTFS permissions are different from shared folders.
For instance, by permitting the HR and Finance groups to perform Read and Write on the Payroll folder, only members belonging to those groups are granted access to read and modify the contents of the folder containing payroll information of the employees.
These permissions are usually defined in the Access Control List (ACL), which determines the users or groups that can access a specific object. This comprises the Access Control Model, which in turn consists of Access Tokens and Security Descriptors. The access tokens contain information about the user and their privileges. The security descriptors contain a Security Identifier (SID), Discretionary Access Control List (DACL) and a System Access Control List (SACL). When a user tries to access an object, the identity of the user is verified by means of the access token. This is compared against the Access Control Entries for the object. The object also compares the SID of the user with the entries in the DACL. If there is a match found during the comparisons, the user is given the specified permissions for the object.
Types of NTFS Permissions
Permissions in NTFS may be classified into two types, namely:
- Explicit Permissions
- Inherited Permissions
Explicit permissions are those that are set by default upon creation of the object, or through user action.
Inherited permissions, however, are propagated from a parent object to a child object. These permissions are inherited by all the objects in the folder from the respective parent folder. This enables consistency of permissions among all the objects within a particular folder.
File and Folder Permissions
There is another set of NTFS permissions known as File permissions and Folder permissions.
NTFS permissions may be applied to a specific file for a user or a group and they are known as NTFS File Permissions. They are prioritized over the folder permissions. For instance, if a user is given access to a folder, but not to a file within the folder, the file cannot be accessed. The list of file permissions is given as follows.
- Full Control
- Modify
- Read and Execute
- Read
- Write
- Special permissions
NTFS permissions that are applied to a specific folder to be accessed by a user or group are known as NTFS Folder Permissions. They can be inherited by sub-folders and files within the parent folder. The list of folder permissions is given as follows.
- Full Control
- Modify
- Read and Execute
- List Folder Contents
- Read
- Write
- Special Permissions
The special permissions can be used in various combinations to create customized permissions based on the user’s requirements. The different levels of special permissions provided by NTFS are listed as follows.
- Read
- Write
- Execute
- Delete
- Change Permissions
- Take Ownership
What are Effective Permissions in NTFS?
Effective permissions are a combination of explicit and inherited permissions. They are the cumulative permissions for a user, which are defined based on the user’s individual and group permissions. These permissions are applied by default.
When there are conflicts in assigning permissions based on two different groups, certain rules are used to resolve the issue.
How to view NTFS effective permissions on files and folders
The following steps describe how to view effective permissions on files and folders in NTFS.
- Open Windows Explorer and navigate to the file or folder for which the effective permissions need to be viewed.
- Right click on the file or folder and click on Properties.
- Click on the Security tab.
- In the Security tab, click on the Advanced button and then the Effective Permissions tab.
- In the Effective Permissions tab, click on Select.
- The Select User or Group dialog box appears.
- Enter the name of the user or group in the required field and click OK.
- The checkboxes that have been selected indicate the effective permissions of the specified object or group for the selected file or folder.
Using PowerShell commands
Effective permissions in NTFS can also be viewed using PowerShell commands. The Get-Acl cmdlet can be used to get permissions on files, folders and other objects. For example, the following command can be used to get permissions on the sample folder present in the C: drive:
(Get-Acl -Path C:\sample).Access
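The command above lists the individual access control entries, not a per-user result. The following added example (not part of the original page; the function name Get-ApproxEffectiveRights is hypothetical) matches the SIDs in the current user's access token against the explicit and inherited entries of the DACL, as described earlier, and accumulates the outcome. It is an approximation that assumes the entries are returned in DACL order, and it ignores share permissions, ownership and privileges.

```powershell
# Added example: approximate the current user's effective rights on a path
# by matching the SIDs in the access token against the DACL entries.
function Get-ApproxEffectiveRights {
    param([Parameter(Mandatory)][string]$Path)

    $fsr     = [System.Security.AccessControl.FileSystemRights]
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # SIDs carried in the caller's access token: the user plus its groups.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    # Explicit and inherited entries, with identities returned as SIDs.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)

    $granted = 0
    $denied  = 0
    $matched = foreach ($rule in $rules) {
        if ($tokenSids -notcontains $rule.IdentityReference.Value) { continue }
        # Inherit-only entries (flag value 2) apply to children, not to this object.
        if (([int]$rule.PropagationFlags -band 2) -ne 0) { continue }
        # Keep only the standard file rights; generic bits are not mapped here.
        $mask = [int]$rule.FileSystemRights -band [int]$fsr::FullControl
        # The first entry that decides a right wins, so order matters.
        if ($rule.AccessControlType -eq 'Deny') {
            $denied = $denied -bor ($mask -band (-bnot $granted))
        } else {
            $granted = $granted -bor ($mask -band (-bnot $denied))
        }
        [pscustomobject]@{
            Sid    = $rule.IdentityReference.Value
            Type   = $rule.AccessControlType
            Rights = $rule.FileSystemRights
            Source = if ($rule.IsInherited) { 'Inherited' } else { 'Explicit' }
        }
    }

    [pscustomobject]@{
        Path        = $Path
        MatchedAces = @($matched)
        Granted     = [Enum]::ToObject($fsr, $granted)
        Denied      = [Enum]::ToObject($fsr, $denied)
    }
}

# C:\sample is the folder used in the command above.
$result = Get-ApproxEffectiveRights -Path 'C:\sample'
$result.MatchedAces | Format-Table -AutoSize
"Granted: $($result.Granted)"
"Denied:  $($result.Denied)"
```

The Source column shows whether each matching entry is explicit or inherited, which helps when tracing an unexpected right back to the parent folder that propagated it.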