How to Use NTFS Advanced Permissions to Restrict Access to Parent Folders
Consider a scenario where the parent folder named A contains the child folders B1 and B2. The employees in a certain group need to work only in B1 and B2. The administrator can therefore block the group's access to the parent folder A itself and allow access only to B1 and B2. This follows the principle of least privilege: users are given access only to the specific resources required for their work, and cannot browse the rest of the parent folder.
To allow Read & Execute access to the child folders while keeping the parent folder inaccessible, two things are needed. First, the inheritance of permissions has to be disabled on the child folders, so that they no longer take their access control entries from the parent and can be granted permissions of their own. Second, the group is given only the Traverse Folder/Execute File permission from the list of NTFS File and Folder Advanced Permissions on the parent folder. Traverse Folder allows or denies moving through a restricted folder in order to reach the files or folders that are beneath it in the hierarchy; it does not include List Folder/Read Data, so a user holding only Traverse Folder on A can open A\B1 by its full path but cannot list the contents of A. Note that the Traverse Folder permission is only checked for users who do not hold the Bypass Traverse Checking user right in the Group Policy settings (see below). Disabling inheritance on the child folders and granting only Traverse Folder on the parent ensures that the parent folder cannot be read by the user while navigating to one of the child folders.
Disabling NTFS Permission Inheritance
The first step in this process is to disable the inheritance of permissions from the parent folder A to each child folder (B1 and B2). The instructions given below can be followed to disable the inheritance of NTFS permissions for a file or folder. The prerequisite to perform this action is to be signed in with an administrative account (or an account that owns the folder or holds the Change Permissions right on it).
- Open File Explorer and locate the child folder (B1, and afterwards B2) for which inherited permissions need to be disabled.
- Right-click on the desired folder, click on Properties and select the Security tab.
- Click on the Advanced button at the bottom of the Security tab.
- In the Advanced Security Settings window, click on the Disable inheritance button.
- When prompted by the Block Inheritance window, select the Remove all inherited permissions from this object option.
- Only explicit permission entries now remain on the folder. Click Add, choose Select a principal, pick the group, and grant it Read & Execute. Because removing the inherited entries also removes the inherited Administrators and SYSTEM entries, add explicit Full Control entries for those principals as well so that the folder does not become unmanageable.
- Click OK to complete the process, then repeat the same steps for the other child folder.
Setting the Traverse Folder Permission
Once the inheritance of permissions has been disabled on the child folders, the next step is to set the Traverse Folder permission on the parent folder. This enables a user to pass through a restricted parent folder in order to reach the child folders without being able to read the parent itself. To grant the Traverse Folder/Execute File permission, follow the steps given below.
- Open File Explorer and select the parent folder (A) for which the NTFS advanced permissions need to be configured.
- Right-click on the desired folder, click on Properties and select the Security tab.
- Click on the Advanced button at the bottom of the Security tab.
- In the Advanced Security Settings window, click on the Add button (or select the group's existing entry and click Edit).
- In the Permission Entry window, click Select a principal and choose the desired group. Leave Type set to Allow.
- Set Applies to to This folder only. This ensures that the entry applies to the parent folder alone and is not inherited by B1, B2 or the files inside them. (The Only apply these permissions to objects and/or containers within this container check box does something different: it limits an inheritable entry to the folder's immediate children, so leave it clear here.)
- Click Show advanced permissions, clear every box except Traverse folder / execute file, and click OK.
- Click OK to close the Advanced Security Settings window and Apply the change.
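The two procedures above can be scripted instead of clicking through the dialogs. The following PowerShell block is an added example, not part of the original article: it grants the group Traverse Folder/Execute File on the parent as a "This folder only" entry, then disables inheritance on each child folder, removes the inherited entries, and grants the group Read & Execute (plus Full Control for Administrators and SYSTEM, which are lost when the inherited entries are removed). The paths and the group name are assumptions, and the example assumes the parent folder has no other entry (for example BUILTIN\Users) that already grants the group read access; if it does, that entry must be removed as well. The script must run from an elevated session.

```powershell
# Added example (not from the original article). Paths and group name are assumed values.
$Parent   = 'D:\Shares\A'            # assumed parent folder ("A" in the text)
$Children = 'B1', 'B2'               # assumed child folders under the parent
$Group    = 'CONTOSO\Project-Staff'  # assumed domain group that needs only B1 and B2

# Helper: build a FileSystemAccessRule. FileSystemRights/Inheritance/Propagation are the
# same enums the Advanced Security Settings dialog writes to the DACL.
function New-FsRule {
    param([string]$Identity, [string]$Rights, [string]$Inheritance, [string]$Propagation = 'None')
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inheritance,
        [System.Security.AccessControl.PropagationFlags]$Propagation,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# 1. Parent folder: Traverse Folder/Execute File only (Traverse and ExecuteFile are the
#    same bit, 0x20). InheritanceFlags None is the dialog's "This folder only", so nothing
#    propagates to B1, B2 or their files.
$parentAcl = Get-Acl -LiteralPath $Parent
$parentAcl.AddAccessRule((New-FsRule -Identity $Group -Rights 'Traverse' -Inheritance 'None'))
Set-Acl -LiteralPath $Parent -AclObject $parentAcl

# 2. Child folders: block inheritance, drop the inherited ACEs, add explicit entries.
foreach ($name in $Children) {
    $child = Join-Path $Parent $name
    $acl   = Get-Acl -LiteralPath $child

    # SetAccessRuleProtection(isProtected, preserveInheritance): $true,$false is
    # "Disable inheritance" + "Remove all inherited permissions from this object".
    $acl.SetAccessRuleProtection($true, $false)

    # "This folder, subfolders and files" = ContainerInherit + ObjectInherit.
    $acl.AddAccessRule((New-FsRule -Identity $Group -Rights 'ReadAndExecute' `
                                   -Inheritance 'ContainerInherit, ObjectInherit'))
    # Re-add the management entries that were inherited before, so admins keep control.
    foreach ($admin in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-FsRule -Identity $admin -Rights 'FullControl' `
                                       -Inheritance 'ContainerInherit, ObjectInherit'))
    }
    Set-Acl -LiteralPath $child -AclObject $acl
}

# 3. Verify: the group should have ExecuteFile (not inherited) on A, and ReadAndExecute
#    on B1 and B2, with no entry marked IsInherited on the children.
$paths = @($Parent) + @($Children | ForEach-Object { Join-Path $Parent $_ })
foreach ($p in $paths) {
    (Get-Acl -LiteralPath $p).Access |
        Where-Object { $_.IdentityReference -eq $Group } |
        Select-Object @{ n = 'Path'; e = { $p } }, FileSystemRights, InheritanceFlags, IsInherited |
        Format-Table -AutoSize
}
```

To confirm that the result behaves as intended, sign in as a member of the group and run `Get-ChildItem D:\Shares\A`, which should fail with access denied, followed by `Get-ChildItem D:\Shares\A\B1`, which should list the child folder. `whoami /priv` on that user's session shows whether the token holds SeChangeNotifyPrivilege (the internal name of Bypass traverse checking), which determines whether the Traverse Folder entry on A is actually being evaluated.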
The Bypass Traverse Checking policy is a user right that determines which users can navigate an object path in the NTFS file system even if they do not have permissions on the traversed directory. Windows grants this right to Everyone by default, which means that the Traverse Folder permission is normally not evaluated at all: a user with no permissions on A but Read & Execute on A\B1 can still open B1 by its full path. The explicit Traverse Folder entry on the parent therefore only takes effect for users from whom the right has been removed, but it should be set anyway so that the configuration keeps working if the right is ever tightened. It is recommended to leave this policy at its default settings, because removing the right from Everyone can break applications that rely on it.
Thus the user is given Read & Execute access only to the child folders, while the parent folder can be passed through but neither listed nor read.