Whether you’re in the planning phase or have already implemented NTFS permissions, following some best practices ensures smooth administration and helps resolve access issues quickly.
Here are seven practices we find effective in managing NTFS permissions.
#1 Grant Full Control on the Share and Specific NTFS Permissions on Folders
It’s a good practice to give the “Everyone” group Full Control in the share permissions and then define specific permissions at the NTFS level, just as Microsoft has recommended.
We’ve established that this is the best way of combining Share Permissions and NTFS Permissions.
You can visit this post to read more about it.
#2 Share folders with Groups not Users
This makes administration easier. Imagine sharing the “Sales” folder with 10 sales people.
Okay, how about sharing it with 100 sales people?
Of course, the task is doable, but it would be a lot simpler if you just put them all in one group (such as Sales Group), then share the folder with that group.
The same logic can be used when applying NTFS permissions.
#3 Organize your Resources
To ease administration, it’s important to keep application files and data files in their own individual folders. Furthermore, consolidating folders with the same security requirements will assist in managing their access rights.
For instance, if users require “Read” permissions for several application folders, store those folders within a single folder. This will allow you to grant the permission to that larger folder, instead of doing that for each application folder.
It’s also easier to manage the permissions of application or data folders when they are stored on their own, rather than when mixed with other file and data types.
Additionally, backups will be less complex since you can choose which folders to back up without worrying if other file types will be included.
#4 Use “Read & Execute” for Application folders
When you assign permissions for working with application folders, assign the “Read & Execute” permission to the Users group and Administrators group.
“Read & Execute” permits only viewing, accessing, and executing the file. This way, it’ll prevent application files from being accidentally deleted or damaged by users or viruses.
#5 Assign minimum permissions only
Assign minimum permissions that allow users to perform the required tasks.
For example, if a user needs to read information in a folder, and should never delete or create files, assign only the “Read” permission.
Doing so prevents unauthorized access to critical data, making your environment more secure.
In a complex environment, however, over-privileging can happen, especially when users belong to multiple groups, leaving them with access they shouldn’t have.
By using tools such as FolderSecurityViewer or Effective Permission tool, you can examine and see the permissions each user has and act upon them accordingly.
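Because practice #1 leaves the share wide open to “Everyone”, the NTFS ACL is the only thing limiting access, so it is worth checking it directly. The PowerShell function below is an added example, not code from this article or from the tools named above: it walks a folder tree and lists every “Allow” entry that gives Everyone, Authenticated Users or the local Users group more than “Read & Execute” (practices #4 and #5). The function name `Find-OverPrivilegedAce` and the path `D:\Apps` are placeholders chosen for the example.

```powershell
# Added example (not from the article): list ACEs that give broad groups more than
# "Read & Execute". D:\Apps is a placeholder path; point -Root at your own folder.
function Find-OverPrivilegedAce {
    param([Parameter(Mandatory)] [string] $Root)

    # Match well-known SIDs rather than names, because group names are localized.
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    # Everything beyond "Read & Execute": write, delete, change ACL, take ownership.
    $r = [System.Security.AccessControl.FileSystemRights]
    $mask = [int]($r::Write -bor $r::Delete -bor $r::DeleteSubdirectoriesAndFiles -bor
                  $r::ChangePermissions -bor $r::TakeOwnership)
    # Get-Acl may also return raw generic rights that have no enum name.
    $mask = $mask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        # Below $Root only explicit ACEs are read; at $Root inherited ones count too,
        # so an entry set higher up the tree is not missed.
        $isRoot = $folder.FullName -eq $folders[0].FullName
        $rules = $acl.GetAccessRules($true, $isRoot, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not $broadSids.ContainsKey($sid)) { continue }
            if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
            [pscustomobject]@{
                Folder    = $folder.FullName
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Find-OverPrivilegedAce -Root 'D:\Apps' | Format-Table -AutoSize
```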
#6 Use intuitive naming convention
Using intuitive share names allows users to easily recognize and locate resources. For example, for the Application folder, use “Apps” as the share name.
Although this is a basic practice, which is often ignored, following an intuitive naming convention can save you from unnecessary calls or emails from employees asking which one is the right folder.
Also, use share names that can be used across all client operating systems.
#7 Document everything
And we mean everything, even the slightest changes. It’s always good to have something to go back to when you forget who has access to what.
This not only serves as your guide but also as something you can share with other admins in your group to ensure everyone is on the same page.
Also, since changes in the organization are inevitable, whatever method you use for documentation, ensure it can easily be modified and expanded.