Whether you’re in the planning phase or have already implemented NTFS permissions, following best practices keeps administration smooth and helps in resolving access issues. Here we list seven practices we find effective in managing NTFS permissions.
7 Best Practices in Managing NTFS Permissions
#1 Full Control on the Share and specific NTFS permissions at folders
In this post, we’ve established that this is the best way of combining Share Permissions and NTFS Permissions. This is Microsoft’s way, and no one is more qualified to give “best practice” advice on how to do something with Microsoft than Microsoft themselves. If you’re unsure about this topic, pay this post a visit and get ready to be enlightened!
#2 Share folders with Groups not with Users
The logic behind this recommendation is simple: it makes administration easier. Imagine you’re sharing the “Sales” folder with 10 salespeople. Sounds easy? Okay, how about 100 salespeople? Of course, the task is doable, but it would be a lot simpler if you put them all in one group (e.g., Sales Group) and then shared the folder with that group. The same logic applies when assigning permissions.
#3 Organize your Resources
As the saying goes, don’t put all your eggs in one basket. Keep application files and data files in their own individual folders, and consolidate folders with the same security requirements to ease administration.
For instance, if users require “Read” permission for several application folders, store those folders within a single folder. This will allow you to share that larger folder instead of sharing each application folder.
It’s also easier to manage permissions on application or data folders when they are stored separately rather than mixed with other file types. Lastly, backups become less complex too, since you can choose which folders to back up without worrying whether other file types will be included.
#4 “Read & Execute” for Data or Application folders
When you assign permissions for working with data or application folders, assign the “Read & Execute” permission to the Users group and Administrators group. “Read & Execute” permits only viewing, accessing, and executing files, so this prevents application files from being accidentally deleted or damaged by users or viruses.
#5 Minimum permission only
Assign the minimum permissions that still allow users to perform their required tasks. If users only need to read information in a folder and should never delete or create files, assign only the “Read” permission. Doing so prevents unauthorized access to critical data, making your environment more secure.
In a complex environment, however, over-privileging can happen, especially when users belong to multiple groups, leaving users with access they shouldn’t have. By using tools such as FolderSecurityViewer or Effective Permission tool, you can examine the permissions each user has and act upon them.
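To check practices #4 and #5 on an existing tree, the following PowerShell function (an added example, not part of the original article or of any tool named in it) lists folders where a broad built-in group holds rights beyond “Read & Execute”. The function name and the sample path are hypothetical.

```powershell
# Added example. Reports Allow ACEs that give Everyone, Authenticated Users
# or BUILTIN\Users any write, delete or permission-changing right.
function Find-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SIDs are identical on every Windows language version,
    # so match on SIDs rather than on localized account names.
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    # Rights that let a principal modify or delete content or change the ACL.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]`
        'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # GENERIC_WRITE | GENERIC_ALL, which can appear as raw values on some ACEs.
    $writeMask = $writeMask -bor 0x50000000

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $folders = @(Get-Item -LiteralPath $Path) +
        @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

        # Ask for explicit and inherited rules with identities returned as SIDs.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not $broad.ContainsKey($sid))      { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

            [pscustomobject]@{
                Folder    = $folder.FullName
                Principal = $broad[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Hypothetical path. Non-inherited rows show where the ACE was actually set.
# Find-BroadWriteAccess -Path 'D:\Shares\Apps' | Where-Object { -not $_.Inherited }
```

Rows with `Inherited` set to `False` are the folders to fix first, because correcting the explicit entry there also corrects every child that inherits it.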
#6 Intuitive naming convention
Use intuitive share names so that users can easily recognize and locate resources. For example, for the Application folder, use “Apps” as the share name. Basic as it may be, this will save you from unnecessary calls or emails from employees asking which one is the right folder. Also, use share names that can be used across all client operating systems.
#7 Document everything
And I mean everything, even the slightest changes. It’s always good to have something to go back to when you forget who has access to what. This not only serves as your guide but is also something you can share with other admins in your group to make sure everyone is on the same page. Also, changes in the organization are inevitable, so whatever method you use to document, make sure it can easily be modified and expanded.