Admin’s Advice: No to ‘Deny’ Permission

In this article, we will bring you some solutions that can help resolve an incorrect grant of a User’s rights. These solutions may also make an Administrator’s life easier by dealing with the consequences brought about by the misuse of the “Deny” permission.

Take this scenario as an example. The user changed Folder Permissions to Deny everyone. The Administrator then reverted these changes. It may appear that the situation has been fixed but the permissions show that the reverting of the settings is meaningless. Everyone still got the permission to read and write in the aforementioned folder. For an Administrator, the first step for this scenario is to check the perspective of Sharing and Security on a top-level folder. In our scenario, the sharing is set as follows: Domain Users, Administrators, and Domain Admins have read/write permissions; NTFS is set to give full control to System, Domain Users, and Domain Admins. The subfolders, meanwhile, have inheritance disabled since each subfolder has its own set permissions.

As we can see, the system in our imaginary scenario is a mess. But don’t lose hope yet, the situation can still be fixed. In fact, there is more than one solution that can fix the issue.

Before we go deeper into the solutions, the Administrator should keep in mind that ‘Everyone’ applies to all users, whether they are logged in or not. It also applies to those on or off the domain.

Let’s clarify some terms first. Authenticated Users are users that logged in the domain or forest. Domain Users are those that are on the current server’s domain. Make sure to keep this in mind because a ‘Deny’ on any of these may also mean a ‘Deny’ on the Administrator!

SOLUTIONS

Solution 1 – All users can log off then log back in again. This action enforces new NTFS permissions to the folder. If not all Users can log off simultaneously, the new settings can be set to standby until they do.

Solution 2 – Backups can be used to roll out the old settings and revert the permissions to the way they were before. Keep in mind that performing a Backup may take time so it is not recommended to do this during work hours, or if there are Users logged on to the system.

Solution 3 – The Administrator can get some insights into the User Permissions by clicking ‘Advanced’ in the Permissions window and then going to the Effective Access Tab. The Users and their individual access is shown in this tab. Although not an exact solutions, the Administrator can find answers to what permissions are set and being used.

Solution 4 – The easier solution is to crate new folders with the correct permissions applied to it and make these servings apply to the current folder and all the subfolders and files. Once all this is set, everything can then be moved to the folder with the corrected permissions. The Administrator has the option to take full ownership, rewrite permissions, and give full access to Domain Admins. After that, it is possible to decide who can have read/write permissions.

The administrator can give Authenticated Users Read/Write permissions and they can be used to handle access with shared files and folders at the NTFS level. This is a better situation that trying to limit access to sharing at the Share Access Control Layer. Using ’Deny’ permission is always the worst and last solution as it has a broad scope and it denies ‘Everyone’ by default.

Overview: Resilient File System (ReFS)

Resilient File System (ReFS) is Microsoft’s latest file system that is an alternative to the New Technology File System (NTFS). ReFS has been introduced for implantation of systems with large data sets to give more functionality in terms of efficiency, scalability, and availability.

An outstanding feature of ReFS is data integrity which protects data from common errors that may lead to data loss. In case of an error in the file system, ReFS has the ability to recover from data loss without compromising the volume availability. On the other hand, ReFS is a robust file system with proven reliability and it is time and cost efficient when used on servers.

The Key Elements of ReFS

The key elements of a Resilient File System are dependent on the amount of data the server system manages.

  • Allocate on Write
    The main reason behind this feature is to avoid data corruption because of its ability to provide cloning of course database simultaneously without straining available storage space. All forms of torn writes are eliminated using the Allocate on Write method. This implies that the file stored on ReFS partition can be read and written on a single instruction.
  • B+ Trees
    The servers store a lot of information and limitless sizes of files and folders. The ReFS scalability element means that the file servers can handle large data sets efficiently. A B+ Tree file structure also enables data to be stored and retrieved in a tree structure with every node acting as keys and pointers to low level nodes in the same tree.

Why Use Resilient File System

  • Resilience
    From its name, the ReFS partition will automatically detect and fix detected errors while the file is in use without compromising file in integrity and availability. Resiliency relies on the following four factors:

    • Integrity Streams
      Integrity streams allow for the use of checksums on stored data enabling the partition to query the reliability and consistency of the file. Fault tolerance and redundancy is maintained through data striping. Power shell commands such as Get-FileIntegrity and Set-FileIntegrity can be used to manage file integrity streams.
    • Storage Space Integration
      ReFS allow for repair of data files with an alternate copy found in the storage space. This is made possible when used alongside disk mirroring. The repair and replacement takes place online without the need to unmount the volume.
    • Data Recovery
      When data is corrupted and no original copy of it exists in the database, ReFS will remove the corrupt data from the namespace while keeping the volume online.
    • Preventive Error Correction
      The Resilient File System allows for data integrity check in addition to validation before any read or write action. The integrity check will occasionally scan through volumes to identify potential errors and trigger a repair action.
  • Compatibility
    Working with ReFS can be used alongside volumes using the New Technology File System (NTFS) because it still has support for key NTFS features.
  • Time Saver
    When backing up data or transferring files from partitions using ReFS, the time taken during read/write actions is reduced compared to backing up data in an NTFS partition.
  • Performance
    ReFS performance ranks on new features like virtualization, cloning volume blocks, real time optimization, etc. All are to enhance dynamic and multiple workloads. Performance on any ReFS is made possible through:

    • Mirror Accelerated Parity
      The parity mode ensures that the system delivers both efficient data storage and high performance. The volume is divided into two logical storage sectors, each with its own drive properties and resilient types.
    • Accelerated VM Operations
      In an effort to improve functionality when implementing virtualization, ReFS allow for the creation of partitions that support block cloning to allow for multi-tasking. ReFS also reduces the time needed to create new fixed-size Virtual
      Hard Disk files from minutes to seconds.
    • Varied Cluster Sizes
      The ReFS allows for the creation of both 4K and 64K file cluster sizes. In other file systems, 4K is the recommended cluster size. But the ReFS accommodate the 64K because of its large and sequential input /output file requests.
    • Scalability
      The ability to support large data sets without having a negative impact on system performance is by far the best file deployment system in terms of scalability. Shared data storage pools across the network enhance fault tolerance and load balancing.

Points to Note

ReFS cannot be used on a boot file system (the drive containing bootable Windows files). The ReFS partition is best used exclusively on storage volumes.

Removable volumes such as USB flash drives cannot accommodate the ReFS partition because there is no available mechanism to convert a ReFS partition to another file system.

ReFS, like NTFS, was built on the foundation of compatibility to make it easier to move data from NTFS to ReFS because of the inherited features like access control list, BitLocker, mount points, junction points, volume snapshots, symbolic links, and file IDs.

Some of the lost features likely to be encountered when moving to ReFS are Object IDs, short names, extended IDs, compressions, quotas, hard links, user data transactions, and file level encryption.

Some files or installed programs may not function as intended when ReFS is used on a non-server operating system.

In the even that a ReFS partition fails, recovering the partition is not possible; all that can be done is data recovery. Presently, there is no recovery tool available for ReFS.

Conclusion

The Resilient File System has unique advantages over the existing file system. It may have its own drawbacks, but that does not take away its self-healing power, file repairs without downtimes, resilience in the event of power failure, and its ability to accept huge file sizes and names longer that then usual 255 characters. File access on ReFS uses the same mechanisms NTFS uses.

Most of the implementations of ReFS are to be used on systems with huge storage and rapid input/output demands. The ReFS cannot fully replace the NTFS because its design was intended for a specific work environment. Some of its features do not have full support, therefore system administrators aspiring to use ReFS may still have to wait for its full implementation.

Enforcing NTFS Permissions on A File Share

One of the most important functionalities in Microsoft Windows Server is access control over files and folders. That important function is controlled by File and Folder security permissions framework.

NTFS (New Technology File System) permissions are usable to drives formatted with NTFS. NTFS permissions affect local users as well as network users and they are based on the permission granted to each user at system login, no matter where the user is connecting.

NTFS Structure

NTFS File System is a hierarchical structure, with disk volume on top and folders as branches. Each folder can contain numerous files or folders, as leaves in that node. Folders are referred as containers or objects that contain other objects.

In that hierarchy, of course, there is need to define access rights and permission per user or group. For that, permissions are used.

Managing Permissions

Each permission that exists can be assigned in two ways: explicitly or by inheritance.

Permissions set by default when the object is created, or by user action are called. Explicit permissions and permissions that are given to an object because it is a child of a parent object is called inherited permissions.

Permissions are best managed for containers of objects. Objects within the containers inherit all the access permissions in that container. The first thing to specify when establishing permissions is granting access to the resource (Allow) or not (not Allow).

After setting up permission, resource assets are controlled by the Local Security Authority (LSASS), and it checks the security of user that tries to access it. If SID (security identifier) is valid, LSASS allows usage of an object and all inherited objects in the structure.

Permission Rules

Due to many different permission settings per user in a bigger structure, there is a possibility of conflicting permission settings. So here are some rules that were made to resolve possible issues:

  • Deny permissions are superior to allow
  • Permissions applied directly to an object (explicit permissions) are superior to permissions inherited from a parent (for example from a group).
  • Permissions inherited from near relatives are superior to permissions inherited from distant predecessors. So, permissions inherited from the object’s parent folder are superior to permissions inherited from the object’s “grandparent” folder, and so on.
  • Permissions from different user groups that are at the same level are cumulative. So, if a user is a member of two groups – one of which has an “allow” permission of “Read” and other has an “allow” or “Write”, the user will have both read and write permission depending on the other rules above.

Permission Hierarchy

File permissions are superior to folder permissions unless the Full Control permission has been granted to the folder.

Deny permissions generally are superior to allow permissions, it is not always the matter. An explicit “allow” permission can take precedence over an inherited “deny” permission. The hierarchy of precedence for the permissions can be set as follows, starting from higher to lower:

  1. Explicit Deny
  2. Explicit Allow
  3. Inherited Deny
  4. Inherited Allow

NTFS Permissions and Shared Folder Permissions

When NTFS permissions are used alongside Share permission, there could be a conflict in the configuration. In those cases, an option that is applied is one that is most restrictive.

It is possible to combine both permission sets to access the resources on an NTFS volume. First, it is needed to share folders with the default shared folder permission and then assigns NTFS permission to a shared folder and to secure files that way.

This way, an effect is the usage of NTFS permissions to control access to shared folders, and it is more secure and flexible than usage of shared folders permission only. Plus, NTFS permissions are enforced, regardless if the resource is accessed locally or via the network.

NTFS permissions can be applied to files and subfolders in a shared folder, and different permissions can be applied to each file and subfolder inside shared folder. That means that NTFS functionality is added to a shared folder.

So, in the hypothetical situation of moving or copying files or folders from NTFS permissions to a shared folder. The question is, is it possible to force files and folders to inherit permissions from the parent, regardless of how they get in a shared folder (copied or moved)?

The short answer is yes.

When files are copied or moved, all permissions are inherited from the destination. This makes things much easier to administer and gives users less chance to accidentally create file/folder structures with incorrect permissions without knowing.

NTFS Tutorial #4: Daily Operations

Download “NTFS #4 – Daily Operations” as an eBook


NTFS Permissions vs. Share Permissions

Difference between NTFS Permissions and Share Permissions

Share permissions are applied when a shared folder is accessed over a network. It is a common misconception to think that share permissions works in a different way. When you log in locally to a Windows machine (even if a file or folder is shared to other users within your network), every time you access an object locally, NTFS permissions apply and share permissions do not apply. It does not matter how restrictive share permissions have been set up on your network, if you have access to the object and you are logged into the workstation or server that “owns” the file or folder, you will be granted access.

Combining NTFS Permissions and Share Permissions

When using share permissions and folder permissions please keep in mind, that you can apply different NTFS permissions to each folder within a shared folder. Working this way will ensure a permission strategy for each kind of data located in an appropriate folder structure.

A frequently asked question when managing Windows Server environments is: once you combine share permissions with NTFS permissions, how do these two types of permissions work together? The answer is rather simple and helps you determine the most effective form of permission for a shared folder. Both sets of permissions get applied and the more restrictive of the two takes precedent. To give you a better idea, take a look at the below example.

You give “Full Control” NTFS permissions to the “FileShare-Operatoren” group for a folder called MyFolder, as seen in the image below:

Full Control Permissions for MyFolder

If you share MyFolder within the Windows Network to the “FileShare-Operatoren” group using “Read” permissions and a user that belongs to this group tries to access the folder from the network, that user will only have “Read” access and not “Full Control”. However, if that user then goes to the workstation or server where MyFolder is allocated, he will be granted “Full Control” permissions.

Read Only Share Permissions for MyFolder

3 Examples of Combining Share Permissions with Folder Permissions

In the next two examples we have shared folders on NTFS volumes. These shared folders contain subfolders that have also been assigned NTFS permissions.

EffectivePermissions

Combined Share and NTFS Permissions

First example:

  • Accounting folder is shared.
  • The Accounting group has the shared folder “Read” permission for this folder and the NTFS “Full Control” permission for the Orga subfolder.

The effective permissions for any member of the Accounting group for the subfolder called Orga is Read.

Second example:

  • Users folder contains home folders for each user, here John and Maly.
  • Both home folders contains data accessible only to the user for whom the folder is named.
  • The Users folder has been shared and the Users group has “Full Control” permission for the Users folder.
  • John and Maly have the NTFS “Full Control” permission for their home folder only and no NTFS permissions for other folders.
  • Boths are members of the Users group.

The effective permissions for John and Maly for their own home folder are Full Control. But John has no access to Maly’s home folder and Maly has no access to John’s home folder.

Third example:

The group Sales has these permissions:

  • NTFS Permissions Full Control for shared folder Sales
  • NTFS Permissions Read for File1
  • NTFS Permissions Full Control for File 2

The effective permissions are:

  • The member of this group are granted only Read access to File1 because it is the most restrictive permission.
  • And they are granted Full Control to File2 because both permission assignments are at the same level.

Effective NTFS Permissions


Copying and Moving Files and Folders

Now that we know how to manage permissions for folders or files, it’s a good time to ask ourselves a question: What happens to permissions if I copy or move the files or folders? The answer is: it depends.

To give you a clearer explanation, consider the following three scenarios. Let’s assume that you are going to copy “D:\MyFolder” and let’s assume that “D” has an NTFS format.

Scenario A:

Copy D:\MyFolder to E:\ (E:\ is a FAT volume)

Results:

  • When you copy files or folders to FAT volumes, the folders and files lose their NTFS permissions because FAT volumes don’t support NTFS permissions.

Scenario B:

Move D:\MyFolder to D:\MyFiles

Results:

  • The file or folder retains its original permissions.
  • You must have the “Write” permission set up for the destination folder to move files and folders into that folder.
  • You must have the “Modify” permission set up for the source file or folder. The “Modify” permission is required to move a file or folder because Windows 2000 deletes files and folders from the source folder after they are copied to the destination folder.
  • You become the creator and owner.

Moving Files

Scenario C:

Copy D:\MyFolder to F:\MyFolder (F:\ is an NTFS volume)

Results:

  • The file or folder inherits the permissions of the destination folder.
  • You must have the “Write” permission set up for the destination folder to move files and folders into that folder.
  • You must have the “Modify” permission set up for the source file or folder. The “Modify” permission is required to move a file or folder because Windows XP Professional deletes files and folder from the source folder after they are copied to the destination folder.
  • You become the creator and owner.

Copying Files


Powershell and NTFS Permissions

Automation and scripting become more important for system administrators with every Windows Server version. One of the key concepts behind Windows Server 2012 is the capability to do almost everything you can do on a GUI. Using Powershell scripts and NTFS permissions are no exception.

The following table lists the most common use case scenarios that a system administrator can have and how to perform operations such as using scripts without going to the common graphical user interface (GUI). This is just to get you started on managing ACL’s with Windows Powershell. Remember, these scripts can become as complicated as you want them to be.

Basic Powershell Scripts to Manage NTFS Permissions:

Task Powershell Script
Reading Permissions of a Single File or Folder ((Get-Item D:\MyFolder).GetAccessControl(‘Access’)).Access
Modifying User Permissions on a Folder $HomeFolders = Get-ChildItem C:Homefolders -Directory
foreach ($HomeFolder in $HomeFolders) {
$Path = $HomeFolder.FullName
$Acl = (Get-Item $Path).GetAccessControl(‘Access’)
$Username = $HomeFolder.Name
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, ‘Modify’,                 ‘ContainerInherit,ObjectInherit’, ‘None’, ‘Allow’)
$Acl.SetAccessRule($Ar)
Set-Acl -path $Path -AclObject $Acl
}

Best Practices

  • A common practice by many businesses is to share a folder by giving full access to a group made up of everyone, then control who can access that folder using NTFS permissions.
  • Always try to share folders with groups instead of individual people, as this makes administration tasks far simpler.
  • To consolidate administration and group files into application, data, and home folders, centralize all home and public folders separately from your applications and operating system. Doing so provides the following benefits: a) permissions may only be assigned to folders, not individual files and b) backing up will be less complex because you will not need to back up application files, as all home and public folders will be consolidated in one location.
  • When you assign permissions for working with data or application folders, assign the “Read & Execute” permission to the Users group and Administrators group. This will prevent application files from being accidentally deleted or damaged by users or viruses.
  • Always assign the most restrictive permissions that still allow users to perform required tasks. For example, if users only need to read information in a folder and should never delete or create files, assign the “Read” permission.
  • Organize your resources so that folders with the same security requirements are located within one folder. For example, if users require “Read” permission for several application folders, store those folders within a single folder. This will allow you to share that larger folder instead of sharing each individual application folder.
  • Use intuitive share names so that users can easily recognize and locate resources. For example, for the Application folder, use “Apps” as the share name. You should only use share names that can be used across all client operating systems.

Download “NTFS #4 – Daily Operations” as an eBook

 

 

 

Prevent Unauthorized Access to Sensitive Windows Folders!

Get your free edition of the easiest and fastest NTFS Permission Reporter now!

NTFS Tutorial #3: Share Permissions

Download “NTFS #3 – Share Permissions” as an eBook


Understanding Share Permissions

Shared folders are used to provide other users, on your Windows network, access to the contents of those folders. You can only share folders, not individual files.

Share permissions are only applied when a shared folder is accessed over the network. It is a common misconception to think the process works in a different way. When you log into a Windows machine locally (even if a file or folder is shared to other users within the network), every time you access an object, NTFS permissions apply and not share permissions. It does not matter how restrictive share permissions have been set up, if you have access to the object and you are logged into the workstation or server that “owns” the file or folder, you will be granted access.

There are three types of share permissions:

  • Full Control: Allows the user to read/execute/write/delete the contents of the folder and manage the folder permissions.
  • Change: Allows the user to read/execute/write/delete the contents of the folder, but does not allow the user to modify its permissions.
  • Read: Allows the user to read the contents of the folder and its files.

Share Permissions for MyFolder


How to Share Folders

Although the concept behind sharing folders has not changed, there are now two ways to share folders after the release of Windows Server 2012. In previous versions of Windows, the process was isolated and you had to access the folder first or login to the server that owned the folder in order to share it. Windows Server 2012 provided a new interface and a more centralized way of achieving this goal by using the Server Manager. This section will cover both options.

Sharing Folders – The Traditional Way

Right click the folder. Then click on Share with followed by Specific people.

“Share with” Windows Menu

Next, you will be presented with the following form, in which you select which users will be granted permission to access the folder. Click on the arrow, followed by Find people.

File Sharing Properties Page

Now you can select the users who will have access to the folder. Type their name and click on the Check Names button. Once you are done adding users, press the OK button. For this example, we will use the group “Everyone”.

Select users or groups

Click on the Share button.

File Sharing Properties Page

Your folder is now shared to the users/groups that you chose during the previous steps. You can email the link to this folder to the respective users or copy and paste the link as you please.

Shared Folder Confirmation

This is the link we obtained for our example folder after clicking copy:

MyFolder (file://WS2012R2/MyFolder)

Sharing Folders – The Server Manager Way

The Server Manager, a graphical interface that integrated many tasks initially done in separate and unorganized ways, was first introduced as a concept in Windows Server 2008. However, it wasn’t until the release of Windows Server 2012 that this concept was fully implemented and improved. Now, the Server Manager is frequently the starting point for any task that needs to be performed on the server.

Sharing folders are now fully integrated into the Server Manager, which provides a more centralized means of sharing folders among different users and from different servers, although the concept remains the same.

First, open the Server Manager. On the lefthand side, you will see all the roles your server provides. Click on File and Storage services. (Note: you need to have previously installed this role using the “Add roles or features” assistant.)

Server Manager

Then click on Shares, followed by Tasks, followed by New Share.

New Share Option in the File and Storage Services Manager

Now you will choose what you want to share. Each option has a description on the righthand side. For the purpose of this article, choose SMB Share – Quick and click Nextbutton.

New Share Wizard

Now select the volume and/or the path for the folder that you want to share and click the Next button.

Selecting Server and Path

Type a name for your shared folder. By default, the share name is the name of the actual folder, but you can choose any name that fits your purposes. Click the Next button.

Specify Share Name

You are now presented with the Other settings form. Here you can choose some new features to use with your share that were not present in previous Windows Server versions (or that were only available by downloading separate Windows Server packages). The form contains a brief description of each setting, which will be summarized below to provide better understanding. Keep in mind that these options were made to improve security and reliability, thus it is best to choose all of them as we have done in our example.

  • Enable Access-based Enumeration: Use this setting when you want to prevent users from seeing other folders besides those they have access to. For example, if you create a folder that contains all “Home” directories containing their personal files for several users, you might want to allow each user to only see the list of folders within their own folder.
  • Allow Caching of Shares: Use this setting to provide users with an offline copy of their folder. This is particularly helpful if you run into network issues that prevent users from accessing the network path for their folder.
  • Encrypt Data Access: This setting improves the security of your network shares by encrypting all data in transit. In the case that it is intercepted while being transferred to or from the user workstation to the shared folder, the content will be encrypted and become inaccessible to other sources.

Once you are done selecting these options, click the Next button.

Share Settings

The next step is to configure permissions. This step centralizes the setup for both NTFS and share permissions to a single screen.

Remember that, by default, your folder is shared to the group “Everyone” with “Full Control”. This is shown in the tab “Share permissions: Everyone Full Control”.

Next, you can see a list of the current NTFS permissions for the folder. Remember that, by default, the folder will inherit permissions from its parent folder.

To change these settings, click the Customize permissions button.

Setting Share Permissions

Notice this is the same Advanced Security Settings properties page that we saw in previous chapters under theShare tab, where you can set share permissions for users or groups, thus combining NTFS and share permissions in a single graphical user interface. Once you are ready to set up your permissions, click the OK button followed by the Next button.

Advanced Security Settings Properties Page

Finally, you are provided with a summary of the share you just set up. To finish the process, click the Create button.

Create Share Confirmation Page


How to List Shares

In previous editions of Windows (both for Servers and Workstations), once you shared a folder, a hand would be displayed next to that folder’s icon.

This changed in Windows Server 2012 for Windows 8 and Windows 10.

For workstations, there is now only one way to list your shared folders. For servers, there are two different options.

  • For workstations/servers: Go to Windows File Explorer. Click on Network followed by the name of your server/workstation to display all shared folders.

List of Shares in Windows Explorer

  • For servers: Go to the Server Manager. Click File and Storage Services followed by Shares to list all shared folders.

List of Shares in Server Manager


Download “NTFS #3 – Share Permissions” as an eBook

 

 

 

Prevent Unauthorized Access to Sensitive Windows Folders!

Get your free edition of the easiest and fastest NTFS Permission Reporter now!

NTFS Tutorial #2: Working With NTFS Permissions

Download “NTFS #2 – Working with NTFS Permissions” as an eBook


In previous chapters, we covered how to visualize an ACL (the current permissions of a filer or folder). Now you are going to learn how to manage these permissions. Throughout this section, we will continue to use MyFolder as our example folder.

How to Assign or Remove NTFS Permissions

First, locate the folder or file you want to grant permissions to. Right click that folder. Then click on Properties.

Menu options relating to a file or folder in Windows

Click on the security tab to view the ACL for the folder. Under Groups or user names click the Edit button.

MyFolder ACL Properties Page

To remove a user, simply click on that user and press the Remove button followed by the OK button.

To add a user, click the Add button:

An access control list (ACL) in the Windows Server 2012 R2 / 2016

Now you can select the User/Groups you wish to grant access to MyFolder. The options within the Select Users or Groups form are as follows:

  • Object Types: Allows you to filter what type of object you want to assign, in order to narrow your search.
  • Locations: If you are on a Windows Network, you can choose between the local computer or Active Directory to search for network users in your organization.

For our example, we are going to type “FileShare-Operatoren” in the Enter the object names to select textbox and then click the Check Names button, followed by the OK button.

Adding users or groups to ACL

“FileShare-Operatoren” now appears on the “Permissions for MyFolder” page. Here you can choose which permissions to grant the user. Once you assign these permissions, click the OK button. For this exercise, we assigned the “Full Control” permission to the user from the “FileShare-Operatoren” group. You can also deny permissions using the “Deny” column. As a reminder, we do not recommend denying permissions to users. Instead, it is best to control user access through the groups which they belong to.

Assigning Permissions to the FileShare-Operatoren Group

Group now has “Full Control” permissions within the ACL.

MyFolder ACL After Assigning Permissions to FileShare-Operatoren


How to Assign Special Permissions

First, locate the folder or file you want to grant permissions to. Right click that folder. Then click on Properties.

 

Menu options relating to a file or folder in Windows

Click on the security tab to view the ACL for the folder. Then click on Advanced.

This is the Advanced Security Settings tab, which changed in Windows Server 2012 to provide an interface that is easier to understand and manage.

In the permissions tab, click on the Add button.

Advanced Security Settings for MyFolder

On the permissions entry page, click on Select a principal.

Permission Entry Property Page for MyFolder

Choose the user or group you want to grant special permissions to. We will use group “FSV_Change” for our example. Then click the OK button.

Adding users or groups to ACL

Once you have selected your user or group, by default, you are presented with the list of basic permissions. To see the list of advanced permissions, click on Show advanced permissions.

Enabling Advanced Permissions in the Permission Entry for the MyFolder Property Page

Select the proper advanced permissions for the user and click the OK button. For more details about each advanced permission type, please refer to the previous chapter.

Choosing Advanced Permissions

You will now see the advanced permissions assigned on the Advanced Security Settings page. Click the OK button to complete the process.

View of Advanced Permissions Set for FSV_Change group


How to Disable Inheritance

You can disable inheritance for any given file or folder by going to the Security tab within the properties of that file/folder and clicking on Advanced followed by Disable inheritance.

Disabling inheritance and replacing child object permissions in the Advanced Security Settings tab

In next step you have to choose one of the following options. The first option Convert inherited permissions into explicit permissions on this object will copy all inherited permissions and set them explicitly on this level. This would be the same as if you set all of these permissions manually.

The second option Remove all inherited permissions from this object will remove any permissions. You must be aware that you have to set permissions now by your own. Otherwise no permissions will be set on this folder anyway.

Block Inheritance Settings

When administrators and users start changing permissions regularly, some files or folders can become inaccessible to users and groups that should have access. For this reason, you can, at any time, go back to the default inherited state by choosing Replace all child object permission entries with inheritable permission entries from this object as seen in next image.

Advanced Security Settings


How to Override Folder Permissions with File Permissions

It is possible to override access to a file within a folder that you do not have access to. In our example, let’s say that you do not have access to “MyFolder”, but there is a specific file within MyFolder called “MyFile” that you need access to. You can receive access to only this specific file if you use the “Bypass Traverse Checking” security setting permission.

Bypass Traverse Checking is a setting that is assigned through Group Policy Settings. Therefore, we won’t cover it in detail in this article.


How to Override Folder Permissions with Deny Permission

It is possible to override any permissions with a Deny Permission. In our example, lets say that you do have modify access to “MyFolder” because of your membership in a specific security group, and you are a member of a group that is denying permissions to a specific file in that folder, you will not get access to this file.

Denying permissions overrides any other permissions a user might have. Consider, this is not the recommended method of controlling access to resources.

Example with Deny Permissions

In Figure above:

  • John is member of Group Sales_W and Group Sales_File2_DW.
  • For folder Sales John will inherit Write permissions from Group Sales_W.
  • And John will inherit Deny Write permissions for File2 from Group Sales_File2_DW.

The results are:

  • John can read and write to File1.
  • He can also read File2, but cannot write to this file because he is a member of Group Sales_File2_DW, which grants Deny Write permission to this file.

Download “NTFS #2 – Working with NTFS Permissions” as an eBook

 

 

 

Prevent Unauthorized Access to Sensitive Windows Folders!

Get your free edition of the easiest and fastest NTFS Permission Reporter now!

NTFS Tutorial #1: Understanding NTFS Permissions

Download “NTFS #1 – Understanding NTFS Permissions” as an eBook


Basic Concepts

NTFS

NTFS, which stands for New Technology File System, is Microsoft’s current file system for the Windows NT operating system. NTFS is the successor of Microsoft’s previous systems, FAT and HPFS, and contains a wide range of improvements in terms of performance, extendibility, and security.

The main differences between NTFS and its predecessors are:

  • FAT32 only supports individual files of up to 4GB in size. On the other hand, NTFS supports files of up to 16 EiB (16 × 10246 or 264 bytes).
  • The most important difference you need to understand in order to follow this tutorial is that NTFS supports file permissions and introduced the concept of the access control list (ACL), a concept we will be explaining in more detail as we proceed.

NTFS Permissions

NTFS permissions determine who have access to files or folders. These permissions can be assigned to individual users or groups, but the best practice is to assign them to groups whenever possible. Permissions are set in the ACL.

Access Control List (ACL)

The access control list (ACL) is the list of users or groups that have access to a certain object. An object can be a file or folder. Each entry in the ACL is known as an access control entry (ACE).

The users or groups in the ACL are known as trustees. Permissions can be allowed, denied, or audited.

To create, edit, or view access control lists, you right click on a file or folder then select Properties from the options displayed:

Menu options relating to a file or folder in Windows

Next, click on the Security tab to display the access control list (ACL) for the chosen file or folder.

An access control list (ACL) in the Windows Server 2012 R2 / 2016


Understanding Permissions

Windows allows you to assign different types of permissions to an object. You can allow or deny such permissions. The types of permissions change depending on if you are working with a file or folder.

NTFS Folder Permissions

You can assign permissions to a user or group for a specific folder and, thus, control their access level. How these permissions are propagated to subfolders and their respective files is controlled by inheritance, a concept we will explain in more detail as we proceed. Next table lists and describes all permissions that can be allowed or denied for a certain user or group.

List of NTFS folder permissions:

Permission Description
Full Control Specifies whether a user or group has all available permissions for a folder.
Modify Specifies whether a user or group can modify the contents of a folder. It is more restrictive than full control, as it does not allow users/groups to change permissions or take ownership of said folder.
Read and Execute Specifies whether a user or group can read the data within a folder and execute the programs said folder contains.
List Folder Contents Specifies whether a user or group can list the content of a folder. This does not allow users/groups to run any of the programs or read any of the data within the folder.
Read Specifies whether a user or group can read the data within a folder. As opposed to “Read and Execute”, if there is an executable file within the folder, the user or group will be unable to run it.
Write Specifies whether a user or group can create files and folders, write data, and write attributes for a folder. The write permission implies the ability to read all data within the folder.
Special Permissions Refer to TABLE 3 for the list and description of special permissions.

 

NTFS File Permissions

You can assign permissions to a user or group for a specific file and, thus, control their access level. Next table lists and describes all permissions that can be allowed or denied for specific users or groups. NTFS file permissions take priority over NTFS folder permissions. For example if you have access to a folder, but an administrator denies access for a file within that folder, you cannot access that file even if you have the necessary permissions for its parent folder.

List of NTFS file permissions:

Permission Description
Full Control Specifies whether a user or group has all available permissions for a file.
Modify Specifies whether a user or group can modify a file. It is more restrictive than full control, as it does not allow users/groups to change permissions or take ownership of said file.
Read and Execute Specifies whether a user or group can read the contents of a file and execute the programs of said file.
Read Specifies whether a user can read a file’s data. As opposed to “Read and Execute”, if the file in question is an executable file, the user or group will be unable to run it.
Write Specifies whether a user or group can change the content or, in other terms, write data to a file. The write permission implies the ability to read all the data contained in a file.
Special Permissions Refer to next table for the list and description of special permissions.

Special permissions:

Permission Description
Traverse Folder/Execute File Traverse Folder allows a user or group to access a folder nested within a tree, even if parent folders in that tree deny said user/group access to the contents of those folders. Execute File allows a user or group to run a program.
List Folder/Read Data List Folder allows a user or group to see objects (files and folders) inside a folder. Read Data allows a user or group to open and view a file
Read Attributes Allows a user or group to view basic attributes of an object (read-only, system, archive, and hidden).
Read Extended Attributes Allows a user or group to view the extended attributes of an object. For example: the summary, author, title, and so on for a Word document. These attributes vary from program to program.
Create Files/Write Data Create Files allows a user or group to create new objects within a folder. Write Data allows a user or group to overwrite an existing file.
Create Folders/Append Data Create Folders allows a user or group to nest folders. Append Data allows a user or group to add data to an existing file, but not delete data within that file or delete the file itself.

 

NTFS Access Limitations

Microsoft provides the following table to offer a more detailed understanding of what each permission can allow you to do. You should always refer to this table when assigning permissions. Try to assign the most restrictive possible permissions for each use case. A common bad practice in many IT business environments is to assign “full control” every time a user or group requests access to a file or folder.

NTFS access limitations:

Special Permissions Full Control Modify Read and Execute List Folder Contents Read Write
Traverse Folder/Execute File x x x x
List Folder/Read Data x x x x x
Read Attributes x x x x x
Read Extended Attributes x x x x x
Create Files/Write Data x x x
Create Folders/Append Data x x x
Write Attributes x x x
Write Extended Attributes x x x
Delete Subfolders and Files x
Delete x x
Read Permissions x x x x x x
Change Permissions x
Take Ownership x
Synchronize x x x x x x

Permission Inheritance

There are two types of permissions in Windows NT environments:

  • Explicit: Permissions that are applied by default to an object upon its creation or by user action.
  • Inherited: Permissions that are propagated to a child object. Inherited permissions facilitate the management tasks related to permissions assignment and ensure consistency among all the objects within a folder.

You must take into account that, by default, all objects created within the same folder inherit permissions from its respective parent folder. For example, if you create a folder called MyFolder, all subfolders and files within MyFolder will inherit its permissions automatically. In this order of ideas, MyFolder has explicit permissions and all subfolders and files in MyFolder have inherited permissions.

Inherit and prevent inheritance of Permissions

 

You can disable inheritance for any given file or folder by going to the security tab of its properties (as explained above) and clicking on Advanced and Disable Inheritance.

Disabling inheritance and replacing child object permissions in the Advanced Security Settings tab

When administrators and users start changing permissions and making regular changes, some files or folders can become inaccessible and users/groups that should have access to an object can lose their access. That’s why you can go back, at any time, to the default inherited state of any prior time by choosing the option “replace all child object permission entries with inheritable permission entries from this object”.


Effective Access

The Effective Permissions tab, found in the Advanced Security Settings Editor in earlier versions of Windows, was replaced with a tab called Effective Access in Windows Server 2012 R2 and Windows Server 2016, which lets you choose not only the user or group accessing the file or folder, but also the device accessing that file or folder.

Tis tab provides an overview of all the permissions assigned to a user or group in regards to accessing a certain object. For example, if John has “read” permissions for MyFolder and belongs to a group with “write” permissions, the effective access tab will show you that John has both “read” and “write” permissions for MyFolder.

Effective access in Windows Server 2012 R2 and Windows Server 2016


Dynamic Access Control (DAC)

Though the interface has been improved, many of the underlying concepts of NTFS permissions have not changed over the years. The most notable changes are that the effective permissions tab has changed and dynamic access control (DAC) has been introduced.

DAC does not replace NTFS permissions, but does extend the capabilities offered by NTFS permissions and share permissions.

For example, a user might have different permissions when they access a resource from their office computer than when they access that same resource using a laptop or over a virtual private network (VPN). In addition, access can be granted to a specific user only if said user’s device meets the security requirements defined by administrators.


Download “NTFS #1 – Understanding NTFS Permissions” as an eBook

 

 

 

Prevent Unauthorized Access to Sensitive Windows Folders!

Get your free edition of the easiest and fastest NTFS Permission Reporter now!

ReFS vs NTFS

ReFS vs NTFS

When discussing backup solutions for data on Windows fileservers, most of the discussion would go around exceeding 3-2-1 backup rule, or backup (all in one) appliance solutions.

Not so much attention is given to local storage formatting and file systems used in the process, of course, in case you prefer local storage over file based share.

An interesting topic was shared lately on Novosco’s Technical Architect Craig Rodgers, under the title “ReFs vs. NTFS, Calm Seas vs. Stormy Waters” regarding exactly the point.

As a part of his role in Novosco (technical validation of projects and solutions), Mr. Rodgers tested the ReFS and NTFS capabilities and differences in 8 week period, with daily copy of 8 virtual servers to 8 different repositories.

Test goal was a direct comparison between the various block sizes, file systems, compression and deduplication settings, which are often used in backup copy jobs

His team created 2TB LUNs from SAN ( Storage Area Network) and presented it to the server as drives.

Data flow from host to repositories used BaaS node, copied varied roles and change rated VM’s data to another location via backup copy jobs, then copied from the Baas note do the test repositories outside of the normal backup window.

Testing was made with Veem backup platform configured to create backup copy jobs that targeted servers, with 7 incremental and 8 weekly backup copies configured via GFS retention policy on 8 different type of servers :

  • Application
  • Web Application
  • Database
  • Domain Controller
  • Exchange Hybrid
  • Web Server
  • Light Application
  • Network Services

8 Week period test results came very interesting. According to Mr. Rodgers;  64K ReFS formatted drives have an additional file system overhead once formatted when compared to 4K.

Veem made solid results on data reduction, especially on DB server, which structured data achieved the best reduction in space. Raw uncompressed data achieved the best levels of deduplication, with ReFS repository data included for comparison, there was no post process operation on the ReFS repositories.

Initially, the capacity savings of processed data in the NTFS uncompressed repositories is impossible to ignore, however, the additional space required to ingest the data cannot be ignored too.  If a long-term retention repository is a goal, then within the constraints of NTFS deduplication, (1TB officially, seen 4TB restored without issue in testing) uncompressed offers huge gains regarding data reduction, 20:1, with Windows.

The big flaw of ReFS is a disability for the RAID, which Microsoft is working on, so keep in mind usage of hardware virtualized RAID alternative, if you want to use ReFS in a future deployment.

ReFS, for the most part, is working well now and is probably the best bet for a primary or indeed secondary backup repository. With regards to a second copy, ReFS is great for fast transforms however you may be happy trading performance for retention, in which case backup copies can target an NTFS volume.

In conclusion, although ReFS has some major advantages over NTFS filesystem, like Automatic integrity checking, data scrubbing techniques, better protection against data degradation, built-in drive recovery, and redundancy, etc., by comparison to NTFS, it still has flaws: cannot be used with Clustered Shared Volumes, no conversion capability between NTFS and ReFS, no file-based deduplication, and no disk quotas. Regarding that flaws, and Microsoft announcement to move it just to windows workstation distribution, It doesn’t look like ReFS, in a state that is now, can threaten NTFS’ position as the main system.

 

 

Prevent Unauthorized Access to Sensitive Windows Folders!

Get your free edition of the easiest and fastest NTFS Permission Reporter now!

7 Best Practices in Managing NTFS Permission

Whether you’re in the planning phase or have already implemented NTFS permission, following best practices ensures smooth administration, and it also aids in resolving access issues. Here we listed seven practices we find effective in managing NTFS permissions.

 

7 Best Practices in Managing NTFS Permission

#1 Full Control on the Share and specific NTFS permissions at folders

In this post, we’ve established that this is the best way of combining Share Permission and NTFS Permission. This is Microsoft’s way, and there’s no one more qualified to give “best practice” advice on how to do something with Microsoft but Microsoft themselves. If you’re quite unsure about this topic, pay this post a visit and get ready to be enlightened!

#2 Share folders with Groups not with Users

The logic is quite simple why this is recommended. It’s simply because it makes administration easier. Imagine if you’re sharing the “Sales” folder to 10 sales people. Sounds Easy? Okay, how about 100 sales people? Of course, the task is doable, but it would be a lot simpler if you just put them all in one group (i.e., Sales Group) then share the folder with that group. The same logic can be applied when applying for permissions.

#3 Organize your Resources

As the saying goes, don’t put all your eggs in one basket. Keep application files and data files on their own individual folders, and consolidate folders with the same security requirements to ease administration.

For instance, if users require “Read” permission for several application folders, store those folders within a single folder. This will allow you to share that larger folder instead of sharing each application folder.

It’s also easier to manage permissions to application or data folders when they are stored separately rather than mixed with other file types and lastly, doing backups will be less complex too since you can choose which folders to backup without worrying if other file types will be included.

#4 “Read & Execute” for Data or Application folders

When you assign permissions for working with data or application folders, assign the “Read & Execute” permission to the Users group and Administrators group. “Read & Execute” permits only viewing, accessing, and executing of the file so this will prevent application files from being accidentally deleted or damaged by users or viruses.

#5 Minimum permission only

Assign minimum permission that still allows users to perform required tasks. If users only need to read information in a folder and should never delete or create files, assign only the “Read” permission. Doing so prevents unauthorized access to critical data thus making your environment more secure.

In a complex environment, however, over-privileging can happen especially when users belong to multiple groups, causing users to have access they shouldn’t have. By using tools such as FolderSecurityViewer or Effective Permission tool, you can examine and see the permissions each user has and act upon them.

#6 Intuitive naming convention

Use intuitive share names so that users can easily recognize and locate resources. For example, for the Application folder, use “Apps” as the share name. Basic as it may be but this will save you from unnecessary calls or emails from employees asking which one is the right folder. Also, use share names that can be used across all client operating systems

#7 Document everything

And I mean everything, even the slightest changes. It’s always good to have something to go back to when you forget who has access to which. This not only serves as your guide but something you can share with other admin in your group to make sure everyone is on the same page. Also, changes in the organization are inevitable so whatever method you used to document, make sure it can easily be modified and expanded.

Useful Resources

Want to learn about NTFS Permissions, Share Permissions, and how to use them, get your free course HERE!

 

 

Prevent Unauthorized Access to Sensitive Windows Folders!

Get your free edition of the easiest and fastest NTFS Permission Reporter now!

Planning before implementing NTFS Permissions

If you’re a Windows Administrator, you’ve probably experienced the nightmares in managing folder permissions. This is common in large or even small environment where no proper planning is made before giving the permissions. Such negligence could lead to complication and exposes the environment to security risk. Below are some examples:

  • Users or groups having access to folders not intended for them (e.g., Sales Group can view Management’s folders)
  • Applications fail to run because of lack of permission (e.g., Backup Software unable to perform tasks on specific folders)
  • Or just too convoluted folder permission that Admins are better off doing them from scratch.

Why Planning is a Crucial Step Before Implementing NTFS Permissions

 

All above examples are all due to incorrect planning (or the lack of it) before the implementation of NTFS permissions. One may point out that it can also be due incompetency of the person doing the task. I agree that could also happen, but if there is proper planning, documentation, and layout, these problems can be avoided even if you let your junior admin do the task.

As part of the Planning phase, here are some of the things an Admin can do:

Design a Folder Structure

Before creating the actual folders, you must know what folders are to be created. Whether you prefer digital or physical board, list the shares that will be created for each department or group. Work with the knowledge you already have of your current environment. There will be changes along the way (e.g. new department or new projects) but this would be a good start.

Identify who has access

After listing the shares to be created, map out the users or groups that have access to specific folders. You may List down the users or groups and draw a line to connect them to the appropriate shares. How ever you want this done, make sure to have fun doing it!

Plan the Permissions

This one is critical so take your time going through the shares and groups and write down the appropriate permission. If you use naming conventions such as R for Read-only or F for Full Control, make sure to be consistent to avoid confusion along the way.

Proper Documentation

A good planning always has good documentation. It’s always good to have something to go back to when you forget. This not only serves as your guide but something you can pass down to your junior staff or even to your boss. With that said, documentation must be clear and concise. Also, changes in the organization are inevitable so whatever method you used to document, make sure it can easily be modified and expanded.

Being an Admin can be stressful, but if you have proper planning, implementation, and clear documentation, it smoothens administration and helps you focus on other areas.

A more detailed guide on Planning and Managing NTFS Permissions can be found here. Download your free course now!