Windows: How to Create Folders Without Permissions

Sometimes you may need to work without worrying about encountering access restrictions. You can overcome this scenario by using some automation tools or adopting other means of achieving your objective.

You’ll find some useful information about Microsoft’s security vulnerability patch, coded CVE-2018-1036 | NTFS, which addresses the Elevation of Privilege Vulnerability.

You can assign “special permissions” to folders that allow users to create files inside the folders and deny them the rights to create folders.

For example, in the C:\Windows\Tasks\ folder, you can create files but fail to create a folder due to Access Control List (ACL) restrictions.

However, as an administrator, you can bypass this by setting permissions. You can also use specific programs that give such permissions and allow the creation of folders inside such folders.

You can bypass the ACL at the moment you create the file by appending “::$INDEX_ALLOCATION” to the filename.

This action will create a folder, and not a file, because Windows does not check names for this corner case.

It is evident that you can create a directory and let users create more files or folders within the same directory.

This action is possible because of privilege escalation, especially when the system administrator assumes there is no other way of bypassing the missing permissions.

The ::$INDEX_ALLOCATION suffix can also be used to delete directories, if the particular application allows file deletion.
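A defensive check for the corner case described above, as an added example that is not part of the original article: an application that creates or deletes files from user-supplied names can reject any name carrying NTFS stream syntax before it reaches the file system. The function names and the sample requests are constructed for illustration; the `$I30` form is the equivalent long spelling of the same directory stream.

```python
import re

DIR_STREAM_TYPE = "$INDEX_ALLOCATION"   # the suffix named in the article

def classify_leaf_name(name):
    """Classify one path component by NTFS stream syntax
    (base[:stream_name[:$TYPE]]): 'plain', 'directory-stream',
    'other-stream' or 'invalid'."""
    parts = name.split(":")
    if len(parts) == 1:
        return "plain"
    if len(parts) == 3 and parts[2].upper() == DIR_STREAM_TYPE:
        return "directory-stream"        # resolves to a directory, not a file
    if len(parts) in (2, 3):
        return "other-stream"            # e.g. an alternate data stream
    return "invalid"

def flag_paths(paths):
    """Return (path, kind) for every path whose last component is not a
    plain name. Only the leaf is checked, so the drive's 'C:' is ignored."""
    flagged = []
    for path in paths:
        leaf = re.split(r"[\\/]", path)[-1]
        kind = classify_leaf_name(leaf)
        if kind != "plain":
            flagged.append((path, kind))
    return flagged

# Constructed sample: names an application was asked to create or delete.
SAMPLE_REQUESTS = [
    r"C:\Windows\Tasks\report.txt",
    r"C:\Windows\Tasks\newdir::$INDEX_ALLOCATION",
    r"C:\Windows\Tasks\newdir:$I30:$index_allocation",
    r"C:\Windows\Tasks\notes.txt:hidden",
]

if __name__ == "__main__":
    for path, kind in flag_paths(SAMPLE_REQUESTS):
        print(f"REJECT {kind:17} {path}")
```

The same classifier can be run over file names recorded in audit or application logs to spot create and delete requests that used the suffix.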

Microsoft released a security vulnerability patch, coded CVE-2018-1036 | NTFS, which addresses the Elevation of Privilege Vulnerability.

This security patch is meant to counter an attacker who exploits a system’s weakness and attempts to run a process through it as an administrator.

Exploiting the system means the attacker would have to log into the system and run a specific crafted program that will take over the system.

The update addresses the vulnerability by correcting how the NTFS file system reviews its access credentials.



7 Best Practices in Managing NTFS Permissions

Whether you’re in the planning phase or have already implemented NTFS permissions, following some best practices ensures smooth administration and aids in resolving access issues quickly.

Here are seven practices we find effective in managing NTFS permissions.

#1 Grant Full Control on the Share and Specific NTFS Permissions on Folders

It’s a good practice to give “everyone” full control privileges on the Share Permission and then define specific permissions on the NTFS level—just as Microsoft has recommended it.

We’ve established that this is the best way of combining Share Permissions and NTFS Permissions.


#2 Share folders with Groups not Users

This makes administration easier. Imagine sharing the “Sales” folder with 10 sales people.

Sounds easy?

Okay, how about sharing it with 100 sales people?

Of course, the task is doable, but it would be a lot simpler if you just put them all in one group (such as Sales Group), then share the folder with that group.

The same logic can be used when applying NTFS permissions.

#3 Organize your Resources

To ease administration, it’s important to keep application files and data files in their own individual folders. Furthermore, consolidating folders with the same security requirements will assist in managing their access rights.

For instance, if users require “Read” permissions for several application folders, store those folders within a single folder. This will allow you to grant the permission to that larger folder, instead of doing that for each application folder.

It’s also easier to manage the permissions of application or data folders when they are stored on their own, rather than when mixed with other file and data types.

Additionally, backups will also be less complex since you can choose which folders to backup without worrying if other file types will be included.

#4 Use “Read & Execute” for Application folders

When you assign permissions for working with application folders, assign the “Read & Execute” permission to the Users group and Administrators group.

“Read & Execute” permits only viewing, accessing, and executing the file. This way, it’ll prevent application files from being accidentally deleted or damaged by users or viruses.

#5 Assign minimum permissions only

Assign minimum permissions that allow users to perform the required tasks.

For example, if a user needs to read information in a folder, and should never delete or create files, assign only the “Read” permission.

Doing so prevents unauthorized access to critical data, making your environment more secure.

In a complex environment, however, over-privileging can happen especially when users belong to multiple groups, causing users to have access they shouldn’t have.

By using tools such as FolderSecurityViewer or Effective Permission tool, you can examine and see the permissions each user has and act upon them accordingly.

#6 Use intuitive naming convention

Using intuitive share names allows users to easily recognize and locate resources. For example, for the Application folder, use “Apps” as the share name.

Although this is a basic practice, which is often ignored, following an intuitive naming convention can save you from unnecessary calls or emails from employees asking which one is the right folder.

Also, use share names that can be used across all client operating systems.

#7 Document everything

And we mean everything, even the slightest changes. It’s always good to have something to go back to when you forget who has access to what.

This not only serves as your guide but also as something you can share with other admins in your group to ensure everyone is on the same page.

Also, since changes in the organization are inevitable, whatever method you use for documentation, ensure it can easily be modified and expanded.


NTFS Allow and Deny Permissions

NTFS (New Technology File System) permissions provide an essential way of maintaining a good level of control over your critical IT infrastructure.

These permissions are normally granted to groups as a way of determining the users able to access the files and folders.

Understanding NTFS Allow and Deny Permissions

When assigning permissions, you will need to specify whether a group or an individual user has access (Allow) or does not have access (not Allow) to the system.

Even though it’s recommended to use the Deny permission sparingly because it can increase the complexity of administration, there are some situations where its use is necessary and more beneficial.

For example, you can apply explicit Deny permissions to a specific user only when it is essential to overrule the permissions that are otherwise granted for the group to which the user has been added.

In this article, we are going to talk about how to comfortably combine NTFS Allow and Deny permissions.

Permissions Precedence

When different permissions settings have been applied on an object, the system usually tries to resolve the various permissions to establish which ones should take precedence.

Here are some guidelines for solving permissions precedence issues:

1. The “Deny” permissions usually override “Allow” permissions (in most cases).

For example, let’s say that you have a user called Agnes, and in this case explicit permissions have been applied. The first permission is a Deny permission that denies Agnes from accessing the object. And, the second permission allows Everyone to enjoy access.

When permissions are applied to files or folders, the Deny permission will always take precedence. As such, if the system checks the permission list from top to bottom, it first notices that Agnes has been denied, and will not grant her access.

2. Explicit permissions usually override inherited permissions.

Explicit or direct permissions refer to those permissions that are applied automatically after the object is made, while inherited or indirect permissions refer to those permissions that are extended to an object because it is a child of a parent object.

When explicit permissions and inherited permissions are combined together, the former usually takes precedence.

Let’s say that this time Agnes has been allowed access. Next, inherited permissions have been set to Deny Everyone access. In this case, will Agnes still have access?

Of course, yes.

Even though there is a Deny permission, Agnes will still be given access. Why does it happen this way?

Deny permissions are usually sorted towards the top of the NTFS permissions list. However, explicit permissions are predominant.

In this example, since Agnes has been granted explicit permissions that allow access and inherited permissions that deny access, she will still enjoy access. This is because explicit permissions usually take precedence over the rest.

Also, it’s important to note that if the explicit permissions allow access, then the inherited permissions will never be checked.

As such, if the inherited permissions have Deny permissions applied, and explicit permissions have Allow permissions applied, then the inherited permissions will never be checked, making the Deny permissions irrelevant.

Here is an example that demonstrates how an explicit allow permission will take precedence over an inherited deny permission.

  • In Windows Explorer, right-click on the folder named “Agnes” and select the “Properties” option. (Note that the folder has a subfolder named “Templates”).

  • On the properties window, select the “Security” tab.

  • To change permissions, click on the “Edit” button and then press the “Add” button.

  • On the window that pops up, add “Everyone” to the list of permissions.

Once Everyone has been added to the list of permissions, everyone will be granted other permissions, including “Read & execute” permissions—this takes place by default.

  • Consequently, to prevent all users from writing to the folder, uncheck the default Allow permissions and click the Deny permissions for “Write”.

If you press the “Apply” button, a warning dialog box will appear stating that Deny permissions will take precedence over other permissions.

Click “Yes” to continue.

  • After the permissions have been set, if you try to create a new file or folder in the folder or its subfolder, you will see an error message, indicating that access has been denied.

  • The next step is to right click on the “Templates” subfolder and select the “Properties” option.

  • On the subfolder’s properties, select the “Security” tab.

In the permissions list, notice that “Everyone” is present and the Deny permission for “Write” is inherited.

  • For example, if you want to add explicit “Write” permissions to HomeUsers, click the “Edit” button.

Then, on the window that pops up, click the Allow “Write” permissions, and apply the settings.

Therefore, the subfolder will have Everyone Deny Write permissions that are due to inheritance and the HomeUsers will have Allow Write permissions that are explicit.

  • With these permissions set, you will now be able to create files and folders in the subfolder but not in the parent folder.

3. Access permissions that are inherited from neighboring relatives override those inherited from faraway predecessors.

For example, if access permissions have been propagated from the object’s parent folder, then they will be prioritised above those rights propagated from the object’s grandparent folder, and so on.

4. Permissions privileges from multiple same-level user groups are cumulative.

If user groups are created at the same level, meaning they have the same explicit or inherited permissions or Deny or Allow permissions, then the permissions can be aggregated.

Let’s say that Agnes belongs to two security groups. One of the groups has given her the Allow permission of “Read” while the second one has given her the Allow permission of “Write”.

Consequently, she will enjoy read as well as write privileges, if the other guidelines above are also taken into consideration.

However, if the user groups are not at the same level, the permissions can cause unnecessary problems, especially if Deny permissions are used.

For example, suppose Agnes belongs to two security groups: group A and group B. If there is a file share, and members of group A are denied access (Deny permissions applied) while members of group B are allowed access (Allow permissions applied), it can lead to problems.

Since Agnes belongs to both groups, she will now be denied access to the file share, which may not be the required result.

So, how do you deny access to group A members while still allowing access to users belonging to both groups?

The simple solution is to remove group A from the access control list. It ensures they do not access the file share because they lack the required privileges. This way, it will allow only group B members to be granted access.

As a result, users belonging only to group A will be denied access to the file share. And, users belonging to both groups, like Agnes, will be granted access.

Because of such reasons and complexities, most administrators will only apply Deny permissions if there are no other means of achieving the intended objectives.


As you can see, most of the results accomplished using Deny permissions can be conveniently achieved using Allow permissions. Therefore, most administrators try avoiding using Deny permissions—although sometimes it is unavoidable.

In summary, if you have to use Deny permissions, ensure you keep to the following hierarchy of permissions precedence.

(Note that the list starts from the permissions with the highest precedence to permissions with the lowest precedence).

  • Explicit Deny
  • Explicit Allow
  • Inherited Deny
  • Inherited Allow
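The precedence hierarchy above, worked through as a small model (an added example, not part of the original article and not Windows' own code). It sorts access control entries into the order the list gives, nearer ancestors before farther ones, and walks them until one is decisive; the `Ace` class, the two-bit masks and the account names other than Agnes, Everyone and HomeUsers are assumptions made for illustration.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2   # simplified rights bits (constructed, not real NTFS masks)

@dataclass(frozen=True)
class Ace:
    trustee: str      # user or group the entry applies to
    allow: bool       # True = Allow entry, False = Deny entry
    mask: int         # rights the entry covers
    depth: int = 0    # 0 = explicit, 1 = inherited from parent, 2 = grandparent

def canonical(dacl):
    """Order entries as in the hierarchy: nearer level first, and
    Deny before Allow within the same level."""
    return sorted(dacl, key=lambda a: (a.depth, a.allow))

def access_check(token, dacl, wanted):
    """token: the user's own name plus every group the user belongs to."""
    remaining = wanted
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue
        if not ace.allow and ace.mask & remaining:
            return False              # a Deny matched a right still needed
        if ace.allow:
            remaining &= ~ace.mask    # Allow entries accumulate across groups
        if remaining == 0:
            return True               # later entries are never consulted
    return False                      # nothing granted the right: no access

if __name__ == "__main__":
    agnes = {"Agnes", "Everyone"}
    # Guideline 1: explicit Deny for Agnes beats explicit Allow for Everyone.
    print(access_check(agnes, [Ace("Agnes", False, READ),
                               Ace("Everyone", True, READ)], READ))
    # Guideline 2: explicit Allow is reached before the inherited Deny.
    print(access_check(agnes, [Ace("Agnes", True, READ),
                               Ace("Everyone", False, READ, depth=1)], READ))
    # "Templates" subfolder: inherited Deny Write, explicit Allow Write.
    home_user = {"Bob", "HomeUsers", "Everyone"}
    print(access_check(home_user, [Ace("Everyone", False, WRITE, depth=1),
                                   Ace("HomeUsers", True, WRITE)], WRITE))
```

Run directly, it prints False, True, True for the three scenarios.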
