Windows provides two sets of permissions to restrict access to files and folders: NTFS permissions and share permissions.
- NTFS permissions are applied to every file and folder stored on a volume formatted with the NTFS file system. By default, permissions are inherited from a root folder to the files and subfolders beneath it, though this inheritance can be disabled. NTFS permissions take effect regardless of whether a file or folder is accessed locally or remotely. NTFS permissions, at the basic level, offer access levels of Read, Read and Execute, Write, Modify, List Folder Contents, and Full Control, as shown below:
There is also an advanced set of NTFS permissions, which divides the basic access levels into more granular settings. These advanced permissions vary depending on the type of object to which they are applied. The advanced permissions on a folder are shown below:
- Share permissions are only applied to shared folders. They take effect when a shared folder is accessed across a network from a remote system. The share permissions on a particular shared folder apply to that folder and its contents. Share permissions are less granular than NTFS permissions, offering access levels of Read, Change, and Full Control:
The most important thing to remember about NTFS permissions and share permissions is the manner in which they combine to regulate access.
The rules for determining a user's level of access to a particular file are as follows:
- If the file is accessed locally, only the NTFS permissions are used.
- If the file is accessed through a share, NTFS and share permissions are both used, and the most restrictive permission applies. For example, if the share permissions on the shared folder grant the user Read access and the NTFS permissions grant the user Modify access, the user's effective permission level is Read when accessing the share remotely and Modify when accessing the folder locally.
- A user's individual permissions combine additively with the permissions of the groups that the user is a member of. If a user has Read access to a file, but the user is a member of a group that has Modify access to the same file, the user's effective permission level is Modify.
- Permissions assigned directly to a particular file or folder (explicit permissions) take precedence over permissions inherited from a parent folder (inherited permissions).
- Explicit Deny permissions take precedence over explicit Allow permissions, but because of the previous rule, explicit Allow permissions take precedence over inherited Deny permissions.
Both sets of permissions can be assigned in the properties window of a file or folder. NTFS permissions are assigned in the Security tab of the properties window. Share permissions are assigned in the Sharing tab by clicking Advanced Sharing, then clicking Permissions.