Authorisation with the power of NTFS

Until now we have looked at how to create and manage users and groups in the Windows environment and how to secure them with strong passwords. Let us now move to the next stage and see how we can limit or expand the authorisation of each of these users or groups via NTFS. NTFS stands for NT File System, where NT stands for New Technology.

NTFS disc partitioning

This whole process starts with the hard disk's NTFS partition. Most recent Windows installations should have NTFS partitions because of their high performance and security mechanisms. Note that every file and folder in your system, especially on an NTFS partition, comes with a list that has two layers of data. The first layer lists all the users and groups that have access to that file or folder. The second layer is the level of authorisation each of these users and groups has. This is where, via the NTFS permissions, you set the level of access and what each of these users can or cannot do.

NTFS permissions

NTFS permissions are one of the most powerful security mechanisms of the Windows environment. For instance, you can authorise a person to read and edit a document while restricting them from deleting the file. These are generally called read and write permissions. You can set much more specific permissions for each user or group based on your needs. This is highly configurable.

The topic of NTFS goes much deeper and has a complex structure that we do not need to go into. Instead, let’s cover the core concepts of NTFS, which are enough to lay an intermediate security foundation for your system.

The functions of NTFS security

NTFS has some basic permissions you can work with, such as the ones listed below with their descriptions.

Ownership

This is a very powerful mechanism. When you create a file or folder, you become its owner by default. You can do whatever you like with it, including restricting others, even the administrator, from accessing it.

Take ownership permission

This permission lets another account take over your document, after which they can do whatever they want with it. One thing to note is that all the users under administrator accounts have the power to take ownership away from you, but they can only access the file.

Change permission

With the Change permission right you can give or take away any permission for other accounts in the system.

Folder permission

Folder permission lets you decide how much a user can do with the folder. For instance, you can deny users permission to the contents of the folder.

File permission

With this you can set what the user can do with a given file. For instance, you can deny the user ‘Read and Execute’ on the file. They won’t be able to run that program ever.

The easiest and quickest way to get to the Security tab is to right-click on any file or folder and select Properties. From there, select the Security tab. You will see two boxes. The top one lists all the users and groups that have access to that file or folder, and the bottom one shows the permissions each of them has and the configuration you can make there.

You can make changes by clicking the Edit button. Here you can add or remove anyone and set the permissions of each of them. Whatever you do, take extra care never to delete or remove the administrator account, especially from the users and groups panel. You can remove it from the list of a file or folder, but not from the system.

Permissions in details

Let’s look at each of these permissions in detail.

Full control gives a user or group full control over that file or folder, so they can do anything they want with it. Modify lets you read, write and delete the file or folder. Read and Execute is the mode that allows you to open and execute or run a program in the system.

List folder contents lets you see the files and subfolders. Read is used for letting a person just open the file. Finally, Write is the mode that lets you only open and write in the file.

These types of permission are the same for a file, except that a file does not have List folder contents.
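The two-layer list and the "read and edit but not delete" case described above can also be set and inspected from PowerShell. This is an added example, not part of the original article; the demo folder, the file name and the choice of the built-in Users group (well-known SID S-1-5-32-545) are assumptions.

```powershell
# Added example: the folder, the file and the Users group are demo assumptions.
$dir  = Join-Path $env:TEMP 'ntfs-acl-demo'
$file = Join-Path $dir 'report.txt'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path $file -Value 'constructed sample content'

# Layer 1: the identities that will appear in the list.
$users = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-545')
$me    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

$acl = Get-Acl -Path $file
# Stop inheriting from the parent folder and drop the inherited entries,
# so only the two explicit entries added below remain on the file.
$acl.SetAccessRuleProtection($true, $false)

# Layer 2: the rights each identity is allowed.
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $me, 'FullControl', 'Allow'))
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $users, 'Read, Write', 'Allow'))   # read and edit, Delete not granted
Set-Acl -Path $file -AclObject $acl

# Read the list back: the owner first, then one row per entry.
$result = Get-Acl -Path $file
"Owner: $($result.Owner)"
$result.Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# Compare the grant above with Modify, which does carry the Delete right.
$delete = [System.Security.AccessControl.FileSystemRights]::Delete
foreach ($name in 'Read, Write', 'Modify') {
    $rights = [System.Security.AccessControl.FileSystemRights]$name
    '{0,-12} includes Delete: {1}' -f $name, $rights.HasFlag($delete)
}

Remove-Item -Path $dir -Recurse -Force   # clean up the demo folder
```

Withholding Delete on the file is only half of the restriction: the "Delete subfolders and files" permission on the parent folder, which Full control includes, allows deleting a file even when Delete has not been granted on the file itself.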

General tips

There are two major takeaways. First, remember that whoever among the listed users or groups creates a file or folder has complete ownership of it, even if you have blocked some of the permissions for them. Second, always keep in mind that the administrator has the highest authority over all files and folders. Even if you have blocked the administrator from accessing your files and folders, they can easily get access to them by taking ownership.