Re: NTFS and shared permissions

From: Roger Abell (
Date: 04/07/05

Date: Wed, 6 Apr 2005 22:45:15 -0700

A few? Matthew, that is quite a list of topics.
You could likely find some interesting discussions for
some of these in the Resource Kits, perhaps the XP RK
but more likely in one of the older server RKs.

I attempt some comments inlined below . . .

Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
<> wrote in message
> I have a few questions about NTFS permissions and share that I hope
> someone can help me with. I know that NTFS permissions are applied to
> both remote and local users and that shared permissions are only
> applied to remote users.
> When and why would you apply NTFS permissions
> to a share or file??
Since share permissions effect an upper limit on what can be
done, one will often see a share grant to an encompassing group,
like Users, that is sufficient to allow any of the desired grants
at the NTFS level that might be made to numerous specific
custom groups (OfficeDocReaders, OfficeDocWriters, etc.)
NTFS permissions are of course needed for control of accounts
that log into the machine itself at the console, or with remote
Sometimes you will see share level permissions specifically
used to limit network logins so that they cannot do as much as
they could if logged in locally (that is, to reduce their ability
down from a more broad NTFS grant).
> With the shared vs NTFS permissions the most
> restrictive permission will take effect but which should you lock down
> the shared or the NTFS permissions??
IMO both.  You have two handles and choosing to use only
one is to give up half of your leverage.  The local vs remote
aspect can be used in ways as indicated earlier to be able to
do things one could not with just one or the other.
> Can you give an example?
Users: Change at share level, but no grants to Users at NTFS
level, only grants to different custom groups (some read only,
some can modify, etc.).
> With NTFS permissions on a file what is the difference with the
> "read" and "read & execute" permissions?
Read does not grant Execute;
notepad.exe cannot be executed if the account has only Read.
> And what is the
> difference between "modify" and "write" permissions?
Write does not include Delete.
In the NTFS permissions dialog, click on Advanced to see
the individual ACEs (access control entries) that make up
the ACL (access control list).  Then, highlight one of the
ACEs and click Edit to see the precise differences between
the generic grants.
> And the
> "list folder content" and "transverse folders"?
Listing a folder is being able to see the entries within
that folder;
traversing the folder is being able to execute the directory
in order to navigate through it.
> With the share permission I was also reading that there is no
> difference between the "modify" and "full control" is this
> true??
The highest NTFS permission that a share-level grant of Change
will allow is Modify. Modify does not include the ability to
change permission settings or to take ownership, for example.
> What does the auditing tab do on the advanced tab and what is effective
> permissions and how are they different from the permissions that are
> assigned? I didn't see a difference and was confused by it???
NTFS (and other uses of permission ACLs) has a couple of forms
of access control lists in use, the DACL and the SACL
(discretionary and security ACLs).
The DACL controls what is allowed to happen.
The SACL controls what events will be recorded in the
security event log when they happen.
The Auditing tab is where the SACL is seen/defined.
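The following PowerShell script is an added illustration of the points made in this thread; it is not part of the original post. It reads both permission layers of a share (the share ACL via Get-SmbShareAccess, and the NTFS DACL plus SACL via Get-Acl -Audit), then shows how the share-level grant (Full, Change or Read) caps what the NTFS Allow entries for one principal can pass through to a network client. It assumes Windows 8 / Server 2012 or later for the SmbShare module and an elevated session, since reading the SACL requires the SeSecurityPrivilege. The share name `OfficeDocs` and the group `CONTOSO\OfficeDocWriters` are placeholders.

```powershell
# Added example, not from the original mailing-list post.
# Reviews the share layer and the NTFS layer of one share and estimates the
# rights one principal gets over SMB (NTFS allow rights, capped by the share grant).
param(
    [string]$ShareName = 'OfficeDocs',               # placeholder share name
    [string]$Identity  = 'CONTOSO\OfficeDocWriters'  # placeholder group name
)

# Share-level grant -> highest NTFS right it can pass through to a remote client.
$shareCap = @{
    'Full'   = [System.Security.AccessControl.FileSystemRights]::FullControl
    'Change' = [System.Security.AccessControl.FileSystemRights]::Modify
    'Read'   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
}

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop
$path  = $share.Path
Write-Host "Share '$ShareName' -> $path"

Write-Host "`n[Share permissions]"
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize | Out-Host

# -Audit returns the SACL (what the Auditing tab shows) in addition to the DACL.
$acl = Get-Acl -Path $path -Audit

Write-Host "`n[NTFS DACL - access entries]"
$acl.Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize | Out-Host

Write-Host "`n[NTFS SACL - audit entries]"
$acl.Audit |
    Format-Table IdentityReference, AuditFlags, FileSystemRights, IsInherited -AutoSize | Out-Host

# Rough remote-rights estimate for the named principal:
# (union of NTFS Allow rights for that exact identity) AND (union of its share caps).
# Deliberately simple: matches on identity string only, does not expand group
# membership and ignores Deny entries, so it is a review aid rather than a
# replacement for the Effective Permissions tab.
$shareAllow = Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -eq $Identity -and $_.AccessControlType -eq 'Allow' }
$ntfsAllow = $acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow' }

if ($shareAllow -and $ntfsAllow) {
    $ntfsRights = [System.Security.AccessControl.FileSystemRights]0
    foreach ($ace in $ntfsAllow) { $ntfsRights = $ntfsRights -bor $ace.FileSystemRights }

    $cap = [System.Security.AccessControl.FileSystemRights]0
    foreach ($sa in $shareAllow) { $cap = $cap -bor $shareCap[[string]$sa.AccessRight] }

    # Most restrictive layer wins: bits must be allowed at both levels.
    $remote = [System.Security.AccessControl.FileSystemRights]($ntfsRights -band $cap)

    Write-Host "`n$Identity NTFS allow rights : $ntfsRights"
    Write-Host "$Identity share cap          : $cap"
    Write-Host "$Identity estimated over SMB : $remote"
} else {
    Write-Host "`nNo direct Allow entry for $Identity at both layers; remote access then depends on group membership."
}
```

Run it elevated as `.\Review-ShareLayers.ps1 -ShareName OfficeDocs -Identity 'CONTOSO\OfficeDocWriters'`. The pattern from the thread shows up directly in the output: a Change grant to Users at the share layer, with the finer read-only and modify distinctions carried by custom groups in the NTFS DACL, and the audit entries of the SACL listed separately from the access entries.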