NTFS permissions allow you to control which users and groups can gain access to files and folders on an NTFS volume. The advantage with NTFS permissions is that they affect both local users and network users.
Usually, when assigning NTFS permissions, you would assign the following standard permissions:
- Full Control: Permission to read, write, modify, and execute the files in a folder; change attributes and permissions; and take ownership of the folder or files within
- Modify: Permission to read, write, modify, and execute the files in the folder, as well as to change the attributes of the folder or files within
- Read and Execute: Permission to display a folder’s contents; to display the #data, attributes, owner, and permissions for files within the folder; and to run files within the folder
- List Folder Contents: Permission to display a folder’s contents; and display the data, attributes, owner, and permissions for files within the folder
- Read: Permission to display a file’s data, attributes, owner, and permissions
- Write: Permission to write to a file, append to the file, and read or change the file’s attributes
To manage NTFS permissions, you can right-click a drive, folder, or file and select Properties, then select the Security tab. As shown in Figure 1, you should see the group and users who have been given NTFS permissions and their respective standard NTFS permissions. To change the permissions, you would click the Edit button.
Groups or users who are granted Full Control permission on a folder can delete any files in that folder regardless of the permissions protecting the file. In addition, List Folder Contents is inherited by folders but not files, and it should only appear when you view folder permissions. In Windows Server 2008, the Everyone group does not include the Anonymous Logon group by default, so permissions applied to the Everyone group do not affect the Anonymous Logon group.
To simplify administration, it is recommended that you grant permissions using groups. By assigning NTFS permissions to a group, you are granting permissions to one or more people, reducing the number of entries in each access list and reducing the amount of effort to configure situations in which multiple people need access to certain files or folders.