Windows Folder Security: A Practical Guide

TL;DR

This guide shows you how to properly secure folders on a Windows computer using NTFS permissions and best practices. It covers setting basic permissions, checking effective access, and avoiding common pitfalls.

1. Understanding NTFS Permissions

Windows uses NTFS (New Technology File System) for folder security. Permissions control who can do what with your folders and files. Key permissions include:

• Full Control: Complete access – read, write, modify, delete, change permissions, take ownership.
• Modify: Read, write, delete, but cannot change permissions or take ownership.
• Read & Execute: View files and run programs within the folder.
• List Folder Contents: See the names of files and folders inside (but not their contents unless they also have ‘Read’ permission).
• Read: View file content.
• Write: Create new files and folders, change existing ones.

Permissions are applied to users and groups.

2. Setting Basic Folder Permissions

1. Right-click the folder you want to secure.
2. Select Properties.
3. Go to the Security tab.
4. Click Edit… to change permissions.
5. Click Add… to add a user or group (e.g., your account, a specific team). Type in the name and click ‘Check Names’ then OK.
6. Select the added user/group from the list.
7. In the ‘Permissions for…’ section, check or uncheck boxes to grant or deny permissions. Start with the least privilege necessary – don’t give Full Control unless absolutely required. For example, if someone only needs to view files, grant them Read & Execute and List Folder Contents.
8. Click Apply then OK on all open windows.

3. Checking Effective Access

It’s crucial to verify that permissions are working as expected.

1. Right-click the folder and select Properties.
2. Go to the Security tab.
3. Click Advanced.
4. Select the user or group you want to test.
5. Click Effective Access.
6. Click View Effective Access…
7. Check the results – this shows exactly what that user/group can do with the folder, taking into account all inherited permissions and group memberships.

4. Dealing with Inheritance

Permissions are often inherited from parent folders. This is usually desirable, but sometimes you need to break inheritance.

1. Right-click the folder and select Properties.
2. Go to the Security tab.
3. Click Advanced.
4. Click Disable Inheritance. You’ll be prompted with options:
• Convert inherited permissions into explicit permissions on this object: This copies the current inherited permissions to the folder, and then breaks inheritance.
• Remove all inherited permissions from this object: This removes all inherited permissions, leaving you with a clean slate. Use with caution!
5. Choose the appropriate option and click Apply.

After disabling inheritance, you can then set specific permissions for the folder.

5. Avoiding Common Mistakes

• Don’t give Full Control to Everyone: This is a major security risk.
• Use Groups instead of Individual Users: Managing groups is much easier than managing individual user permissions.
• Regularly Review Permissions: Make sure permissions are still appropriate as team members change or projects evolve.
• Be Careful with ‘Deny’: Deny permissions override Allow permissions, and can be difficult to troubleshoot. Use sparingly.
• Take Ownership if Necessary: If you need to modify permissions on a folder you don’t own, you may need to take ownership first (Advanced Security Settings).

6. Command Line Example

You can also manage permissions using the command line.

icacls "C:MyFolder" /grant username:(OI)(CI)F

This grants ‘username’ Full Control (F) to the folder and all subfolders/files (OI = Object Inherit, CI = Container Inherit). Replace “C:MyFolder” with your actual folder path.