What is the correct statement about share permissions and NTFS permissions?

This section will be of interest to an administrator who is familiar with security settings on a FAT32 volume where permissions for a shared folder are the only permissions protecting files and subfolders in the shared folder.

When using share permissions and NTFS permissions together, if there is a conflict in the configuration, the most restrictive permission prevails. For example, if a user has NTFS full access to a specific file in a folder that is not shared, the user cannot access the file from the network. In this case, the user can sit down at the computer that contains the file, log in and access the file, because sharing permissions do not affect local access.

One strategy for providing access to resources on an NTFS volume is to share folders with the default shared folder permissions and then control access to shared folders by assigning NTFS permissions. When you share a folder on an NTFS volume, both shared folder permissions and NTFS permissions combine to secure file resources.

Shared folder permissions provide limited security for resources. You gain the greatest flexibility by using NTFS permissions to control access to shared folders. Also, NTFS permissions apply whether the resource is accessed locally or over the network.

When you use shared folder permissions on an NTFS volume, the following rules apply:

• You can apply NTFS permissions to files and subfolders in the shared folder. You can apply different NTFS permissions to each file and subfolder that a shared folder contains.

• In addition to shared folder permissions, users must have NTFS permissions for the files and subfolders that shared folders contain to gain access to those files and subfolders.

• When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.

Planning

The first step is planning how folders will be shared. To do this, make a list of what data will be stored and what user groups will require access. For example, types of data may be employee data, customer account status data, customer service data, management guideline data, and so on. Groups of users may be managers, administrators, sales reps, customer service reps, and so on.

Create a table with three columns:

• Column 1 displays each data folder by name and location
• Column 2 displays the shared folder name
• Column 3 displays the name of the user group with assigned folder permissions
• File and Printer Sharing for Microsoft Networks

To share any folders or other network objects, you must have "File and Printer Sharing for Microsoft Networks" as a networking component in your local area connection.

To add this component:

1. In the Windows System Tray, right-click the Local Area Connection icon and choose Status from the context menu. The Local Area Connection Status dialog box appears.

2. Click Properties. The Local Area Connection Properties dialog box appears.

   

3. To add the File and Printer Sharing for Microsoft Networks check box, click Install… and choose it from the Services category.

   Home tenfold Blog Active Directory

   NTFS Permissions and Share Permissions – What’s the Difference?

   Nele Nikolaisen · 18.04.2019

   Organizations rely on share permissions and NTFS permissions to manage access to local resources. Both permission types serve the purpose of protecting sensitive data and preventing unauthorized access. But what is the proper way to combine them and how do NTFS vs. share permissions interact? In this guide, we’ll take a closer look at the differences between share permissions and NTFS permissions and illustrate some best practice examples for using both methods in Microsoft Windows environments.

   What Are NTFS Permissions?

   NTFS (New Technology File System) is the standardized file system for Microsoft Windows NT and newer versions of Microsoft’s operating system. NTFS permissions govern access to folders and files on Windows drives.

   What’s special about NTFS permissions is that they apply both when access is made locally using a computer and for access via network. That’s the main difference between NTFS permissions and share permissions: The latter only apply when access is made via the network. They have no effect on direct access on a machine, i.e. locally.

   Setting NTFS Permissions

   Setting NTFS permissions is not overly complicated, though there are a couple of things you should be aware of. Our article Setting NTFS Permissions covers the 5 most common mistakes and outlines the best practices for dealing with NTFS permissions.

   To set an NTFS permission, right-click on a folder or file and select “Properties”, then navigate to the “Security” tab to edit permission levels for different groups. For maintenance and security reasons, you should not apply permissions to individual users. This is the window you will be looking at:

   
   How to set NTFS permissions

   While share permissions only allow the three options (Full access, Modify and Read), NTFS permissions allow you to set access at a more granular level, both for individuals and groups.

   The level of access you choose to set can be passed on to subordinate files or folders due to the NTFS permissions’. The following NTFS permission levels are the most important ones:

   • Full control: The user has permission to change the contents of files and directories and can furthermore change system settings (e.g. permissions or ownership of the folder).

   • Modify: The user has permission to see, read, execute, write and delete files.

   • Read & Execute: The user has permission to view file contents in the folder including scripts and may execute programs.

   • List folder contents: The user has permission to see directories and files contained in the folder.

   • Read: The user has permission to see which directories and files the folder contains and can also view the contents of these files and folders.

   • Write: The user has permission to add files and subfolders and to write to files.

   What Are Share Permissions?

   Share permissions are used to control access to shared folders (and their subfolders and files) when accessed over a network. This means if access is made locally using a PC, the share permission has no effect. To set share permissions, right-click on the folder, go to “Properties“, click on the “Sharing“ tab, then “Advanced Sharing“ and, finally, click on “Permissions“. You will then see this window:

   
   Share Permissions

   Unlike NTFS permissions, share permission levels are limited to “Read”, “Modify” and “Full access”.

   • Full Control: The user can change folders and files within the share, as well as edit permissions and take control of files.

   • Change: Users are permitted to read, execute, write and delete folders and files in the share.

   • Read: Users are permitted to view folder contents.

   The Issue With Share Permissions

   The last thing you need in your company are complicated, messy and convoluted access structures. But if you decide to use share permissions only, that’s probably what you’re going to be dealing with – one reason being that share permissions allow you to have different levels of permission within the same folder hierarchy, and that can be very confusing and misleading.

   Users might unintentionally end up receiving more rights to a folder than intended because the share permission for a subfolder allows more access than the folder above it. Click here for more information about the disadvantages of using share permissions only.

   Video Overview

   Watch Our Demo Video to See tenfold in Action!

   Start video

   Can You Combine NTFS and Share Permissions?

   The short answer is: Yes, you can mix share permissions and NTFS permissions. But in order to do so, you need to understand which permission takes priority over the other. Else you might end up giving your employees too many or not enough rights.

   When accessing a folder or file via network, share permissions take priority over NTFS permissions. If access is made locally on the file server, only NTFS permissions apply. The most important thing to remember, however, is that share permissions cannot grant a higher level of access than the active NTFS permission. It can only be used to further restrict the NTFS permission.

   Note: If share permissions and NTFS permissions are used together, the more restrictive permission overrules the other.

   Examples of Mixing Share and NTFS Permissions

   Let’s examine how share and NTFS permissions behave when they are used together in the following example: Assume that access to our folder “\\srv\Department\Sales“ is made via network share and not locally (otherwise, share permissions wouldn’t even factor into it).

   Example 1

   If the sharing permission is set to “Read“ and the NTFS permission is set to “Full Control“, the user will only get “Read“ access to the file because the more restrictive share permission prohibits “Full control“ access via network.

   
   Diagram illustrating different levels of permissions and the effective permissions that result.

   Example 2

   If the sharing permission is set to “Full Control“ and the NTFS permission is set to “Read & Execute“, the user will only have “Read & Execute“ access to the file. While the share permission would permit “full“ access, the NTFS permission restricts access to “Read & Execute“.

   
   Diagram illustrating different levels of permissions and the effective permissions that result.

   Best Practices for Combining Share and NTFS Permissions

   As you can tell, with only 3 permission levels, the security options for folder shares are very limited. Using NTFS permissions to manage access provides much more granular control. The main consideration for share permissions should be to make sure that they do not accidentally block access via the network because of conflicts with NTFS permissions.

   We therefore recommend setting share permissions for admins to “Full Control” and to “Change” for regular domain users. Do not set any other share permissions.

   This way, it is guaranteed that the NTFS permissions you set take effect and will not be restricted when access is made via network. Using NTFS to control access on file servers brings the following advantages:

   • Combining NTFS permissions and share permissions is confusing and complex.
   • NTFS permissions offer more fine-grained control.
   • NTFS permissions apply even if access is made locally on the server.

   Automated NTFS and Share Permission Management

   Keep in mind that setting NTFS permissions comes with a few obstacles and considerations of its own. For example, there’s the issue of creating the necessary permission groups in the Active Directory and implementing Microsoft’s recommended structure, also known as the AGDLP principle. Additionally, you may want to enable access-based enumeration in order to hide folders from users who do not have permission to view their contents. This makes it easier for employees to navigate through the file server, while preventing them getting the wrong idea from directories with telling names such as “2023_Restructuring” or “NY_Office_Staff_Changes”.

   For organizations managing large groups of users, the easiest way to ensure safe and appropriate access accross your entire staff and IT landscape is to automate user and permission management through an IAM solution. Automated platforms for identity and access management assign and remove permissions based on the roles and access profiles you define (an approach also known as role-based access control), all while implementing best practices for Active Directory security and group structures.

   And the best part? tenfold saves time and frees up your admins to focus on more important tasks. To learn more about how to best manage permissions in Windows environments, download our free whitepaper below.

   Whitepaper

   Best Practices for Access Management In Microsoft® Environments

   An in-depth manual on how to set up access structures correctly, including technical details. Also includes information on reporting and tips for implementation.

   Download Now

   Watch Our Demo

   Notice: JavaScript is required for this content.

   Request White Paper

   Notice: JavaScript is required for this content.

   About the Author: Nele Nikolaisen

   Nele Nikolaisen is a content manager at tenfold. She is also a book lover, cineaste and passionate collector of curiosities.

   Which of the following best describes what happens when share and NTFS permissions combine?

   When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.

   What are the common permissions for NTFS and shared?

   If the share permissions are “Read”, NTFS permissions are “Full control”, when a user accesses the file on the share, they will be given “Read” permission. If the share permissions are “Full Control”, NTFS permissions are “Read”, when a user accesses the file on the share, they will still be given a “Read” permission.

   What are the differences between share and NTFS permissions quizlet?

   What are the differences between share and NTFS permissions? Shared folder permissions apply only to users connected to the share through the network; NTFS permissions apply to both local and network access.

   What are the permissions for NTFS?

   There are three types of share permissions: Full Control, Change, and Read. Full Control: Enables users to “read,” “change,” as well as edit permissions and take ownership of files. Change: Change means that user can read/execute/write/delete folders/files within share.