NTFS permissions in Windows
File system permissions are an essential method of securing one's private data. In Windows, you can set permissions on NTFS-formatted partitions/drives; other file systems, such as FAT/FAT32/exFAT do not support access restrictions, aka Access Control Lists (ACL).
See this tutorial to convert your FAT/FAT32 drive to NTFS without losing any data.
Best security practices include protecting whole folders instead of individual files and enforcing security inheritance on subfolders. If there are many users and many folders requiring different permissions, it is recommended to grant access using user groups, not individual users. In most cases, basic access rights work the best; the usage of advanced ones can easily create frustration and end up with losing access to required resources.
You should never try changing permissions of whole system drive (the drive/partition where Windows is installed); or system folders or their subfolders, such as Windows, Program Files/Program Files (x86) or ProgramData. Always have a backup ready in case something goes awfully wrong.
Windows XP considerations
Windows XP Home Edition does not support setting file system access restrictions, even on NTFS-formatted drives. Windows XP Professional and all newer editions and versions of Windows have the required tools built in. You can use keyboard shortcut Windows Key+Break/Pause to check the version and edition of Windows.
To see the Security tab in Windows XP Professional, you must disable simple file sharing first. Launch Windows Explorer using keyboard shortcut Windows Key+E (or double-click My Computer), open Tools menu and click Folder Options.
Later versions of Windows (Vista, 7, 8 and 8.1) have the Security tab visible at all times.
Open View tab, scroll to the bottom of the Advanced settings list and clear the Use simple file sharing (Recommended) check box. Click OK to apply the changes.
Folder options are described in more detail here.
In Windows XP Home Edition, you can still make your own user profile folder (including the My Documents folder) private by opening Windows Explorer, navigating to C:\Documents and Settings folder, right-clicking your user folder and clicking Properties. Then open the Sharing tab and turn on the Make this folder private option.
As said before, it is strongly recommended to apply permissions to folders, not individual files. The main reason is security inheritance - by default, all items inherit Access Control Lists (ACL) from the folder they are in (if the Read & Execute option is enabled). So if you change Access Control Entries (ACE aka user access to a file), the permissions might stay effective only until the next time you modify and save the file. After saving, the file inherits permissions of its parent folder and the item might not be private enough anymore.
This limitation gives you an opportunity to organize files into different folders and apply security to these folders. The bright side of this is that you can then locate and manage your files in an easier way.
To view or modify file/folder permissions in Windows, locate and right-click it in Windows/File Explorer and click Properties. Keyboard equivalent is to use shortcut Alt+Enter on a selected item.
File or folder properties window opens. Click to open the Security tab and you can see the currently effective permissions. The top part of the window (Group or user names) lists users and groups that have been granted or denied some sort of access to the item; the bottom part (Permissions for <selected group or user>) lists the selected user's/group's basic access rights to the item.
In Windows XP, you can select a user or a group (aka principal) and change its permissions right away; in Windows Vista and newer, you must first click the Edit button (all items in the bottom half of the window are grayed out/disabled by default).
The basic access rights to an item/object are as follows:
- Full Control - can create items; see, open, read, write, delete the item; modify access rights and attributes and take ownership of the item. Selecting the box enables all other options.
- Modify - can create items; see, open, read, write and delete the item; view access rights and modify attributes. Activating the option enables all check boxes below it.
- Read & Execute - can see, open/launch and read the item. Selecting the option enables the List folder contents and Read items.
- List folder contents - applies to folders only, same rights as Read & Execute, but applies to sub-folders only (not to files in these).
- Read - can see, open and view permissions and attributes of the item. The most basic right.
- Write - can create items; see, open, read, write, synchronize and delete the item. Viewing permissions and attributes is also allowed.
- Special permissions - customized rights that fall out of scope of basic rights.
If you enable the Read & Execute option of a folder, all sub-folders and files will inherit permissions from it. Disabling it and using the List folder contents option instead will enforce the rights to sub-folders only, excluding files. The latter allows independent access rights to individual files within folders and sub-folders.
To add a user or a group, click the Add... button in the top half of the item properties window.
To delete an Access Control Entry (ACE), click the Remove button. Be careful here - you do not want to remove your own access right! If you've accidentally removed your own right, click the Cancel button and start over.
The Select Users or Groups dialog opens. Here you can either type in the names of groups or users (separated by semicolon) and click the Check Names button for verification; or click the Advanced... button to enable listing of all available group and user names.
If you have a local network (HomeGroup, Workgroup, Domain), you can also choose users from other Windows PC-s on the same network using the Location button. You might have to enter user name and password (use administrative accounts only) for the remote PC first.
After using the Advanced button, click Find Now.
The list of all users and groups appears. You can either select one item at a time, or hold down Shift key to select concurrent items, or hold down Ctrl key to select non-adjacent items.
After selecting required users or groups, click OK.
Click OK back in the Select Users or Groups window to add the selected item(s) to Access Control List.
By default, the added users and groups will receive the Read & Execute, List Folder Contents and Read permissions. You can adjust the rights by selecting or deselecting available check boxes for each added account.
Click OK after you're done adjusting the access permissions.
There are special accounts available in Windows. You should use these with caution and only if you fully understand what kind of access they allow or deny.
- Anonymous Logon - network users that have not specified user name and password. This applies best to web servers and is not recommended while securing or sharing folders and files.
- Authenticated Users - any user who has successfully logged on with user name and password. This does not include the Guest account even if it is password-protected.
- Creator Owner and Creator Group - identifies the user or group who created the selected file or folder. You can use these entries for protected folders to allow deleting temporary files that many programs such as Microsoft Word or Microsoft Excel automatically create after opening a document. The owner can read, modify and delete such items, but other non-administrative users cannot erase these accidentally.
- Dialup - users who access the computer over a dial-up (modem) connections.
- Everyone - any user who accesses the computer, including Guest account. Anonymous Logon is excluded.
- HomeUsers - available in Windows 7, 8 and 8.1 only, all members of the HomeGroup that this PC has joined. If the computer is not in a HomeGroup, the item is not visible.
- Interactive - any user who has logged on locally (not over network).
- Network - any user who has logged on over the network (not locally). This excludes users who have logged on over a Remote Desktop connection.
- Remote Interactive Logon - any user who has logged on over Remote Desktop Connection (not locally or over direct network connection).
You are administrator and you have a folder that you want to share with another users on this computer. However, non-administrative users should not be able to delete documents other than their own.
- Add Administrators group with Full Control permission. This includes your own account.
- Add Users group with Read & Execute and Write permissions. This gives ordinary (limited) users permission to open and modify all files, but not to delete these.
- Add Creator Owner account with Full Control permission. This means that anyone who creates a new file or folder can also delete it. Other non-administative users cannot delete the item.
- Add special SYSTEM account with Full Control permission. This ensures that files can be properly backed up, defragmented, etc by scheduled tasks.
The previous section covered basic permissions that are normally fine for everyday use. Advanced settings include more granular control over access rights of folders, sub-folders and files; and cover inheritance, ownership and permission testing.
As usual, right-click the object (file or folder) you want to customize and click Properites. Then open Security tab and click Advanced in the bottom half of the window.
In Windows XP, editable list of permission entries appears right away. In Windows Vista, 7, 8 and 8.1, you must click the Change Permissions button first to modify the listed rights. This will open a separate window.
You are now able to add or remove permissions from the Access Control List (ACL) using the corresponding buttons.
To change advanced rights for a user or a group, click its entry and then click Edit.
For folders, you can choose how the permissions affect items in it using the Apply onto (Windows XP), Apply to (Windows Vista and 7) or Applies to (Windows 8 and 8.1) combo box. The entries speak for themselves, This folder, subfolder and files is selected by default. This enforces the listed rights to each and every file, sub-folder and all files in all sub-folders. Using such granularity, you can create different access rights for files in the current folder, for subfolders and their files, etc.
For clarity, try avoiding advanced permissions and use different top-level folders for items that require different permissions.
For files, this option is disabled.
To change advanced permissions, tick or clear the appropriate check boxes.
In Windows 8 and 8.1, you must click the Show advanced permissions link on the right first (see the image above).
In case all these options are grayed out, there must be a line on the top of the window that warns about inherited rights. You cannot change the access rights unless you disable inheritance for the object.
Inheritance eases the creation of security settings so that you do not have to apply the same permissions to each and every subfolder. All you need to do is to create Access Control List (ACL) for the parent folder and all subfolders and files will inherit these automatically. That is, if inheritance is enabled (it is by default) and the Read & Execute option (discussed earlier in this article) for the folder is enabled.
To break the inheritance for a folder or a file, clear the Inherit from parent the permission entries that apply to child objects (Windows XP) or Include inheritable permissions from this object's parent (Windows Vista and 7). In Windows 8 and 8.1, click the Disable inheritance button.
A warning dialog will appear. In Windows XP, click Copy; in Windows Vista and 7, click Add. In Windows 8 and 8.1, click Convert inherited permissions into explicit permissions on this object.
This will disable inheritance, turn the previously inherited rights into explicit rights and save you some time by keeping the default permission entries (you do not have to start creating access rights from the scratch).
Now you have a set of default permissions that you can modify as you like. As always, I suggest using the basic access rights instead of advanced permissions. Just click OK to close the Advanced Security Settings window and define the ACL in the folder or file properites window.
If required, you can also replace all access rights of subfolders and files by enabling the Replace permission entries on all child objects with entries shown here that apply to child objects (Windows XP) or Replace all child object permissions with inheritable permissions from this object (Windows Vista and later) option.
Then click OK.
This will spawn another warning window, click Yes. Please be aware that this will remove all customized access rights of subfolders and files.
To re-enable inheritance, put a check mark in the Inherit from parent the permission entries that apply to child objects (Windows XP) or Include inheritable permissions from this object's parent (Windows Vista and 7). In Windows 8 and 8.1, click the Enable inheritance button.
This will add access rights from parent folder, but your customized permissions will also remain intact.
In its simplest form, owner is the user who created the file or the folder. In Windows XP, owner has full permissions to the item; later versions of Windows grant full access only if the Creator Owner or Creator Group account is included in basic or advanced permissions..
To change an object's ownership, you must either have Full Control permissions to it, or your user account must be a member of the Administrators group.
In Windows XP, Vista and 7, open the Owner tab of Advanced Security Settings window. The current owner is listed in the Current owner of this item (Windows XP), Current Owner (Windows Vista and 7) or Owner (Windows 8 and 8.1) field.
Just like in access rights part, Windows XP allows modifications right away; Windows Vista and 7 users must first click the Edit button; and Windows 8 users must click the Change link.
Now you can select a different administrative account or group in Windows Vista and 7, or click Change again in Windows 8/8.1 to select one from a list.
To replace owner of all subfolders and files also, enable the Replace owner on subcontainers and objects option. In Windows XP, this will grant full access rights to the selected user or group.
In Windows XP, Vista and 7, close and re-open all Properties windows to see new access rights. Windows Vista and 7 will pop up an informative dialog about this.
Windows 8 and 8.1 will close the windows automatically, so you must re-open these.
In case you connect an NTFS-formatted drive from another computer, and you cannot even see the amount of free space on the drive (a bunch of access denied errors for every action you try), follow these steps:
- Caution: never try this on a system drive (the drive where Windows is installed, usually drive letter C:\) - this can make Windows unbootable.
- Take ownership of the whole drive, but select a user account with administrator rights instead of a security group. Ignore error messages while owner of all objects on the drive is being changed. Close the open drive properties window, if necessary.
- Re-open properties of the drive, go to Security tab, grant Full Control permissons to the same user account you used before and click OK.
- The drive is accessible now, give Full Control rights to SYSTEM account and Administrators group.
If you go back to the original computer, you must repeat the steps above to access the drive.
Windows also has the Effective Permissions (Windows XP, Vista and 7) or Effective Access (Windows 8 and 8.1) tab that allows verifying that a user or a group has all required permissions. This is mostly intended for complex environments with many groups and users, but it is also good for home users.
Click the Select button in Windows XP, Vista or 7. Windows 8/8.1 users should click the Select a user link instead.
The Select User or Group window opens. Either type the name of the user or group and click Check Names to verify the account, or click Advanced and then Find Now to list all available accounts.
In Windows XP, Vista and 7, the list of effective access rights appears. In Windows 8 and 8.1, you must click the View effective access button first.