Always check special NTFS permissions

Be careful with NTFS permissions
Michael Murdock

Fiddling with NTFS permissions can have unexpected results, as this tip from reader Michael Murdock illustrates. Do you have a security tip? Why not send it in? We'll enter you in our tips contest for some neat prizes, and we'll post your tip on our site.

If you remove standard NTFS permissions in the wrong order, some undesirable special NTFS permissions can be left behind.

Here's an example. Choose a file with all of the NTFS permissions selected for a particular user or group, then clear the Write permission and click Apply. The OS automatically removes Full Control and Modify (leading you to believe that only Read and Execute remains).

Now, go have a look in the Advanced properties for the special NTFS permissions and you will see that the Delete permission remains. And guess what? That user/group is able to delete that file.

Always adjust standard NTFS permissions by removing the most powerful first (least restrictive), i.e. remove Full Control, then Modify, then Write, etc.

Just because you clear the Read permission and the OS automatically clears the others, do not assume it is always correct. Always check special NTFS permissions.
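
The check recommended above can be scripted on systems that have PowerShell. This is an added example, not part of the original tip: the function name Get-ResidualDeleteAce and the C:\Data paths are hypothetical, and it reports any Allow entry that still carries the special Delete right without the full Modify permission.

```powershell
# Added example: report Allow ACEs that keep the special Delete right
# although the standard Modify permission (which normally carries it) is gone.
# Function name and C:\Data paths are hypothetical placeholders.

function Get-ResidualDeleteAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    begin {
        # Numeric masks for the two rights being compared.
        $delete = [int][System.Security.AccessControl.FileSystemRights]::Delete
        $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
    }
    process {
        $acl = Get-Acl -LiteralPath $Path
        foreach ($ace in $acl.Access) {
            # Deny entries restrict access; only Allow entries can leave Delete behind.
            if ($ace.AccessControlType -ne 'Allow') { continue }

            $mask      = [int]$ace.FileSystemRights
            $hasDelete = ($mask -band $delete) -eq $delete
            $hasModify = ($mask -band $modify) -eq $modify

            # Delete present without full Modify: the standard checkboxes
            # no longer show it, so it is only visible as a special permission.
            if ($hasDelete -and -not $hasModify) {
                [pscustomobject]@{
                    Path      = $Path
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Check a single file, then every file under a folder.
Get-ResidualDeleteAce -Path 'C:\Data\report.txt'
Get-ChildItem -LiteralPath 'C:\Data' -Recurse -File | Get-ResidualDeleteAce
```

An empty result means no Allow entry on the checked files carries Delete on its own; any row returned names the user or group whose entry should be reviewed in the special permissions view.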

Related Book

Windows 2000 Security Handbook
Author : Tom Sheldon and Phil Cox
Publisher : McGraw-Hill
Published : Dec 2000
Summary :
Deploy and administer bullet-proof Windows 2000 security policies. This book explains how to safeguard intranet, Internet, and e-commerce transactions with IPSec, defend against hacking, spoofing, sniffing, and DDS attacks, and secure your network with firewalls, proxy servers, and VPNs.

This was first published in July 2001
