Problem solve Get help with specific problems with your technologies, process and projects.

Always check special NTFS permissions

User Michael Murdock explains why it's important to check those special NTFS permissions to avoid undersireable leftovers.

Be careful with NTFS permissions
Michael Murdock

Fiddling with NTFS permission can have unexpected results, as this tip from reader Michael Murdock illustrates. Do you have a security tip? Why not send it in? We'll enter you in our tips contest for some neat prizes, and we'll post your tip on our site.

If you remove standard NTFS permissions in the wrong order, some undesirable special NTFS permissions can be left behind.

Here's an example. Choose a file with all of the NTFS permissions selected for a particular user or group, then clear the Write permission and click Apply. The OS automatically removes Full Control and Modify (leading you to believe that only Read and Execute remains).

Now, go have a look in the Advance Properties for the special NTFS permissions and you will see that the Delete permission remains. And guess what? That user/group is able to delete that file.

Always adjust standard NTFS permission by removing the most powerful first (least restrictive), i.e. remove Full Control, then Modify, then Write, etc.

Just because you clear the Read permission and the OS automatically clears the others, do not assume it is always correct. Always check special NTFS permissions.

Did you like this tip? Why not let us know. Email to sound off.

Related Book

Windows 2000 Security Handbook 
Author : Tom Sheldon and Phil Cox
Publisher : McGraw-Hill
Published : Dec 2000
Summary : 
Deploy and administer bullet-proof Windows 2000 security policies. This book explains how to safeguard intranet, Internet, and e-commerce transactions with IPSec, defend against hacking, spoofing, sniffing, and DDS attacks, and secure your network with firewalls, proxy servers, and VPNs.


Dig Deeper on Windows legacy operating systems

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.