Windows file and folder security
There are many cases where you will need to restrict access to a file or folder to yourself or a certain group of users. For example, you can assign a specific folder on your computer where home users can access music, images, or videos, or where colleagues at the workplace can access work files and documents, while restricting those users' permissions to that group of files or folders rather than your whole computer system.
Insecure file permissions are one of the core security weaknesses identified during penetration tests. During our internal infrastructure security reviews, we often encounter such weaknesses as privilege escalation opportunities that elevate our access levels and push us closer to domain administrator privileges. This is one of the primary topics under the access control domain and must be understood to ensure security in an Active Directory environment, where file servers and shared files and repositories rely on the NTFS permissions structure.
This is where Windows file and folder permissions come in handy to prevent unauthorised access to your essential data. In this article, you will learn how to use file and folder permissions to protect your data privacy and prevent leaks.
How to set secure folder permissions in Windows?
Windows uses permissions for every registry key, folder and file within your computer. Usually, the operating system automatically monitors permissions to ensure that files and folders are secure. Therefore, you no longer have to fret about someone gaining unauthorised access to your file or folder. However, you may sometimes wish to take complete control of this feature and manually decide which users or groups can access a folder or file.
In such situations, Windows permissions are very useful. For example, multiple users may work on the same computer as you do. They can be your co-workers or family members. By specifying the permissions for a file under your ownership, you can restrict other users’ access to it.
File and folder permissions in windows
Windows applies permissions to every file and folder within the computer. To access these permissions, a user must have a user account within the system and belong to an administrator group.
- Click on the file in a folder and choose Properties.
- Click the user to open their permissions
- Click the Edit icon.
Permissions are either inherited permissions or explicit permissions. All Windows files and folders are given permissions for parent folders. Explicit permissions are set by default during the creation of the folder. On the other hand, inherited permissions are assigned to a subfolder because it is part of the parent folder.
At times, setting permissions with PowerShell also helps in managing files and folders at a faster rate. It is a robust method that helps automate otherwise time-consuming tasks. It is done by creating scripts and using commands called “cmdlets”.
Share permissions and NTFS permissions
Windows has two significant categories of permissions. The first category is called Sharing Permissions, while the second is NTFS Permissions. They are different from one another. If you share a folder automatically, everyone gets that permission.
What is NTFS, and what are NTFS permissions?
The New Technology File System or NTFS is Windows’s latest file system to store and retrieve files. NTFS supports larger file sizes and larger hard drives and is much more secure than FAT (File Allocation System). NTFS is present in Windows 7, 8, and 10. Windows Vista, Windows XP, Windows 2000, and Windows NT also use this technology. Following are two standard points about NTFS permissions.
- NTFS Permissions are windows permissions that can only work in the NTFS file system.
- These permissions are cumulative. It means that a user’s effective permissions are a result of the additive effect of his group permissions and assigned permissions.
NTFS file and folder permissions
There are different types of files and folder permissions. It is necessary to understand the differences between the NTFS permissions that apply to files and folders. We will discuss each one of them separately in the section below.
File permissions
- Full Control lets you read, write, execute, change attributes, modify permissions, and take full ownership of the file.
- Modify makes it possible to read, write, execute, and change file attributes.
- Read & Execute enables you to display the file’s data, owner, attributes, and permissions.
- Read will make it possible to open the file and view its permissions, owner, and attributes.
- Write will help you to write data onto the file and make changes to its attributes.
Folder permissions
- Full Control gives you the authority to read, write, execute, and modify a folder, its permissions, and attributes. The recipient can even gain ownership of the folder.
- Modify makes it possible to read, write, execute, and change folder attributes.
- Read & Execute enables you to display the folder’s data, owner, attributes, and permissions.
- List Folder Contents allows the recipient to display the information in the folder and show its permissions, data, owner, and attributes.
- Read makes it possible to show the permissions, attributes, owners, and data of a file.
- Write will help you to write data onto the folder and make changes to its attributes.
You apply Windows permissions to a file or folder at times before sharing it with another user or group. Such permissions are called Share Permissions. There are three different types of share permissions.
- These permissions are only applicable for users who are approaching the resource through a network. They won’t work if you log in, for example, through terminal services.
- By using them together with NTFS permissions, you can develop a more detailed restriction scheme.
- If you have got FAT or FAT32 formatted volumes, only share permissions will be available to you. NTFS Permissions will be unavailable on those file systems.
The new share permissions
- Read permission is a new share permission. It allows the recipient to open a file, but they won’t be able to delete, edit, or modify the data.
- The Read/Write option allows the recipients to do whatever they wish. They can not only open but also delete and edit the file.
Older share permissions
- In the older versions, read permission will enable you to visit all files and subdirectories within the shared folder. However, it will not permit you to edit permissions, take ownership of the folder, or manipulate a file. It will make it possible to execute different applications.
- Modify permission permits you to do anything allowed by ‘read permission’. In addition, it will enable you to add new subdirectories and files and to read, write, and edit data. Therefore, the user or group with whom the file is mainly shared benefits from it.
- Just as the name suggests, Full Control gives you complete authority over all other default permissions. You can do anything if you have complete control over a file or folder. Moreover, you can even use NTFS permissions on every file within the shared folder.
Using share and NTFS permissions together
The most restrictive permission prevails when you use share permissions and NTFS permissions jointly. The following rules apply when you are making use of share permissions together with NTFS.
- It is possible to impose restrictions on files/folders using NTFS permissions. They are applicable to each file/subfolder present in the shared folder.
- Users need both permissions to gain access to subfolders/files within the shared content.
- When you use a combination of share permissions and NTFS permissions, the more restrictive permission will take the lead.
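The two rules stated so far (NTFS permissions are cumulative across a user's groups, and the more restrictive of share and NTFS permissions wins over the network) can be modelled on sample data. This is an added example, not code from the original article; the CORP\ accounts, the ACE lists and the mapping of share levels to NTFS rights are constructed assumptions, and the ordering between explicit and inherited entries is not modelled.

```powershell
# Added example: a model over constructed data; no real share or ACL is queried.
$FSR = [System.Security.AccessControl.FileSystemRights]

# Approximate NTFS equivalents of the older share levels (assumption of this model).
$shareLevel = @{ Read = $FSR::ReadAndExecute; Change = $FSR::Modify; Full = $FSR::FullControl }

function Get-CumulativeRights {
    param([string[]]$Principals, [object[]]$Aces)
    $allow = 0; $deny = 0
    foreach ($ace in $Aces) {
        if ($Principals -notcontains $ace.Identity) { continue }
        if ($ace.Type -eq 'Deny') { $deny  = $deny  -bor [int]$ace.Rights }
        else                      { $allow = $allow -bor [int]$ace.Rights }
    }
    # Cumulative: rights granted to the user and to each group add up; Deny removes bits.
    return ($allow -band (-bnot $deny))
}

function Get-NetworkRights {
    param([string[]]$Principals, [object[]]$ShareAces, [object[]]$NtfsAces)
    $share = Get-CumulativeRights -Principals $Principals -Aces $ShareAces
    $ntfs  = Get-CumulativeRights -Principals $Principals -Aces $NtfsAces
    # Both layers must allow the access, so only the bits present in both survive.
    return [System.Security.AccessControl.FileSystemRights]($share -band $ntfs)
}

function New-Ace($Identity, $Type, $Rights) {
    [pscustomobject]@{ Identity = $Identity; Type = $Type; Rights = $Rights }
}

# Constructed sample: the share is read-only for Staff, NTFS is more generous.
$shareAces = @(New-Ace 'CORP\Staff' 'Allow' ($shareLevel.Read))
$ntfsAces  = @(
    (New-Ace 'CORP\Staff'       'Allow' ($FSR::ReadAndExecute)),
    (New-Ace 'CORP\Finance'     'Allow' ($FSR::Modify)),
    (New-Ace 'CORP\Contractors' 'Deny'  ($FSR::Write))
)
$alice = 'CORP\alice', 'CORP\Staff', 'CORP\Finance'
$bob   = 'CORP\bob',   'CORP\Staff', 'CORP\Finance', 'CORP\Contractors'

foreach ($user in $alice, $bob) {
    $local = [System.Security.AccessControl.FileSystemRights](Get-CumulativeRights $user $ntfsAces)
    "{0}: NTFS only = {1}; through the share = {2}" -f $user[0], $local,
        (Get-NetworkRights $user $shareAces $ntfsAces)
}
```

Both users end up limited by the read-only share even though NTFS alone would give them more, which is why share and NTFS entries have to be reviewed together.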
Changing permissions for files and folders
If you wish to edit Windows permissions for a specific file or folder, you may follow the steps below. These steps help when users set permissions to restrict certain users from gaining access to a folder/file.
1. Log into Windows with an administrator account. If you log in with a different account, you will only be able to change permissions for that specific account. Therefore, to change permissions for all accounts on the computer, it is best to log into the administrator account. With other accounts, most permission features will be unavailable.
2. Right-click on the file/folder whose permissions need to change. This can be done to any file or folder, for example, an ssh folder. Ssh folders contain public keys and authorised hosts entries. Changing the ssh permissions (in this case, the ssh folder) for a single folder will directly impact all the subfolders/files present in it.
3. Moving on, choose Properties from the drop-down menu. The Properties window for that specific file or folder will launch on the screen.
4. Once this is done, click on the Security Tab. A list containing the names of all users and groups that can access the file/folder will display on the screen.
5. After this, click on the “Edit” button. It will allow you to change the permission settings for that file or folder.
6. If you wish to add a new user or group to the list, you may click on the “Add” button. To find all users and groups on the computer, select “Advanced” and then “Find Now”. Choose the user/group you wish to add and then click”.
7. Click the user whose permission settings are about to change. All available permissions will be shown in “Permissions for Use”.
8. Check the boxes for the permissions you wish to grant to the user or group. “Allow” and “Deny” boxes are present for each permission. Choose the suitable option according to your needs.
9. If the boxes are grey, adjust your settings to meet your needs. If you cannot make changes to the default permissions, adjustments can be made to specific settings.
- Click Advanced security settings from Security Tab.
- Choose the user and then tap on the Change Permissions/Edit button.
- Unselect “Include inheritable permissions from this object’s parent.”
- You may save the changes now.
By clicking “Apply”, all changes will be saved. Consequently, the permissions for the target user will also be updated. The user’s access to the file or folder will either increase or decrease depending upon your selections.
This section addresses all the popular questions relevant to permissions in Windows and ways of keeping files and folders secure.
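The same procedure can be scripted with the Get-Acl and Set-Acl cmdlets. The following is an added example, not part of the original article: it takes the ssh folder mentioned in step 2, assumes it lives at `.ssh` under the current user's profile and already exists, and leaves only explicit entries for the current user, SYSTEM and Administrators.

```powershell
# Added example. Assumption: the folder is "<user profile>\.ssh" and already exists.
# Run from an elevated session, as in step 1 of the procedure.
$path = Join-Path $env:USERPROFILE '.ssh'

# Principals by SID, so the script does not depend on localised account names.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$system = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # SYSTEM
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # Administrators

$acl = Get-Acl -LiteralPath $path -ErrorAction Stop

# Same effect as clearing "Include inheritable permissions from this object's parent":
#   $true  = stop inheriting from the parent folder
#   $false = drop the inherited entries instead of copying them as explicit ones
# Explicit entries already on the folder are kept; the listing at the end shows them.
$acl.SetAccessRuleProtection($true, $false)

# ContainerInherit + ObjectInherit: the grant flows down to subfolders and files.
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($sid in $me, $system, $admins) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $sid, $full, $inherit, $none, $allow
    $acl.AddAccessRule($rule)
}

Set-Acl -LiteralPath $path -AclObject $acl

# Verify the result instead of trusting the write.
$after = Get-Acl -LiteralPath $path
"Inheritance disabled: $($after.AreAccessRulesProtected)"
$after.Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Adding the administrative entries before writing the ACL matters: with inheritance removed, an ACL that grants nobody access can only be repaired by the owner or by taking ownership.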
Q. Is the Folder Lock key a secure option?
Yes! It is one of the safest ways of keeping your data/folder secure at all times, no matter if you boot your program in Safe Mode or DOS mode. The Folder Lock key will ensure that your encrypted files are not damaged.
Q. Where do I find my secure folder?
You may follow the steps below to access your secure file or folder.
- Go to Settings
- Then select Biometrics and Security
- You will find the Secure Folder Tab here.
- Choose the correct folder.
Q. What is the use of folder redirection?
Folder Redirection enables users to save their important documents on a file server instead of their workstations. It allows them to open their files quickly on any computer. Users must have specific permissions before doing so.
Q. What is ACL in PowerShell?
The ACL sets out all the permissions that users or groups have when accessing a secure file or folder. In Windows PowerShell 3.0 and later versions, the InputObject parameter of Get-Acl helps access the security descriptor of objects without a path.
Q. How do I list file permissions in Windows?
You can use the command icacls in the command prompt to list all the current users of the file.
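For reviewing many folders at once, the same information can be read with Get-Acl and filtered for the insecure-permission pattern described at the start of this article. This is an added example, not from the original article: `$root` is a placeholder path, and the choice of which groups count as broad and which rights count as write access is an assumption of the script.

```powershell
# Added example. $root is a placeholder: point it at a folder tree you administer.
$root = 'D:\Shares'

# Well-known SIDs, so the check does not depend on localised group names.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that change content or the ACL itself, plus GENERIC_WRITE and GENERIC_ALL.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

function Find-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { continue }   # unreadable ACL: skip it rather than stop the review
        # Arguments: include explicit entries, include inherited entries, return SIDs.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not $broad.ContainsKey($sid)) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $folder.FullName
                Principal = $broad[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Find-BroadWriteAce -Path $root | Sort-Object Inherited, Path | Format-Table -AutoSize
```

Rows with `Inherited` set to False are where the entry was actually granted, so those are the folders to correct; the inherited rows below them follow from that fix.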
Q. What are folder permissions in Outlook?
Folder Permissions in Outlook are used to restrict the viewers who can view a folder in Outlook. Roles such as owner, editor, publishing author, and publishing editor are also present.
Q. How do I make a secure folder?
The steps below are meant for Windows 7 and close versions.
- Open Windows Explorer. Then, go to the folder you want to secure through a password.
- Right-Click it.
- Click on Properties > Advanced > Encrypt Content to Secure Data.
- Click OK. The system will be using your Windows username and password.
- Double Click to see if the folder is still accessible.
Files and folders contain vital information that must be kept secure. At times, multiple users are working on the same computer. In this situation, all people working on the computer will have access to each other’s private folders. This is when Windows permissions come in handy. By setting up permissions for each user working on your computer, you can restrict their access to your files and folders. There are several types of permissions.
However, they are usually divided into two broad categories, share permissions and NTFS permissions. Each class has several sub-types. If both work together, the private document becomes very secure. Thanks to Windows, it is possible to edit/change permissions for each user on the internet. With all these fantastic features in hand, you no longer need to worry about the security of your files.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master's degree in Information Security, an OSCP and has a strong technical skillset in offensive security.