What are users who only have the list folder contents permission allowed to do?

Learn everything about folder and file NTFS permissions. What are their limitations? How does inheritance of NTFS permissions work, and how can I see the effective permissions of a user? Check out this post to answer these questions!

Basic Concepts

NTFS

NTFS, which stands for New Technology File System, is Microsoft’s current file system for the Windows NT operating system. NTFS is the successor of Microsoft’s previous systems, FAT and HPFS, and contains a wide range of improvements in terms of performance, extendibility, and security.

The main differences between NTFS and its predecessors are:

  • FAT32 only supports individual files of up to 4 GB in size. On the other hand, NTFS supports files of up to 16 EiB (16 × 1024^6 or 2^64 bytes).
  • The most important difference you need to understand in order to follow this tutorial is that NTFS supports file permissions and introduced the concept of the access control list (ACL), a concept we will be explaining in more detail as we proceed.

NTFS Permissions

NTFS permissions determine who has access to files or folders. These permissions can be assigned to individual users or groups, but the best practice is to assign them to groups whenever possible. NTFS permissions are set in the ACL (Access Control List).

Access Control List (ACL)

The access control list (ACL) is the list of users or groups that have access to a certain object. An object can be a file or folder. Each entry in the ACL is known as an access control entry (ACE).

The users or groups in the ACL are known as trustees. NTFS Permissions can be allowed, denied, or audited.

To create, edit, or view access control lists, right-click a file or folder, then select Properties from the options displayed.

What are users who only have the list folder contents permission allowed to do?

(A reason I like the way Novell Netware did things – it didn't show files or folders that you didn't have access to.
Whereas MS NTFS still shows the items but you get an Access Denied message if you don't have permission)."

---------------------------

"Yes, you'll need to enable access based enumeration "

...

"I only ever use ABE on a folder level. I.e. if a user can see a folder (and therefore access it) then they can see the files in that folder.

If that makes sense."

-------------------------------------

"Actually, I have just done some testing and found with ABE that if you give LIST access to a folder then the user can see the folders and subfolders but cannot see the files! Perfect!

I didn't think it would work this way, because the List permission is actually "List Folder Contents". But ABE requires the user to have at least Read permissions. Since List is lower than Read permissions the files do not get displayed. You'd think then the folders wouldn't get displayed either since they have List (not Read) permissions assigned .. but MS must have smartly assumed that if List is enabled on the folder then the admin wants the folder to be visible."

Both share and NTFS permissions serve the same purpose within Windows environments; namely, to help you prevent unauthorized access to your critical folders. However, there are some critical differences between the two that will determine which one you use.

In this blog we will learn about what share permissions and NTFS permissions are, what the differences between the two are, and the best practices for using them.

What Are Share Permissions?

Simply put, share permissions allow you to control who accesses folders over the network (they will not apply to those users who are accessing locally). In share permissions, you cannot control access to individual subfolders or objects on a share. Instead, share permissions apply to all of the files and folders within the share. Share permissions can be used with NTFS, FAT, and FAT32 file systems and allow you to determine the number of users who can access the shared folder.

Share Permission Types

  • Full Control: Allows users to create, read, update and delete files and folders in a directory, as well as NTFS files and folders. By default, the “Administrators” group is granted “Full Control” permissions.
  • Change: Allows users to read files, as well as add, edit and delete files and folders. “Change” permissions are not assigned by default.
  • Read: Allows users to read content in files and folders, as well as execute programs. The “Everyone” group is assigned “Read” permissions by default.

What Are NTFS Permissions?

New Technology File System (NTFS) permissions are used to manage access to data stored on NTFS file systems. NTFS is the de facto file system for Windows NT and later operating systems. Unlike share permissions, NTFS permissions affect both network and local users. The types of NTFS permissions available are similar to share permissions but go into a bit more detail.

The basic types of access permissions for NTFS are Full Control, Modify, Read & Execute, Read and Write. Most of these are self-explanatory, and similar to share permissions. Read & Execute rights allow users to run executables, including scripts. The basic types of access permissions are described in more detail below.

NTFS Permission Types

  • Full Control: Allows users to create, read, write, edit and delete files, folders and sub-folders. Users can also change the permissions for all files and folders in a directory.
  • Modify: Allows users to modify and delete the files, file properties and folders in a directory.
  • Read & execute: Allows users to read files and run executables, including scripts.
  • List folder contents: Allows users to view a list of all files, folders and sub-folders in a directory. They can also view folder attributes and permissions, and even execute files, but they cannot view file contents.
  • Read: Allows users to read files, file properties and folders in a directory.
  • Write: Allows users to write to a file and add files to directories.

Differences Between NTFS and Share Permissions

The type of permissions you choose to use will depend on what you’re looking to achieve and the resources you have available to you. Before deciding which permissions to use, there are a number of important differences between NTFS and Share permissions that you should be aware of. These differences are described below:

  • NTFS permissions provide more granular control over shared folders and their contents than Share permissions.
  • When Share and NTFS permissions are used together, the most restrictive permissions are chosen by default. For example, if NTFS permissions are set to “Everyone Modify Allow”, and Share permissions are set to “Everyone Read Allow”, the Share permissions will override the NTFS permissions as they are more restrictive.
  • Unlike NTFS permissions, Share permissions can be applied to FAT and FAT32 file systems.
  • Unlike Share permissions, NTFS permissions apply to users who are logged on to the server locally.
  • Unlike NTFS permissions, Share permissions allow you to restrict the number of concurrent connections to a shared folder.
  • Share and NTFS permissions are configured in different locations. Share permissions are configured in the “Advanced Sharing” properties in the “Permissions” settings, while NTFS permissions are configured on the Security tab in the file or folder properties.

Best Practices for Using Permissions

Your entire objective when using permissions should be to operate on a policy of least privilege, where users only have access to the files and folders they need to do their job. To help achieve this, there are a number of things you can do:

  • Don’t assign permissions to user accounts: Permissions should be assigned only to groups in order to simplify the management of access to shared resources. If an employee in your organization changes roles and requires a new set of permissions, you can simply remove them and add them to the most appropriate groups.
  • Use the Administrators group wisely: Users in this group will be able to do anything with your files and folders, including changing permissions. There are very few users who warrant this kind of control, and those that do need to be audited and monitored closely. You should use a third-party File Server audit solution to audit, monitor, and alert on changes administrators are making to your files and folders.
  • Group objects together depending on security requirements: If there is a load of folders that apply to one particular department in the organization, group them into a parent folder and share that parent folder. This will save you from having to go through and share each folder individually.

How To Manage Permissions

If you find working with two separate sets of permissions too difficult to manage, you are probably better off using only NTFS permissions, as the added granularity will provide more flexibility and thus better security. Not only that, but NTFS permissions can be applied whether the resource is accessed locally or over the network. To use NTFS permissions by default, simply change the Share permissions for the folder to “Full Control.” That way, the Share permissions no longer restrict anything, and the NTFS permissions you set are the ones that determine access.
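The "most restrictive wins" rule and the "Full Control on the share" approach described above, worked through in PowerShell as an added example (not code from the original article). The function names, the trustee names and the sample ACLs are constructed for illustration, and the model covers Allow entries only.

```powershell
using namespace System.Security.AccessControl

# Rights each share-level permission allows, as file-system access masks.
$ShareLevel = @{
    Read        = [FileSystemRights]'ReadAndExecute, Synchronize'
    Change      = [FileSystemRights]'Modify, Synchronize'
    FullControl = [FileSystemRights]'FullControl'
}

# Union of the Allow entries that match the user's group membership.
function Get-GrantedRights {
    param([object[]]$Entries, [string[]]$Membership)
    $granted = [FileSystemRights]0
    foreach ($e in $Entries) {
        if ($Membership -contains $e.Trustee) {
            $granted = [FileSystemRights]($granted -bor $e.Rights)
        }
    }
    $granted
}

# Access over the network is limited to what BOTH layers allow.
function Get-NetworkAccess {
    param([object[]]$ShareAcl, [object[]]$NtfsAcl, [string[]]$Membership)
    $share = Get-GrantedRights -Entries $ShareAcl -Membership $Membership
    $ntfs  = Get-GrantedRights -Entries $NtfsAcl  -Membership $Membership
    [pscustomobject]@{
        Share     = $share
        Ntfs      = $ntfs
        Effective = [FileSystemRights]($share -band $ntfs)
    }
}

# Constructed sample data: a user in Everyone and in a made-up group.
$member  = 'Everyone', 'CORP\Finance'
$ntfsAcl = @(
    [pscustomobject]@{ Trustee = 'Everyone';     Rights = [FileSystemRights]'ReadAndExecute, Synchronize' }
    [pscustomobject]@{ Trustee = 'CORP\Finance'; Rights = [FileSystemRights]'Modify, Synchronize' }
)
$readShare = @([pscustomobject]@{ Trustee = 'Everyone'; Rights = $ShareLevel.Read })
$fullShare = @([pscustomobject]@{ Trustee = 'Everyone'; Rights = $ShareLevel.FullControl })

# Share "Everyone: Read" caps the Finance user at read access over the network.
Get-NetworkAccess -ShareAcl $readShare -NtfsAcl $ntfsAcl -Membership $member
# Share "Everyone: Full Control" leaves the NTFS ACL as the only limit.
Get-NetworkAccess -ShareAcl $fullShare -NtfsAcl $ntfsAcl -Membership $member
```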


What special permissions constitute the list folder contents permission?

  • List Folder: Allows or denies viewing file names and subfolder names within the folder. List Folder only affects the contents of that folder and does not affect whether the folder you are setting the permission on will be listed.
  • Read Data: Allows or denies viewing data in files.
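Windows implements "List folder contents" as the Read & Execute rights applied to folders and subfolders only. The PowerShell below is an added example (not part of the original page) that sets such an entry on a constructed temp folder and reports which child objects received it. The folder and file names and the BUILTIN\Users trustee are assumptions chosen for the demo.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Constructed sandbox folder under the current user's temp directory.
$root = Join-Path $env:TEMP ('lfc-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $root | Out-Null

# Trustee for the demo: the well-known BUILTIN\Users group.
$users = [SecurityIdentifier]'S-1-5-32-545'

# "List folder contents": Read & Execute rights, inheritable by subfolders
# (ContainerInherit) but not by files (no ObjectInherit flag).
$rule = [FileSystemAccessRule]::new(
    $users,
    [FileSystemRights]::ReadAndExecute,
    [InheritanceFlags]::ContainerInherit,
    [PropagationFlags]::None,
    [AccessControlType]::Allow)

$acl = Get-Acl -LiteralPath $root
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $root -AclObject $acl

# Children created after the ACE is in place pick up whatever is inheritable.
$sub  = New-Item -ItemType Directory -Path (Join-Path $root 'Reports')
$file = New-Item -ItemType File      -Path (Join-Path $root 'budget.txt')

# Report the ACEs each object holds for the trustee.
$report = foreach ($path in $root, $sub.FullName, $file.FullName) {
    $aces = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, [SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $users }
    [pscustomobject]@{
        Path      = $path
        HasAce    = [bool]$aces
        Rights    = ($aces | ForEach-Object { $_.FileSystemRights }) -join '; '
        Inherited = ($aces | ForEach-Object { $_.IsInherited }) -join '; '
    }
}
$report | Format-Table -AutoSize

# Clean up the sandbox.
Remove-Item -LiteralPath $root -Recurse -Force
```

If the parent temp directory already carries inheritable entries for BUILTIN\Users, those appear in the report as well; pick a different trustee in that case.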

What are the 3 permissions available when sharing a file?

There are three types of share permissions: Full Control, Change and Read. You can set each of them to “Deny” or “Allow” to control access to shared folders or drives: Read — Users can view file and subfolder names, read data in files, and run programs. By default, the “Everyone” group is assigned “Read” permissions.

What are the two types of permissions used to control access to a shared folder?

This article discusses NTFS permissions and share permissions in Windows and how they work together to regulate access to files and folders. Windows provides two sets of permissions to restrict access to files and folders: NTFS permissions and share permissions.