When ransomware encrypts a file share, it runs with the permissions of the user who executed it. If that user had Modify or Full Control, every file they can reach is lost. NTFS permissions are the last line of defense. This lesson goes beyond the six basic permissions to cover inheritance, effective access, and the critical difference between share and NTFS permissions, with real examples from high-security file server configurations.
NTFS offers six basic permissions: Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. But the devil is in the advanced permissions: Delete Subfolders and Files, Take Ownership, Change Permissions. Modify includes the Delete right, so a user with Modify can delete files they did not create wherever that right is inherited. Setting up a secure folder structure means reducing Modify to Read & Execute wherever possible and granting Full Control only to the SYSTEM and Administrators accounts.
In the icacls output for such a folder, SYSTEM and Administrators show Full Control (F), and the Finance Read-Only group shows Read & Execute (RX). The (OI)(CI) flags indicate Object Inherit and Container Inherit, meaning files and subfolders inherit these permissions.
```powershell
# Set granular NTFS permissions via PowerShell: grant Modify but deny Delete.
# Modify already includes the Delete right, so an explicit Deny ACE is needed
# to carve it back out; Deny ACEs are evaluated before Allow ACEs.
$acl = Get-Acl -Path "D:\Projects"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\DevTeam", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
# Deny the 'Delete' advanced right; it inherits to subfolders and files like the Allow above
$denyDelete = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\DevTeam", "Delete", "ContainerInherit,ObjectInherit", "None", "Deny")
$acl.AddAccessRule($rule)
$acl.AddAccessRule($denyDelete)
Set-Acl -Path "D:\Projects" -AclObject $acl
```

💡 Deny permissions take precedence over Allow. Use Deny sparingly, only to carve out exceptions from broad Allow rules. Misusing Deny can lock out administrators.
NTFS permissions flow from parent to child via inheritance. Disabling inheritance and converting the inherited entries to explicit permissions is common for folders that need unique ACLs. The 'Effective Access' tab in Windows Explorer (or Get-EffectiveAccess from the NTFSSecurity PowerShell module) calculates the real permissions a user has by combining all group memberships and ACEs. Always check it before declaring a folder 'secure': overlapping group memberships often grant unexpected Write access.
| Inheritance Flag | Meaning | When to Use |
|---|---|---|
| (OI) | Object Inherit: files in the folder inherit the ACE | Almost always needed |
| (CI) | Container Inherit: subfolders inherit the ACE | Almost always; omit it when each subfolder needs its own permissions |
| (NP) | No Propagate: only immediate children inherit the ACE | Use to stop the inheritance chain one level down |
| (IO) | Inherit Only: the ACE applies to children, not to the folder itself | Useful for granting permission on all files without changing access to the folder itself |
When a file is accessed over SMB, both share permissions and NTFS permissions apply, and the most restrictive wins. Many admins set the share to Everyone: Full Control and rely solely on NTFS. While common, this leaves nothing to catch a misconfiguration on the share. The secure approach: set share permissions to Authenticated Users: Change (or Read), and lock down with NTFS. This provides defense in depth.
⚠️ The CREATOR OWNER well-known SID inherits permissions from the parent. If you don't explicitly remove it, users who create files can modify permissions on their own files, potentially locking out administrators.
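To find where the rights discussed above (Delete, Delete Subfolders and Files, Take Ownership, Change Permissions, Write, and a CREATOR OWNER entry that can change permissions) have crept into a tree, the following audit script, an added example and not part of the lesson, walks a folder hierarchy and reports risky Allow ACEs held by anyone other than SYSTEM and Administrators, plus folders with inheritance disabled. `Find-RiskyAce` and `$Root` are names chosen here; the path is a placeholder and the script is assumed to run in an elevated session.

```powershell
# Added audit example (not from the lesson). Assumes an elevated session on
# Windows PowerShell 5.1 or PowerShell 7; $Root is a placeholder path.
function Find-RiskyAce {
    param([string]$Root = "D:\Projects")

    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $FSR = [System.Security.AccessControl.FileSystemRights]
    # Rights that let a principal destroy data or rewrite the ACL itself
    $dangerous = $FSR::Delete -bor $FSR::DeleteSubdirectoriesAndFiles -bor
                 $FSR::TakeOwnership -bor $FSR::ChangePermissions -bor $FSR::WriteData
    # Generic rights (GENERIC_ALL, GENERIC_WRITE) are not named in the enum but still grant write/delete
    $generic = 0x10000000 -bor 0x40000000

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $dir = $_.FullName
        $acl = Get-Acl -LiteralPath $dir
        # Folders with inheritance disabled carry explicit ACEs that are easy to overlook
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{ Path = $dir; Principal = '-'; Finding = 'Inheritance disabled' }
        }
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($trusted -contains $who) { continue }
            # Deny ACEs are the carve-outs; only Allow entries widen access
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = [int]$ace.FileSystemRights
            if ($who -eq 'CREATOR OWNER') {
                if (($rights -band [int]$FSR::ChangePermissions) -ne 0) {
                    [pscustomobject]@{ Path = $dir; Principal = $who
                                       Finding = 'CREATOR OWNER may change permissions on files it creates' }
                }
            }
            elseif ((($rights -band [int]$dangerous) -ne 0) -or (($rights -band $generic) -ne 0)) {
                [pscustomobject]@{ Path = $dir; Principal = $who
                                   Finding = "Allow $($ace.FileSystemRights) (inherited: $($ace.IsInherited))" }
            }
        }
      }
}

Find-RiskyAce -Root "D:\Projects" | Format-Table -AutoSize
```

The script reports ACEs as written on each folder; effective access for a specific user still has to be checked as described above, because overlapping group memberships combine entries.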