NTFS Permissions and the File System

#NTFS Permissions, File System Security, and ACLs#link

Now that you understand Windows authentication and identity, we turn to authorization — how Windows decides what authenticated users can actually do with files, folders, and other resources. The NTFS (New Technology File System) permission model is the backbone of Windows file security, and misconfigurations here are among the most common findings in penetration tests.

This lesson covers NTFS permissions, Access Control Lists (ACLs), inheritance, and how attackers exploit weak file system permissions for privilege escalation and data exfiltration.

NTFS vs. FAT32: Why the File System Matters

Windows supports multiple file systems, but NTFS is the standard for all modern Windows installations. Unlike FAT32, NTFS supports:

• ▪Access Control Lists (ACLs) — per-file and per-folder permissions
• ▪Encryption (EFS) — per-file encryption using user certificates
• ▪Compression — transparent file compression
• ▪Disk quotas — per-user storage limits
• ▪Journaling — transaction log for crash recovery
• ▪Alternate Data Streams (ADS) — multiple data streams per file (used by malware for hiding)
• ▪Hard links and symbolic links — multiple path references to the same data

Access Control Lists (ACLs) and Access Control Entries (ACEs)

Every securable object in Windows (files, folders, registry keys, processes, services, etc.) has a security descriptor containing two types of Access Control Lists:

Each entry in a DACL is an Access Control Entry (ACE) that specifies a trustee (user or group) and a set of permissions. ACEs are processed in order: explicit deny ACEs come first, then explicit allow ACEs, then inherited deny, then inherited allow.

NTFS Standard Permissions

NTFS provides both basic (standard) and advanced (special) permissions. The standard permissions are combinations of more granular special permissions:

# View the ACL of a folder
Get-Acl "C:\SensitiveData" | Format-List

# View ACL with detailed ACE information
Get-Acl "C:\SensitiveData" | Select-Object -ExpandProperty Access | 
  Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited

# Check effective access for the current user
Get-Acl "C:\SensitiveData" | Get-EffectiveAccess

# Find all files where 'Everyone' has write access (common misconfiguration)
Get-ChildItem -Path "C:\" -Recurse -ErrorAction SilentlyContinue | 
  ForEach-Object {
    $acl = Get-Acl $_.FullName
    $acl.Access | Where-Object {
      $_.IdentityReference -match "Everyone" -and
      $_.FileSystemRights -match "Write|FullControl|Modify"
    } | Select-Object @{N='Path';E={$_.FullName}}
  }

Permission Inheritance

NTFS permissions are inherited by default. When you set permissions on a parent folder, those permissions propagate to all child objects (subfolders and files). Inheritance can be disabled, which is sometimes necessary for security but can also lead to inconsistent permission configurations.

Key inheritance concepts:

• ▪Container inherit — ACE propagates to subfolders
• ▪Object inherit — ACE propagates to files
• ▪No propagate inherit — ACE applies only to immediate children
• ▪Inheritance flags control how child objects receive parent permissions

# Check if inheritance is enabled on a folder
$acl = Get-Acl "C:\SensitiveData"
$acl.AreAccessRulesProtected  # $true means inheritance is DISABLED

# Disable inheritance and copy existing ACEs (convert inherited to explicit)
$acl = Get-Acl "C:\SensitiveData"
$acl.SetAccessRuleProtection($true, $true)  # $true, $true = disable inheritance, keep existing
Set-Acl "C:\SensitiveData" $acl

# Grant a specific user explicit permissions
$acl = Get-Acl "C:\SensitiveData"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
  "DOMAIN\analyst", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow"
)
$acl.SetAccessRule($rule)
Set-Acl "C:\SensitiveData" $acl

Special Permissions and Dangerous Configurations

Beyond standard permissions, several NTFS configurations are particularly dangerous from a security perspective:

• ▪Write access to system directories (C:\Windows, C:\Program Files) — allows DLL hijacking and binary replacement
• ▪Write access to other users' profile folders — allows planting startup items or modifying user data
• ▪Full Control on service executable paths — allows replacing service binaries for privilege escalation
• ▪Write access to scheduled task script locations — allows modifying task actions
• ▪Impersonation after write — writing to locations that privileged processes will later execute from

Share Permissions vs. NTFS Permissions

When accessing files over the network (SMB shares), two layers of permissions apply: Share permissions and NTFS permissions. Windows enforces **the most restrictive combination** of both.

# List all SMB shares on the local machine
Get-SmbShare

# View share permissions for a specific share
Get-SmbShareAccess -Name "DataShare"

# Create a new share with specific permissions
New-SmbShare -Name "SecureShare" -Path "C:\SecureData" 
  -FullAccess "DOMAIN\Admins" 
  -ChangeAccess "DOMAIN\Users" 
  -ReadAccess "DOMAIN\Guests"

Ownership and Take Ownership

Every NTFS object has an owner. By default, the creator is the owner. The owner always has the ability to modify the object's permissions, even if they are explicitly denied access. This is a fundamental principle of Windows security: ownership trumps permissions.

The 'Take Ownership' privilege (SeTakeOwnershipPrivilege) allows a user to become the owner of any object, after which they can modify the DACL to grant themselves full access. This privilege is granted to the Administrators group by default.

# Take ownership of a file (requires Take Ownership privilege)
takeown /f "C:\ProtectedFile.txt"

# Grant yourself full access after taking ownership
icacls "C:\ProtectedFile.txt" /grant "jsmith:F"

# Alternative: use PowerShell to take ownership
$acl = Get-Acl "C:\ProtectedFile.txt"
$acl.SetOwner([System.Security.Principal.NTAccount]"jsmith")
Set-Acl "C:\ProtectedFile.txt" $acl