Best Practices for Securing Files with NTFS Permissions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

Observe the following best practices when you set NTFS permissions:

  • Assign permissions to groups rather than to users. Permissions granted directly to individual user accounts are hard to maintain as accounts come and go, so assigning permissions on a per-user basis should be the exception.

  • If possible, avoid changing the default permission entries on file system objects, particularly on system folders and root folders. Changing default permissions can cause unexpected access problems or reduce security.

  • Never deny the Everyone group access to an object. A Deny entry for Everyone applies to administrators as well, because they are members of Everyone. A better solution is to remove the Everyone group from the object's permissions, as long as you have granted the required permissions to other users, groups, or computers. You may also need to explicitly assign Full Control to the Administrators group and to the SYSTEM account (LocalSystem) so that the object remains manageable.

  • Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry for the same access. Explicit permissions take precedence over inherited permissions, including inherited Deny permissions: Windows evaluates the entries in the order explicit Deny, explicit Allow, inherited Deny, inherited Allow, and stops as soon as the requested access is fully granted or any part of it is denied.

  • Deny permissions should be used only for the following special cases:

    • To exclude a subset of a group that has been granted Allow permissions.

    • To exclude one specific permission when you have already assigned Full Control to a user or group.

  • Use care when configuring NTFS permissions for your Web site. Inappropriately set permissions can deny valid users access to required files and directories. For example, even though a user has the correct permissions to view and execute a program, the user might not have permission to access a particular dynamic-link library (DLL) that is required to run that program. To guarantee users secure and uninterrupted file access, place related files in the same directory, and then assign the appropriate NTFS permissions to the directory.

  • For more information about NTFS permissions, see "Access Control" in Help and Support Center in Windows Server 2003.

  • For more information about converting a volume from the FAT or FAT32 file system to NTFS, see "Convert" in Help and Support Center in Windows Server 2003.
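The following PowerShell script is an added example, not code from the original article. It applies the practices above to one folder tree: it protects the tree from inherited changes without touching the defaults on the parent, removes Everyone instead of denying it, keeps explicit Full Control for Administrators and SYSTEM, grants access to a group rather than to users, uses Deny only for the two special cases listed, and then shows the explicit-before-inherited ordering that decides the outcome. The folder D:\Data\Finance, the file README.txt, and the groups CONTOSO\Finance and CONTOSO\Finance-Interns (assumed to be a subset of CONTOSO\Finance) are hypothetical names chosen for the example.

```powershell
# Added example, not code from the original article. Hypothetical names:
# D:\Data\Finance and the groups CONTOSO\Finance and CONTOSO\Finance-Interns
# (a subset of CONTOSO\Finance) are assumed to exist. Run as an administrator
# on a machine that can resolve the group names.

$root       = 'D:\Data\Finance'
$restricted = Join-Path $root 'Payroll'
$exception  = Join-Path $restricted 'README.txt'
$group      = 'CONTOSO\Finance'          # gets access; never grant to individual users
$subgroup   = 'CONTOSO\Finance-Interns'  # members of $group to keep out of Payroll

New-Item -ItemType Directory -Path $restricted -Force | Out-Null
Set-Content -Path $exception -Value 'Payroll policy summary (constructed sample file)'

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None

# Helper that builds one access control entry (ACE).
function New-Ace([string]$Identity,
                 [System.Security.AccessControl.FileSystemRights]$Rights,
                 [System.Security.AccessControl.AccessControlType]$Type,
                 [System.Security.AccessControl.InheritanceFlags]$Flags = $inherit) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Flags, $none, $Type
}

# 1. Stop inheriting from the parent and keep a copy of the inherited entries,
#    so the default entries on the volume root and system folders stay untouched.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $root -AclObject $acl

# 2. Remove Everyone rather than denying it: a Deny for Everyone would also
#    lock out administrators, who are members of Everyone.
$acl = Get-Acl -Path $root
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]'Everyone')

# 3. Keep the tree manageable: explicit Full Control for Administrators and SYSTEM.
$acl.SetAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'Allow'))
$acl.SetAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' 'Allow'))

# 4. Grant to the group. Deny special case 2: the group has Full Control but
#    must not be able to re-permission the tree or take ownership of it.
$acl.SetAccessRule((New-Ace $group 'FullControl' 'Allow'))
$acl.AddAccessRule((New-Ace $group 'ChangePermissions, TakeOwnership' 'Deny'))
Set-Acl -Path $root -AclObject $acl

# 5. Deny special case 1: exclude a subset of the allowed group from one subfolder.
$sub = Get-Acl -Path $restricted
$sub.AddAccessRule((New-Ace $subgroup 'FullControl' 'Deny'))
Set-Acl -Path $restricted -AclObject $sub

# 6. Precedence: an explicit Allow on one file beats the Deny it inherits from
#    Payroll, so interns can read README.txt and nothing else under Payroll.
#    Files cannot carry inheritance flags, hence InheritanceFlags::None.
$file = Get-Acl -Path $exception
$file.AddAccessRule((New-Ace $subgroup 'ReadAndExecute' 'Allow' `
    ([System.Security.AccessControl.InheritanceFlags]::None)))
Set-Acl -Path $exception -AclObject $file

# Review the result. Explicit entries sort before inherited ones, and Deny before
# Allow within each set; that is also the order in which Windows evaluates them.
function Show-Dacl([string]$Path) {
    Get-Acl -Path $Path | Select-Object -ExpandProperty Access |
        Sort-Object IsInherited, @{ Expression = 'AccessControlType'; Descending = $true } |
        Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
}
Show-Dacl $restricted
Show-Dacl $exception
```

Get-Acl shows the entries, not the effective result for a particular account, so finish by testing as a member of each group (for example, log on as a test account in CONTOSO\Finance-Interns and try to open README.txt and a sibling file). The explicit ReadAndExecute entry on README.txt should win over the inherited Deny, while the rest of Payroll stays closed to that account.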