Secure Files and Folders with NTFS Permissions

As mentioned, the share permissions are meaningless when someone is accessing files and folders locally. You can still secure files locally, however, if you use NTFS permissions. Before you do so, you need to take two preliminary steps:

• Format the desired volume using the NTFS file system (refer to Chapter 4, "Disk and File System Management," for details).
  
  
• Disable Simple File Sharing.
  
  

Once you take these steps, you'll see the Security tab when examining the Properties of a file or folder stored on and NTFS partition. As shown in Figure 11-7, the Security tab contains an ACL where you set NTFS permissions. Like share permissions, you can have very granular control over permissions for individual users and groups. The NTFS permissions are more powerful and flexible than share level permissions, though.

NTFS permissions are a function of NTFS attributes, a full discussion of which is beyond the scope of this book. You can view the individual NTFS attributes by clicking on the Advanced button, but I'll let you explore that on your own.

Here's what's important to keep straight about NTFS permissions:

• NTFS permissions are effective locally. Share permissions apply only when network connections are made to a resource.

• NTFS permissions are effective for both folders and individual files. Share permissions can be granted at the folder level only. The share permissions then apply to all files and subfolders within the share.

• File permissions override folder permissions.

• As with share permissions, each of the NTFS permissions has an Allow setting and a Deny setting.

• Like share permissions, NTFS permissions are cumulative. A user who's granted the NTFS Read permission via the Everyone group and the NTFS Full Control permission through his or her membership in the Administrators group would have the Full Control effective permission.

And finally this, which merits a separate paragraph: when NTFS and share permissions are combined, the effective permission is the most restrictive permission. For example, if a user is granted the share-level permission Full Control and the NTFS permission Read, the effective permission is… Read. (It's confusing, I know, but you've got it in writing, so you can re-read this chunk if necessary.)