NTFS permissions (Deny X Allow)

Hi,
 
Many administrators know that Deny permissions take precedence over Allow permissions. Is that really right? Well, not in the case where both permissions are inherited.
 
Let's understand how NTFS permissions really work! But first, a little background.
 
Before Microsoft came up with NTFS permissions, another file system (FS) was in use that had a limited number of permissions: FAT. It had basic permissions, like read, write, execute and modify. Although these are the most commonly used kinds of permissions, system administrators couldn't define permissions more precisely.
This was true until NTFS, which came with a whole lot of new options, letting system administrators have more granular control over files and folders.
 
OK, that said, let's get down to business.
 
There are two types of NTFS permissions: explicit and inherited.
 
Inherited permissions are those propagated to an object from a parent object. Explicit permissions are those applied directly on the current folder.
 
Consider the scenario below:
 
                  Type       Deny   Allow
Folder1           Inherit
                  Explicit    X
 
  Folder2         Inherit     X
                  Explicit           X
 
    Folder3       Inherit     X      X
                  Explicit
 
Now what? What happens if a user tries to access Folder3 directly?
 
The access will be allowed!! How? Simple: the user is inheriting both permissions (Deny and Allow). OK, but everyone knows that on NTFS Deny has precedence over Allow… Not always!
 
Extracted from Microsoft TechNet:
 
"Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry."
 
"Explicit permissions take precedence over inherited permissions, even inherited Deny permissions."
 
However, none of this applies to our scenario above.
 
NTFS follows this logic when checking permissions:
  1. Check whether an explicit Deny exists on Folder3 >> No.
  2. Check whether an explicit Allow exists on Folder3 >> No.
  3. Check whether inheritance is enabled on Folder3 >> Yes, it is. Check the inherited permissions on the parent folder (Folder2).
  4. Check whether an explicit Deny exists on Folder2 >> No.
  5. Check whether an explicit Allow exists on Folder2 >> YES!!
  6. Allow access to the object!!

Since there are no explicit permissions on Folder3, the last inherited permission (the one coming from the nearest parent, Folder2) takes precedence.

That's why the user has access to Folder3!
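To make that evaluation order concrete, here is an added Python model of the check. It is not code from the post and not how Windows itself is implemented; it assumes a single access right and one trustee name per entry, and it walks the entries in the canonical order Windows uses for an object's DACL: explicit Deny, explicit Allow, then the entries inherited from the nearest parent, then its parent, and so on.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    # Entries set directly on this folder: (trustee, "Deny" or "Allow").
    explicit: List[Tuple[str, str]] = field(default_factory=list)
    inherit: bool = True  # inheritance from the parent enabled?

def effective_dacl(folder: Folder) -> List[Tuple[str, str, str]]:
    """Ordered ACE list the access check walks for `folder`: explicit
    entries first (Deny before Allow), then those inherited from the
    nearest parent, then from its parent, and so on up the tree."""
    aces = []
    node, depth = folder, 0
    while node is not None:
        source = "Explicit" if depth == 0 else f"Inherited from {node.name}"
        for kind in ("Deny", "Allow"):  # Deny precedes Allow within a level
            aces += [(who, k, source) for who, k in node.explicit if k == kind]
        if not node.inherit:  # inheritance blocked: stop walking upward
            break
        node, depth = node.parent, depth + 1
    return aces

def check_access(folder: Folder, trustee: str) -> Tuple[bool, str]:
    """First ACE matching the trustee decides; no match is an implicit deny."""
    for who, kind, source in effective_dacl(folder):
        if who == trustee:
            return kind == "Allow", source
    return False, "no matching ACE (implicit deny)"

# Constructed scenario from the post: Deny set explicitly on Folder1,
# Allow set explicitly on Folder2, nothing explicit on Folder3.
folder1 = Folder("Folder1", explicit=[("user", "Deny")])
folder2 = Folder("Folder2", parent=folder1, explicit=[("user", "Allow")])
folder3 = Folder("Folder3", parent=folder2)

# Variant: the Deny is now the nearer inherited entry, so it wins instead.
alt1 = Folder("Folder1", explicit=[("user", "Allow")])
alt2 = Folder("Folder2", parent=alt1, explicit=[("user", "Deny")])
alt3 = Folder("Folder3", parent=alt2)

if __name__ == "__main__":
    for f in (folder3, alt3):
        allowed, source = check_access(f, "user")
        print(f.name, "->", "ALLOWED" if allowed else "DENIED", "via", source)
```

Swapping which folder carries the Deny flips the result, which is the whole point: with no explicit entry on Folder3, whichever parent is nearer wins, not Deny as such.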

Now you know how NTFS permissions really work; pay attention to this the next time you're assigning permissions to a user or group on a folder or file.

 

Regards,

Paulo Oliveira.

This entry was posted in Windows Server.
