Restrict access to the files stored on NTFS partitions

NTFS partitions support access control lists (ACLs) on the folders/directories of the partition. These can be used to control who is allowed to access certain folders.

For example, one can restrict access to the NTFS partition/drive/folder so that only authenticated users have access:
  1. Open My Computer
  2. Right-click the NTFS partition (or a folder on the partition) and select Properties
  3. In the new dialog pick the Security tab
    • One has to be a member of the Administrators group to use this tab.
    • If using WinXP Pro, one has to disable Simple File Sharing to access this tab.
    • If using WinXP Home, one has to boot in Safe Mode to access this tab.
  4. In the Security tab one can do the following:
    • Take ownership of the partition:
      1. Press the Advanced-button
      2. Select the Owner tab
      3. Select the Administrators group
      4. Check the "Replace owner on subcontainers and objects" box
      5. Press the OK button
      6. Press the Apply button
    • Restrict access to the NTFS partition so only authenticated users have access:
      1. Remove the Everyone group and instead add the Authenticated Users group
      2. Select the Authenticated Users group and make sure it has Full Control
      3. Press the Apply button
    • Apply the above restriction to all subfolders (Do NOT do this on the system-partition):
      1. Press the Advanced-button
      2. Select the Permissions tab
      3. Tick "Replace/Reset Permissions..."
      4. Press the OK button
      5. Press the Apply button
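
The same three operations can be scripted. The following is an added example, not part of the original page; it assumes Windows 7 or later (where `takeown.exe`, `icacls.exe` and PowerShell are present), an elevated prompt, and a constructed target folder `D:\Data`.

```powershell
# Added example: command-line form of the Security tab steps above.
# Assumption: run elevated; D:\Data is a constructed path, not from the original page.
param(
    [string]$Path = 'D:\Data'
)

# Well-known SIDs instead of group names, so this also works on localized Windows.
$Everyone           = 'S-1-1-0'
$AuthenticatedUsers = 'S-1-5-11'

function Invoke-Native {
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

$target = (Resolve-Path -LiteralPath $Path).Path
$root   = [System.IO.Path]::GetPathRoot($target).TrimEnd('\')

# The steps above warn against resetting permissions on the system partition.
if ($root -ieq $env:SystemDrive) {
    throw "Refusing to modify ACLs on the system partition ($root)."
}

# 1. Take ownership for the Administrators group (/A), recursively (/R).
#    "/D Y" answers the confirmation prompt; the letter is locale-dependent.
Invoke-Native takeown.exe @('/F', $target, '/A', '/R', '/D', 'Y')

# 2. Grant Authenticated Users Full Control, inherited by subfolders (CI) and
#    files (OI), BEFORE removing Everyone, so access is never lost in between.
Invoke-Native icacls.exe @($target, '/grant', "*${AuthenticatedUsers}:(OI)(CI)F")
Invoke-Native icacls.exe @($target, '/remove:g', "*$Everyone")

# 3. Reset every child to inherited permissions ("Replace/Reset Permissions...").
Invoke-Native icacls.exe @((Join-Path $target '*'), '/reset', '/T', '/C')

# 4. Verify: no entry for Everyone (explicit or inherited) may remain on the target.
$sidType  = [System.Security.Principal.SecurityIdentifier]
$rules    = (Get-Acl -LiteralPath $target).GetAccessRules($true, $true, $sidType)
$leftover = $rules | Where-Object { $_.IdentityReference.Value -eq $Everyone }
if ($leftover) {
    throw "Everyone still has an entry on $target (inherited entries must be removed on the parent)."
}
"OK: Everyone removed from $target; Authenticated Users has Full Control."
```

The check in step 4 fails on a folder that still inherits an Everyone entry from its parent, because `/remove:g` only removes explicit entries.
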
Note: one can also use this to take ownership of NTFS partitions when getting access denied. This can be useful when installing a new hard disk with existing NTFS partitions, because the hard disk usually comes from another computer, where it was configured to be owned only by the users on that computer.

Note: one can also use this to take ownership of user folders, which can be useful when restoring an existing profile after a reformat/repair.

Note: one can also use this feature to provide extra control over who has access to network shares. Even if a user has authenticated to get access to a share, it is still possible to block certain folders within the share using NTFS permissions. See also Access-based Enumeration.

Note: if one has created a dummy Administrator account, one should make sure it doesn't have access to any of the NTFS partitions in the machine. But be sure that it is the dummy account and NOT the Administrators group that is denied access.

Note: if the guest account has been enabled, one should consider giving it only read access to the required NTFS partitions.

More Info MS KB148437
More Info MS KB153094
More Info MS KB244600
More Info MS KB266118
More Info MS KB268019
More Info MS KB301195
More Info MS KB308418
More Info MS KB308419
More Info MS KB308421
More Info MS KB318754
More Info MS KB324067
More Info MS KB325361
More Info MS KB810881
More Info MS KB825751

Updated: 29 November 2008
