Permission levels are configured to limit individual or group user access to specific data. Both FAT32 and NTFS allow folder sharing and folder-level permissions for users with network access. Folder permissions are shown in Figure 1. The additional security of file-level permissions is provided only with NTFS. File-level permissions are shown in Figure 2.

To configure file- or folder-level permissions, use the following path:

Right-click the file or folder and select Properties > Security > Edit…

When configuring network share permissions for a computer that has NTFS, create a network share and assign shared permissions to users or groups. Only users and groups with both NTFS permissions and shared permissions can access a network share.

To configure folder sharing permissions in Windows 7, use the following path:

Right-click the folder and select Share with

There are four file sharing options to choose from:

To configure folder-sharing permissions in Windows Vista, use the following path:

Right-click a folder and select Share…

To configure folder-sharing permissions in Windows XP, use the following path:

Right-click a folder and select Sharing and Security…

All file systems keep track of resources, but only file systems with journals, which are special areas where file changes are recorded before changes are made, can log access by user, date, and time. The FAT32 file system lacks journaling and encryption capabilities. As a result, situations that require good security are usually deployed using NTFS. If increased security is needed, it is possible to run certain utilities, such as CONVERT, to upgrade a FAT32 file system to NTFS. The conversion process is not reversible. It is important to clearly define your goals before making the transition. A comparison of the two file systems is shown in Figure 3.

Principle of Least Privilege

Users should be limited to only the resources they need in a computer system or on a network. They should not be able to access all files on a server, for example, if they need to access only a single folder. It may be easier to provide users access to the entire drive, but it is more secure to limit access to only the folder that is needed to perform their job. This is known as the principle of least privilege. Limiting access to resources also prevents malicious programs from accessing those resources if the user’s computer becomes infected.

Restricting User Permissions

File and network share permissions can be granted to individuals or through membership within a group. If an individual or a group is denied permissions to a network share, this denial overrides any other permissions given. For example, if you deny someone permission to a network share, the user cannot access that share, even if the user is the administrator or part of the administrator group. The local security policy must outline which resources and the type of access allowed for each user and group.

When the permissions of a folder are changed, you are given the option to apply the same permissions to all sub-folders. This is known as permission propagation. Permission propagation is an easy way to apply permissions to many files and folders quickly. After parent folder permissions have been set, folders and files that are created inside the parent folder inherit the permissions of the parent folder.