Windows Folder Permissions

Permissions can be set on files and folders to control access. Windows lets you change read, write, execute, and other permissions.

Learning Objectives

You should be able to:

  • Describe the permissions that Windows lets you set on files and folders
  • Modify file and folder permissions

Video Walkthrough

Use this video to follow along with the steps in this lab.

Why Folder Permissions Matter

Permissions should be applied using the principle of least privilege. People should be given the minimum level of permission they need to do their job and nothing more. Lazy administrators will sometimes grant too much access because it is easier to give read, write, and execute permissions rather than having users complain later that their application is broken.

Imagine that Beth works in the marketing department. Beth might need to read reports created by the accounting team. Beth should only be granted read access to the folder containing accounting reports. Beth should not have write access. If Beth had inappropriately been given write access, the following could occur.

  • Beth might accidentally delete accounting reports.
  • Beth might intentionally modify accounting reports.
  • Beth's computer might have malware that tries to encrypt data and hold it hostage for ransom (i.e., ransomware).

Removing Beth's write access would prevent intentional or accidental harm to the accounting reports.

Beth
Beth trying to make sense of accounting reports

Viewing and Modifying Permissions

  • Create a new folder called Secure Documents.
  • Right-click on the folder and choose Properties.

Folder Menu Options

  • Look at your account's permissions.

Account Permissions

  • Full Control: Grants all permissions, including the ability to modify permissions and take ownership.
  • Modify: Grants permissions to read, write, and delete, but not to change permissions or take ownership.
  • Read & Execute: Allows reading and executing files but does not grant write or delete permissions.
  • List Folder Contents: Allows viewing the contents of a folder (but not necessarily the ability to read the contents of files within).
  • Read: Grants permission to read the contents of the folder or file, but not modify it.
  • Write: Allows writing or adding to a file or folder, but not reading or executing files.

It might seem odd that permissions would be given to writ to a file, but not read the file. But this is a common scenario. For example, a user might be able to upload files to a folder, but not download files from the folder. This is common in web applications where users can upload files, but not download files uploaded by other users.

Special Permissions

"Special" permissions can be set for a user or group. These would typically be used when the standard permissions don't provide the level of control needed. If you were working with highly sensitive documents, you might need to set special permissions to control access. You don't need to memorize these. Just recognize that these options are available.

  • Traverse Folder/Execute File: Allows or denies moving through folders to reach files or folders, even if the user has no permission to the parent folders.
  • List Folder/Read Data: Allows or denies viewing file names and subfolders in a folder.
  • Read Attributes: Allows or denies viewing the basic attributes of a file or folder (e.g., read-only, hidden).
  • Read Extended Attributes: Allows or denies viewing additional, custom attributes defined by applications.
  • Create Files/Write Data: Allows or denies creating new files in the folder.
  • Create Folders/Append Data: Allows or denies creating subfolders or making changes to the end of a file.
  • Write Attributes: Allows or denies changing the basic attributes of a file or folder.
  • Write Extended Attributes: Allows or denies modifying extended attributes of a file or folder.
  • Delete Subfolders and Files: Allows or denies deletion of subfolders and files, even if the user does not have - Delete permission on the subfolder or file.
  • Delete: Allows or denies deleting the file or folder.
  • Read Permissions: Allows or denies viewing the permissions of a file or folder.
  • Change Permissions: Allows or denies changing the permissions of a file or folder.
  • Take Ownership: Allows or denies taking ownership of the file or folder.
  • Synchronize: Allows a thread to wait until a file or folder is ready to be accessed.

Challenge

  • Create a new user account on your system.
    • Run lusrmgr.msc from the start menu.
    • Select the Users category.
    • Right-click in an empty space and click New....
    • Give the new user information and click Create when done.
  • Give the user read access to the Secure Documents folder.
    • Edit the permissions.

Edit Folder Permissions

  • Click Add....

Add User

  • Type the name of the user, then Check Names, then OK. When working with user account permissions, clicking Check Names is important because it verifies that Windows found the account.

Find and Add User

  • With the new user selected, uncheck all permissions except Read, then click Apply.

Select Permissions

At this point, the new user has limited access to the folder in question.

Cleanup

When finished:

  • You can delete the Secure Documents folder.
  • You can delete the new user account you created.

Reflection

  • Which elements of the security triad does changing permissions help with?
  • When should permissions be granted to users? When should permissions be granted to groups?

Key Terms

  • Windows Folder Permissions: Settings that determine the level of access users and groups have to folders and files on a Windows operating system. These permissions control actions such as reading, writing, modifying, and executing files within a folder.