File and Folder Security Using NTFS Permissions

Besides increased system stability, the best reason for choosing Windows XP or Windows 2000 as a desktop OS is the ability to take advantage of the NTFS file system. Unlike FAT and FAT32, NTFS provides the ability to configure file and folder security permissions that apply to both local and remote users. On a Windows XP Home system, NTFS permissions are configured as part of the Simple File Sharing feature looked at earlier, or “old style” as explained in the boxout. The obvious prerequisite to using NTFS permissions is that at least one partition is formatted with the NTFS file system.

Thankfully, a default installation of Windows XP Home or Professional on a new system will use the NTFS file system, but your system being configured with NTFS isn’t a given. The easiest way to tell is to access the properties of a drive (like C) and viewing the information on the General tab. If you’re XP or 2000 system is currently running a different file system (like FAT32), all is not lost. Windows includes a utility to convert FAT32 partitions to NTFS, without losing any existing data. The command to convert drive D from FAT32 to NTFS from the command prompt would be:

convert d: /fs:ntfs

Since only Windows 9X/ME systems cannot access NTFS partitions, be very careful with this command if your system is configured in a dual-boot configuration.

As mentioned, NTFS permissions apply to users both locally and across the network, providing the highest degree of security. Subfolders and files inherit NTFS permissions, so this is also another key consideration. For example, if you were to create a new NTFS partition (say E), all new folders and files would inherit the permissions applied to drive E. Inherited permissions are indicated by the fact that they are “grayed out” and cannot be directly changed by default. Inherited permissions can be copied directly to a file or folder or removed, as explained in the NTFS permission stepped procedure.

The default permission applied to the root of a new drive may not meet your security needs, so be sure to change the default permissions at this level at a minimum. For example, consider granting yourself the Full Control permission to the root of the drive, and then individual users permissions to specific subfolders. One drive that you should not tamper with is the root of drive C, and the Windows folder. Changing the permissions on either of these resources might render your system unusable.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.