Usually you don’t need to worry about permissions on Windows because the operating system already handles them for you. Each user has their own profile and their own set of permissions, which prevents unauthorized access to files and folders.
However, there are times when you might need to manually configure permissions on a set of files or folders to prevent other users from accessing the data. This post assumes that other “people” also have access to the same computer that you are using.
If not, you can just encrypt your hard drive and that’s it. However, when other people, such as family or friends, can access the computer, then permissions can come in handy.
Of course there are other alternatives like hiding files and folders using file attributes or using the command line to hide data. You can even hide the entire drive in Windows if you like.
If you want to set permissions to share files with others, check out my post on creating a hidden network share or how to share files between computers, tablets, and phones.
The only other time you’ll need to mess with folder or file permissions is when you get a Permission Denied error when trying to access data. This means that you can take ownership of files that do not belong to your current account and still access them.
This is important because it means that setting permissions on a file or folder does not guarantee that the file or folder is secure. In Windows, an administrator on any Windows PC can override the permissions on a set of files and folders by taking ownership of them. Once you have ownership, you can set your own permissions.
So what does this mean in English? Basically, if you have data that you don’t want others to see, you should either not store it on this computer at all, or use an encryption tool like TrueCrypt.
For those tech-savvy readers, you’re probably saying, “Hey wait, TrueCrypt is no longer supported due to security vulnerabilities and should not be used!” Well that’s true, however TrueCrypt was independently audited and Phases I and II were completed.
You should only download TrueCrypt 7.1a, which has been uploaded to a verified mirror on GitHub. If you are not at all comfortable using TrueCrypt, the only other suggestion I have is VeraCrypt, which was the successor to TrueCrypt but fixed many flaws.
File and folder permissions
Now that we’ve got all this sorted out, let’s talk about permissions in Windows. Every file and every folder in Windows has its own set of permissions. Permissions can be broken down into Access Control Lists (ACLs) of users and their corresponding rights. Here’s an example with a list of users at the top and permissions at the bottom:
Permissions are also either inherited or not. Typically, in Windows, each file or folder gets its permissions from the parent folder. This hierarchy continues down to the root of the hard drive. The simplest set of permissions has at least three entries: SYSTEM, the currently logged-in user account and the Administrators group.
These permissions usually come from the C:\Users\Username folder on your hard drive. You can access these permissions by right-clicking a file or folder, choosing Properties, and then clicking the Security tab. To change the permissions for a specific user, click that user, and then click the Edit button.
Note that if the permissions are grayed out like in the example above, the permissions are inherited from the containing folder. I’ll go over how to remove inherited permissions below, but first, let’s understand the different types of permissions.
Types of permissions
There are six types of permissions in Windows: Full Control, Modify, Read and Execute, List Folder Contents, Read, and Write. List Folder Contents is the only permission that is exclusive to folders. There are more complex attributes, but you don’t have to worry about them.
So what does each of these permissions mean? Well, here’s a nice diagram from the Microsoft website that reveals the meaning of each file and folder permission:
Now that you understand what each permission controls, let’s take a look at changing some permissions and checking the results.
Before you can edit any permissions, you must take ownership of the file or folder. If the owner is another user account or system account, such as Local System or TrustedInstaller, you cannot change permissions.
Read my previous post on how to take ownership of files and folders in Windows if you are not currently the owner of them. Now that you are the owner, let’s get a few more things out of the way:
- If you give a user Full Control permissions on a folder, the user can delete any file or subfolder no matter what permissions are set for these files or subfolders.
- Permissions are inherited by default, so if you need custom file or folder permissions, you must first turn off inheritance.
- Deny permissions override Allow permissions, so use them sparingly and preferably only for specific users, not groups.
Right-click a file or folder, select Properties and click the Security tab, and we can now try to change some permissions. To get started, click the Edit button.
There are several things you can do at this point. First, you will notice that the Allow column is probably grayed out and cannot be changed. This is due to the inheritance I talked about earlier.
However, you can check items in the Deny column. So if you just want to block access to a folder for a specific user or group, first click the Add button, and once the user or group is added, check the Deny box next to Full Control.
When you click the Add button, you must enter a username or group name in the field and then click Check Names to make sure they are correct. If you don’t remember the name of the user or group, click the “Advanced” button and then just click “Find”. It will show you all users and groups.
Click OK and the user or group will be added to the ACL. Now you can check the Allow or Deny column. As mentioned, try using Deny for users only, not groups.
What happens if we try to remove a user or group from the list? Well, you can easily delete the user you just added, but if you try to delete any of the items that were already there, you will get an error.
To turn off inheritance, you need to go back to the main Security tab for a file or folder and click the Advanced button at the bottom.
In Windows 7, you have one extra tab for the owner. In Windows 10, it just moved to the top and you need to click on “Change”. Anyway, in Windows 7, click Change Permissions at the bottom of the first tab.
In the Advanced Security Settings dialog box, clear the “Include inheritable permissions from this object’s parent” check box.
When you do this, another dialog will appear asking you if you want to convert inherited permissions to explicit or simply remove all inherited permissions.
If you’re not sure exactly what permissions you need, I suggest choosing Add, which converts the inherited permissions to explicit ones, and then just removing whatever you don’t need. Basically, clicking the Add button keeps all the same permissions, but now they will not be greyed out and you can click Remove to remove any user or group. Clicking Remove in this dialog instead will start you off from scratch.
It looks a little different on Windows 10. After clicking the “Advanced” button, you must click the “Disable inheritance” button.
When you click on this button, you get the same options as in Windows 7, but in a different form. The Convert option is the same as Add, and the second option is the same as Remove.
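The same steps can be scripted. The following PowerShell is an added example, not part of the original post: it turns off inheritance on a scratch folder, keeps the inherited entries as explicit ones (the Add / Convert choice), and then removes one entry. The folder name and the choice of `BUILTIN\Administrators` as the entry to remove are assumptions made for illustration.

```powershell
# Added example: runs against a scratch folder under $env:TEMP (constructed path).
$folder = Join-Path $env:TEMP 'acl-inheritance-demo'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Helper (hypothetical name): print the inheritance state and every ACL entry.
function Show-Acl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    "Inheritance disabled: $($acl.AreAccessRulesProtected)"
    $acl.Access |
        Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
}

# Before: the entries come from the parent folder, so IsInherited is True.
Show-Acl -Path $folder

$acl = Get-Acl -Path $folder
# 1st argument: $true  = stop inheriting from the parent folder.
# 2nd argument: $true  = keep the inherited entries as explicit copies (Add / Convert),
#               $false = discard them and start from scratch (Remove).
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $folder -AclObject $acl

# Re-read the ACL so the converted entries are loaded as explicit rules,
# then drop every entry for one identity (assumption: Administrators is not needed here).
$acl      = Get-Acl -Path $folder
$unwanted = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
$acl.PurgeAccessRules($unwanted)
Set-Acl -Path $folder -AclObject $acl

# After: inheritance is off and the remaining entries are explicit.
Show-Acl -Path $folder
```

Removing the Administrators entry only removes the listed permission; as noted earlier, an administrator can still take ownership of the folder and set new permissions.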
The only thing left to understand is the Effective Permissions or Effective Access tab. So what are effective permissions? Well, let’s take a look at the example above. I have a text file and my Aseem account has Full Control. What if I add another item to the list so that the Users group is denied Full Control?
The only problem here is that the Aseem account is also a member of the Users group. So I have Full Control in one permission and Deny in the other. Which one wins? Well, as I mentioned above, Deny always takes precedence over Allow, so Deny will win, but we can confirm this manually as well.
Click “Advanced” and go to the “Effective Permissions” or “Effective Access” tab. In Windows 7, click the Select button and enter the name of the user or group. On Windows 10, click the Select User link.
In Windows 7, as soon as you select a user, it will immediately display the permissions in the list below. As you can see, all permissions are unchecked, which makes sense.
In Windows 10, after selecting a user, you must click the “View effective access” button. You will also see a nice red X to indicate no access and a green check mark to indicate allowed access, which is a little easier to read.
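The Deny-over-Allow result can also be checked from PowerShell. This is an added example, not part of the original post, and it is a simplified model of what the Effective Access tab does: it combines the ACL entries that match the current user or the groups in the logon token and subtracts Deny from Allow. The function name and the scratch file are assumptions; privileges, the owner's implicit rights and share permissions are not modelled.

```powershell
# Simplified effective-access check for the current user (added example).
function Get-SimpleEffectiveRights {
    param([Parameter(Mandatory)][string]$Path)

    # SIDs of the current user and of the groups in the logon token
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    # Explicit and inherited rules, with identities returned as SIDs
    $rules = (Get-Acl -Path $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    $allow = 0
    $deny  = 0
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($rule in $rules) {
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }
        # InheritOnly entries apply to child objects, not to this one
        if ($rule.PropagationFlags -band $inheritOnly) { continue }
        if ($rule.AccessControlType -eq 'Deny') {
            $deny = $deny -bor [int]$rule.FileSystemRights
        } else {
            $allow = $allow -bor [int]$rule.FileSystemRights
        }
    }
    # Any right that appears in a matching Deny entry is removed from the result
    [Enum]::ToObject([System.Security.AccessControl.FileSystemRights],
                     ($allow -band (-bnot $deny)))
}

# Constructed scenario mirroring the text: a scratch file that inherits Allow
# entries from the profile, then gets Deny Full Control for the Users group.
$file = Join-Path $env:TEMP 'effective-access-demo.txt'
Set-Content -Path $file -Value 'demo'
"Before Deny: $(Get-SimpleEffectiveRights -Path $file)"

$acl      = Get-Acl -Path $file
$denyRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                'BUILTIN\Users', 'FullControl', 'Deny')
$acl.AddAccessRule($denyRule)
Set-Acl -Path $file -AclObject $acl
"After Deny:  $(Get-SimpleEffectiveRights -Path $file)"

# Clean up the scratch file
Remove-Item -Path $file -Force
```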
So now you know everything there is to know about Windows file and folder permissions. To really understand it all, you need to play around with it yourself a little.
The main thing to understand is that you need to be the owner to edit permissions, and that any administrator can take ownership of files and folders regardless of the permissions on those objects. If you have any questions, do not hesitate to leave comments. Enjoy!