Windows – NTFS Permissions – Create Files and Folder but prevent Deletion and Modification

ntfspermissionsshared-folderswindows

Objective: A shared folder to which users can create files but not modify or delete them. Users should also be able to create subfolders.

I have granted my security group the following advanced NTFS permissions:

Traverse Folder/Execute File
List Folder/Read Data
Read Attributes
Read Extended Attributes
Create Files/Write Data
Read Permissions

Through a process of trial and error, I have found that by NOT granting 'Write Attributes', this has the effect of preventing a user from modifying/deleting existing files (which is what I want). However, I would really like an explanation as to precisely why this works. The only theory I have is that the deletion/modification of a file changes the attributes of the file? Here is a discussion along same lines.

EDIT – The second part of my question is irrelevant, I thought that I had only selected 'Create Files/Write Data' but I did also have 'Create Folders/Append Data' selected as well.

Further more, I want users to be able to create subfolders within the root, and I have found that by granting 'Create Files/Write Data', this allows just that. But again, the name suggests this permission should just permit the creation of files, not folders, so I don't understand why it is working? Microsoft's explnanation of the 'Create Files/Write Data' attribute is "For folders, specifies whether a user can create files within the folder. For files, specifies whether a user can change files or overwrite data." There is no mention of the ability to create subfolders within a folder?

So basically, I've achieived what I set out to do but don't understand why it works?

Best Answer

Through a process of trial and error, I have found that by NOT granting 'Write Attributes', this has the effect of preventing a user from modifying/deleting existing files (which is what I want). However, I would really like an explanation as to precisely why this works.

This is a function of precisely how a file modification occurs. When you modify a file, the operating system doesn't actually modify the file you're editing. It replaces the file you're editing with the copy you changed. So, essentially, a file modification takes a copy of the original file, loads it into memory (where you modify it), deletes the original file, and creates a new file with the same name in the same place. This is why NTFS Delete permissions are required to modify files - in fact, if you check the Advanced permissions on an NTFS object, there is no Modify permission - a modification is really just a delete and a write.

So, in order to create that new copy of a file, it has to write the file attributes of this new file... and, of course, writing attributes requires the Write attributes NTFS permission. So that is why you can't modify a file without having the Write attributes NTFS permission.

Specifically, thanks to a chat with Fitzroy, the NTFS file attribute that needs to be written under the user's security context (that can't be, without the Write Attributes permission), when modifying a file, but not when creating a completely new one, would be the file's LastModificationTime. This is a part of the Standard Information attribute, according to one of the Microsoft Core Team developers.

Prevent Folder Deletion or inadvertent Drag and Drop with NTFS security

If you want to prevent a specific folder from being deleted or dragged and dropped elsewhere, even if it has elevated implicit permissions, you can set an explicit DENY to the FOLDER ONLY for the user account or security group which you want to prevent this action from being performed.

You can complete this folder security lock down using ICACLS with a local path (e.g C:\Path\FolderA\FolderE) or a UNC path (e.g \\server\share\FolderA\FolderE).

Example ICACLS syntax to run from an elevated command prompt

ICACLS "\\server\share\FolderA\FolderE" /deny "<UserOrGroupNameToDeny>":(DE)

Permissions Used

/deny user:permission
   Explicitly deny the specified user access rights.
   This will also remove any explicit grant of the 
   same permissions to the same user.

perm is a permission mask and can be specified in one of two forms:
   a comma-separated list in parentheses of specific rights:
         DE - delete

What this does

Running the above with those options in that syntax will set an explicit DENY to the NTFS DELETE permission on that FOLDER ONLY to that specific user account of security group.

You can confirm the deny permissions to the folder for the user account or security group by:

right-click the folder you've used in the command,
Select the Security tab,
In the Group or user name: area scroll to or select and highlight the account or group you've used in the command,
In the Permissions for Administrators area you will see the NTFS permission attributes for Allow and Deny
You'll see a check mark in the DENY column of the special permissions row for the account or group you've used in the command

Select Advanced and go to the Permissions tab
Check for the Name (or Principal) value that you used in command, for DENY in the Type field
The Permissions (or Access) field should show Delete and the Apply to (or Applies to) will show this folder only

NOTES

Please note that unchecking an ALLOW DELETE attribute is not the same as leaving that in place as-is and then creating a separate NTFS ACL rule for this same security group or user account saying to explicitly DENY the DELETE security.

This solution does NOT disallow DELETE this way

(WRONG)

This solution WILL explicitly DENY DELETE at this level to THIS FOLDER ONLY

(CORRECT)

Deny Changes to Immediate Subfolders/files but Allow Modify Rights to the Content of Subfolders

You only need to apply special permissions to the "Parent" folder of your A through E subfolders. In your case, the Parent folder is the Two folder.

Apply These Permissions To The Parent Folder:

Users: Read & execute (This folder, subfolders and files)
Users: Modify (Subfolders and files only)
Users: DENY 'Delete' (Subfolders only) and enable Apply these permissions to objects and/or containers within this container only

Note: Replace the Users group with the specific identity to which you wish to grant access.

Note: You'll also need to grant Administrators (or a user assigned responsibility for adding/deleting subfolders) Full Control permissions to this folder. Otherwise no one will have permission to create subfolders.

Resulting Permissions for the 'Users' group:

Cannot create, rename or delete folders or files immediately inside the parent folder
Can create, rename, modify, and delete folders or files inside the subfolders of the parent folder.

Resulting Permissions in your case:

U:\One\Two   <-- "Parent" folder
 - Users can read everything below this folder
 - Users cannot create, rename, or delete files or folders here

U:\One\Two\A (through E)   <--- "Subfolder" of Parent
 - Users can create, rename, modify, and delete files or subfolders here

Obviously since the permissions assigned to the Parent folder are inherited, future folders created in the Two folder will automatically receive the same set of permissions.

Best Answer

Related Solutions

Windows – How to prevent users from deleting one folder, while still giving them modify permissions to other files and folders