[This is preliminary documentation and subject to change]

Setting NTFS Permissions for a Directory or File

You can control access to your Web server's directories and files by setting NTFS access permissions. You can use NTFS permissions to define the level of access that you want to grant to specific users and groups of users, with valid Windows accounts. Proper configuration of file and directory permissions is crucial for preventing unauthorized access. For more information, see About Access Control or the Windows documentation.

When you share a directory or file, the default access settings for NTFS directories and files grants Full Control access to the Windows user group Everyone, which includes all users. This means that all users have permission to modify, move, and delete files or directories, and to change NTFS permissions. This default setting may not be appropriate for all directories and files.

Making your server secure involves removing unnecessary users and groups, or groups that are too general for your purposes. However, removing the Everyone group from the discretionary access control list (DACL) on your Web resources without further modification will cause even non-anonymous access to fail. If you want to have non-anonymous access work correctly you must have the following permissions in addition to any specific users or users groups:

Administrator [full control]
Creator/Owner [full control]
System [full control]

note Note If you do not see the Security tab in the drive, directory, or file property sheets, your server's file system is not configured as NTFS. To convert the file system to NTFS, see the Windows documentation.

To change NTFS permissions for a directory or file

Open My Computer, select the drive, directory, or file you want to secure, and open its property sheets.
On the Security property sheet, select the Windows account you want to change permissions for.
Under Permissions, select the types of access for the selected user or group. Use Allow to specifically allow access and Deny to specifically deny access. For more choices, click Advanced. For more information about the various permissions, see the Windows documentation.

Important Be careful when selecting Deny. Deny takes precedence over Allow. Applying Deny to the Everyone group might close the resource to that level of access by anyone, including the Administrator.

To add or remove Windows accounts to the NTFS permissions for a directory or file

On the Security property sheet, click Add to add users and groups or click Remove to remove users and groups.
In the Select Users, Computers, or Groups dialog box, select a computer or domain from the list or enter a name in the Name text box. You can continue to add users or groups. The lower list will contain those users and groups you have selected or entered.
Click OK to add these to the list on the Security property sheet.
In the Name list box, select a user or group that you want to grant access to your file or directory.

note Note If there are conflicts between your NTFS and Web server permissions, the most restrictive settings will be used. This means that permissions that explicitly deny access always take precedence over those permissions that grant access.