1 / 14
CHAPTER 7 — WHO CAN DO WHAT

Permissions, Shares
& Access Control

Understanding how Windows decides who gets access to what

LFI Security Hub • Prepared for HR • March 2026

02

Agenda

🔐
NTFS Permissions

The 6 levels of file/folder access

🛡️
ACLs, DACLs & SACLs

Security descriptors & access control entries

📂
Inheritance

How permissions flow from parent to child

🔒
Share vs NTFS — The Two Locks

Network access control explained

⚙️
Administrative Shares

C$, ADMIN$, IPC$ — hidden shares

🎯
Principle of Least Privilege

The golden rule of access control

03

NTFS Permissions: The Six Levels

Every file and folder on an NTFS volume has permissions that control exactly what users can do. Think of them as a graduated set of keys — each unlocking a different level of access.

PermissionWhat It AllowsIncludes
ReadView file contents, attributes, and permissions
WriteCreate new files/subfolders, modify attributes
List FolderView file & subfolder names (folders only)Read
Read & ExecuteRead + run executables, traverse foldersRead + List
ModifyRead & Execute + edit/delete filesR&E + Write + Delete
Full ControlModify + change permissions + take ownershipEverything
⚠️ Key Insight: The difference between Modify and Full Control is critical. Only Full Control can change the ACL itself.
04

Permission Hierarchy — Building Blocks

Full ControlChange permissions + Take ownership
ModifyEdit + Delete files
Read & ExecuteRun programs + Traverse folders
List Folder ContentsView names in folders
WriteCreate files + Modify attributes
ReadView contents + Read permissions

Each level includes all permissions below it. Full Control is the most powerful.

05

ACLs, ACEs, DACLs & SACLs

Every securable object in Windows has a Security Descriptor containing:

👤

Owner SID

Who owns the object — can always change its permissions

🛡️

DACL

Discretionary ACL — controls who can access the object

📋

SACL

System ACL — controls what gets audited (logged)

ACE = Allow / Deny + Who (User/Group) + What (Permission)
🚫 Deny ALWAYS wins! Deny ACEs are evaluated first — if any match, access is blocked immediately.
06

ACE Examples in Action

RuleTypeWhoWhat
1✔ AllowFinance-StaffRead
2✔ AllowFinance-ManagersFull Control
3✘ DenyInternsWrite
4✘ DenyEngineering-StaffAll Access
DACL = "Who can do what"
Controls access permissions
📋 SACL = "What do we record"
Controls auditing & logging
07

Inheritance: How Permissions Flow

Permissions set on a parent folder automatically flow down to all children. Controlled by inheritance flags:

FlagCodeMeaning
Object Inherit(OI)Inherited by files in child folders
Container Inherit(CI)Inherited by subfolders
Inherit Only(IO)Applies only to children, not the folder itself
⚠️ Breaking inheritance without copying creates a blank ACL — you could lock everyone (including yourself) out permanently!
08

Common Inheritance Combinations

(OI)(CI)

This folder + all subfolders + all files

Most Common
(OI)(CI)(IO)

Subfolders and files only — NOT the folder itself

Partial
(CI)(IO)

Subfolders only — not files, not this folder

Specific
(OI)(IO)

Files only — not subfolders, not this folder

Specific
Copy inherited permissions — safe, start with same then modify
🚫 Remove inherited permissions — dangerous, starts blank
09

Share vs NTFS — "The Two Locks"

Windows has two completely separate permission systems that can apply to the same resource:

🚪

Lock 2: NTFS Permissions

The Office Door

  • Always applies (local + network)
  • 6 levels + special permissions
  • Fine-grained control
  • Full inheritance support
10

Effective Access = Most Restrictive

Over the network, you must pass through both locks. Effective access is always the most restrictive combination.

Share: Full Control+NTFS: Read=Read
Share: Read+NTFS: Full Control=Read
Share: Change+NTFS: Modify=Change ≈ Modify
💡 Best Practice: Set share permissions to "Everyone: Full Control" (wide open gate), then use NTFS for fine-grained control. One set of permissions to manage!

When accessing locally (logged in at the machine), share permissions don't apply — only NTFS matters.

11

Share vs NTFS — Side by Side

FeatureShare PermissionsNTFS Permissions
Applies when?Network access onlyAlways (local + network)
Granularity3 levels6 levels + special permissions
Applied atThe share (folder level only)Any file or folder
Inheritance?No — share-level onlyYes — flows to subfolders/files
Toolnet share, Computer Mgmticacls, Properties → Security
12

Administrative Shares: C$, ADMIN$, IPC$

Windows creates hidden shares automatically (ending with $). They don't show in Network Neighborhood.

C$

Entire C: drive

Remote file system access. Every drive gets one (D$, E$…)

ADMIN$

C:\Windows

Used by PsExec and remote admin tools to push executables

IPC$

Inter-Process Communication

Named pipes, remote management. Used in null session attacks
🚨 Security Risk: If an attacker gets admin credentials, \\target\C$ gives full drive access. Monitor via SACL auditing!
13

Principle of Least Privilege

"Every user, program, and process should have only the minimum permissions necessary to do their job — nothing more."

✅ Good Practices

  • Intern has Read-only access to IT docs
  • Finance-Staff gets Modify on Finance$
  • Only Finance-Managers get Full Control
  • Start with nothing, add only what's needed

❌ Bad Practices

  • Engineering can see Finance share
  • Departed employee still has Modify access
  • Everyone has Full Control on shared drives
  • Service accounts running as Domain Admin
PRESENTATION COMPLETE

Thank You!

Key Takeaways

🔐 NTFS has 6 permission levels — Full Control is the most powerful
🛡️ Deny ACEs always win — evaluated before Allow
🔒 Network access requires passing BOTH Share + NTFS locks
📂 Inheritance flows down — be careful when breaking it
🎯 Always follow the Principle of Least Privilege

LFI Security Hub • Questions?

Use Arrow Keys or click buttons to navigate