Windows File Share Permissions – Allow: Read, Write, Delete – Deny: List

Let’s say you have an application that has a flat file repository for files attached to records. In other words, the application uses a simple Windows share for its file repository. And all users of this application need the ability to read, write, and delete files in this directory, but given the sensitive nature of some of these files, you don’t want users to be able to browse to this directory and see a list of files. Users will only have access to the files in this repository via record access within the application. This of course is a horrible way to do things, but you are at the mercy of the application.

To set up permissions for a Windows share so that users can read, write, and delete files in that share, but not list the contents, you will need to configure share permissions along with two “Special” folder security permissions.

Note: With this method, users who know (or can guess) a file name can still open, overwrite, and delete that file by path; they simply cannot get a directory listing. Only the file names are hidden, not the data. Also note that no explicit Deny entry is involved: listing is withheld purely by leaving “List folder / read data” out of the folder’s own permissions, so any other entry that later grants that right to one of the user’s groups will quietly restore browsing.

These directions assume all users of this application are members of an example group called “Application Users.” Obviously you can use whatever group you want.

  1. Create a folder and go to its Properties and then to the Sharing tab and then go to Advanced Sharing. Assign the “Application Users” group “Change” and “Read” share permissions.
  2. Go to the Security tab, then Advanced, then Edit, and uncheck “Include inheritable permissions from this object’s parent.” When prompted, choose Remove (not Add/Copy) so the folder starts with an empty permission list. At this point, you may want to add an administrator group like “Domain Admins” and assign Full Control for administrative purposes.
  3. Assign the first Special security permission by clicking Add, select the “Application Users” group, configure “Apply to” so that it applies to “This folder, subfolders, and files,” and then check the following permissions:
    – Traverse folder / execute file
    – Read attributes
    – Read extended attributes
    – Create files / write data
    – Create folders / append data
    – Write attributes
    – Write extended attributes
    – Delete
    – Read permissions
  4. Assign the second Special security permission by clicking Add, select the “Application Users” group, configure “Apply to” so that it applies to “Files only,” and then check the following permission only:
    – List folder / read data
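The same four steps can be scripted instead of clicked through. The following is an added example, not part of the original post; it uses the built-in `New-SmbShare`, `Get-Acl`/`Set-Acl` cmdlets and the .NET `FileSystemAccessRule` class, and the folder path, share name, domain and group names are placeholders you would replace with your own. Run it elevated on the file server.

```powershell
# Added example (not from the original post): the same configuration done with
# PowerShell instead of the Properties dialog. Run elevated on the file server.
# Assumptions: $Path, $ShareName, $Users and $Admins are placeholders.
$Path      = 'D:\AppRepo'
$ShareName = 'AppRepo'
$Users     = 'CONTOSO\Application Users'
$Admins    = 'CONTOSO\Domain Admins'

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# Step 1: share permissions. "Change" (which includes "Read") for the users,
# Full Control for the administrators.
New-SmbShare -Name $ShareName -Path $Path -ChangeAccess $Users -FullAccess $Admins | Out-Null

# Step 2: NTFS permissions. Break inheritance without copying the inherited
# entries, then drop any explicit entries so the DACL starts empty.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($rule) | Out-Null
}
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $Admins, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'))

# Step 3: first special entry, applied to "This folder, subfolders, and files"
# (ContainerInherit + ObjectInherit, no InheritOnly). "List folder / read data"
# (ReadData) is deliberately absent: on a folder that bit is the right to
# enumerate it. Synchronize is the bit the GUI adds silently; without it a
# handle to the folder or file cannot be opened at all.
$folderRights = [System.Security.AccessControl.FileSystemRights](
    'Traverse, ReadAttributes, ReadExtendedAttributes, CreateFiles, ' +
    'CreateDirectories, WriteAttributes, WriteExtendedAttributes, Delete, ' +
    'ReadPermissions, Synchronize')
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $Users, $folderRights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'))

# Step 4: second special entry, applied to "Files only" (ObjectInherit +
# InheritOnly). On a file the very same ReadData bit means "read the contents",
# so users can open a file whose name they already know, but the entry never
# lands on the folder itself and therefore never grants enumeration.
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $Users, 'ReadData', 'ObjectInherit', 'InheritOnly', 'Allow'))

Set-Acl -Path $Path -AclObject $acl

# Show the resulting DACL. icacls marks the first user entry (OI)(CI) and the
# second (OI)(IO); the latter is the files-only entry.
icacls $Path
```

To check the result from a workstation, sign in as a member of the users group and run `Get-ChildItem \\server\AppRepo` (should fail with access denied) and `Get-Content \\server\AppRepo\<known-file-name>` (should succeed). One detail worth knowing: because the first entry applies to “This folder” as well, it grants Delete on the repository folder itself; NTFS only allows an empty directory to be removed, so this is harmless while the repository holds files, but it is a reason to keep the share root one level above anything a user would ever be able to empty.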

Now users can read, write, and delete files in this share, but they cannot browse its contents. They can still browse to the server and see the share name, but opening the share itself fails with a “Network Error” stating that Windows cannot access the share because they do not have permission. The same applies to any subfolder the application creates, since the first permission entry is inherited by subfolders without “List folder / read data.”
