Securing Files with NTFS

Use NTFS to specify who is allowed to write to files and directories. In this way, you can often prevent hackers from modifying pages in your website.

If your website is not currently on an NTFS partition (e.g. it is currently on a FAT or FAT32 partition), you can use the convert.exe program that comes with Win2K to convert your partition to NTFS. It is strongly recommended that you keep all web and ftp sites on NTFS partitions with appropriate permissions.

To better secure your web pages from hackers, do the following:
  • 1.) On the server, use Explorer to navigate to your web directory.

  • 2.) Right click on the web directory, and choose "Properties" as shown in the figure.

Directory Properties


  • 3.) Click on the "Security" Tab, and then click on "Add".

Security Tab


  • 4.) In the ensuing dialog, click on "Administrators" and then click on the "Add" button. (Note that you may have to make a selection in the "Look In" combo box first.). Click on the "OK" button.

Select Administrators


  • 5.) Click on the "Full Control" checkbox as shown in the figure. This gives administrators (probably you), full control over these files.

    Full Control for Administrators


  • 6.) At the bottom of this dialog is a checkbox that says "Allow inheritable permissions from parent to propagate to this object". Clear this checkbox, and choose "Copy" as shown in the figure.

    Copy Permissions


  • 7.) Click on the "Everyone" group, and then clear the "Full Control", "Modify", and "Write" checkboxes.

    Everyone Permissions


    At this point, Administrators can do anything (write, delete, modify) to these files, while Everyone (and in particular, your web visitors) can read files, but cannot modify the files in any way. This protects you from hackers modifying your web pages (unless one of the Administrator's accounts is compromised) .

    Additionally, you should consider adding Modify permissions for the web developers in your enterprise.

Problems, Comments, Suggestions? Click here to contact Greg Thatcher

Please read my Disclaimer





Copyright (c) 2013 Thatcher Development Software, LLC. All rights reserved. No claim to original U.S. Gov't works.