Introduction to SMB File Shares and NTFS Permissions on Windows Server 2019
SMB (Server Message Block) file sharing is the foundation of Windows file services. Windows Server 2019 uses SMB 3.1.1 — the latest protocol version — which includes AES-128-GCM encryption, pre-authentication integrity checking, and improved performance. Combined with NTFS permissions (the access control system built into the NTFS file system), SMB provides a secure, flexible, and scalable file sharing platform used in virtually every Windows-based organisation.
Understanding both SMB share permissions and NTFS permissions is critical because access to a shared file is governed by the more restrictive of the two. For example, if an SMB share gives Everyone Full Control but NTFS only allows Administrators to write, then standard users will be blocked from writing even though the share permits it. The recommended practice is to grant Everyone Full Control at the SMB level and apply all access restrictions through NTFS permissions.
Creating an SMB Share with PowerShell
First create the folder that will be shared:
New-Item -Path "D:\Shares\Projects" -ItemType Directory
Create an SMB share with basic settings:
New-SmbShare -Name "Projects" -Path "D:\Shares\Projects" -Description "Project Files Share" -FullAccess "Everyone"
-FullAccess "Everyone" grants Full Control at the share level, leaving the actual access restrictions to NTFS. For more granular share-level access:
New-SmbShare -Name "HR" -Path "D:\Shares\HR" -ChangeAccess "CONTOSO\HR Users" -ReadAccess "CONTOSO\HR Readers" -FullAccess "CONTOSO\Domain Admins" -NoAccess "CONTOSO\Contractors"
Configuring SMB Share Properties
Set share properties such as Access-Based Enumeration (which hides folders a user cannot access), client-side caching, the concurrent user limit and encryption:
Set-SmbShare -Name "Projects" -FolderEnumerationMode AccessBased -CachingMode None -ConcurrentUserLimit 200 -EncryptData $true
Enable SMB encryption on a per-share basis (encrypts data in transit between client and server):
Set-SmbShare -Name "Finance" -EncryptData $true
Enable SMB encryption globally across all shares on the server:
Set-SmbServerConfiguration -EncryptData $true -Force
Setting NTFS Permissions
NTFS permissions are set on the folder using the Set-Acl cmdlet or icacls command. View current NTFS permissions on the folder:
Get-Acl -Path "D:\Shares\Projects" | Format-List
Remove inherited permissions and set explicit permissions using PowerShell:
$folder = "D:\Shares\Projects"
$acl = Get-Acl -Path $folder
# Disable inheritance and discard the inherited entries. Passing $true as the second
# argument would keep them instead, but rules still flagged as inherited cannot be
# removed with RemoveAccessRule before the ACL is written back, so start from a clean slate.
$acl.SetAccessRuleProtection($true, $false)
# Clear all remaining explicit rules
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) } | Out-Null
# Add Administrators - Full Control
$adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($adminRule)
# Add Project Users - Read and Execute
$usersRule = New-Object System.Security.AccessControl.FileSystemAccessRule("CONTOSO\Project Users","ReadAndExecute,Synchronize","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($usersRule)
# Add Project Managers - Modify
$pmRule = New-Object System.Security.AccessControl.FileSystemAccessRule("CONTOSO\Project Managers","Modify","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($pmRule)
Set-Acl -Path $folder -AclObject $acl
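As an added example (not the article's own code), the following script audits every non-administrative share on the server against the pattern described in this and the previous sections: share-level ACL left permissive (no Deny entries), encryption and access-based enumeration switched on, and no NTFS Allow entry that hands write-class rights to a broad principal. The list of broad principals and the set of rights treated as write-class are assumptions you can adjust.

```powershell
# Added example, not the article's own code. Assumes Windows Server 2019 with the SmbShare
# module and local administrator rights. $BroadPrincipals and $WriteClass are assumptions.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
# Any of these bits in an NTFS Allow ACE lets the principal change data or the ACL itself
$WriteClass = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function New-Finding($Share, $Layer, $Principal, $Issue) {
    [pscustomobject]@{ Share = $Share; Layer = $Layer; Principal = $Principal; Issue = $Issue }
}

function Get-SmbShareRiskReport {
    # Skip the hidden administrative shares (C$, ADMIN$, IPC$), which have no path of their own
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        # Share layer: restrictions belong in NTFS, so a Deny here deserves a second look
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccessControlType -eq 'Deny') {
                New-Finding $share.Name 'Share' $ace.AccountName "Deny ACE for $($ace.AccessRight)"
            }
        }
        if (-not $share.EncryptData) {
            New-Finding $share.Name 'Share' '-' 'SMB encryption disabled'
        }
        if ($share.FolderEnumerationMode -ne 'AccessBased') {
            New-Finding $share.Name 'Share' '-' 'Access-based enumeration off'
        }
        # NTFS layer: the effective access is the more restrictive of the two layers, so a
        # broad principal with write-class rights here is what actually exposes the data
        $acl = Get-Acl -LiteralPath $share.Path
        foreach ($rule in $acl.Access) {
            $rights = $rule.FileSystemRights
            if ($rule.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $rule.IdentityReference.Value -and
                ([int]$rights -band [int]$WriteClass) -ne 0) {
                New-Finding $share.Name 'NTFS' $rule.IdentityReference.Value "Broad principal holds $rights"
            }
        }
    }
}

Get-SmbShareRiskReport | Sort-Object Share, Layer | Format-Table -AutoSize
```

An empty table means every share matches the pattern; each row is one deviation to review, not necessarily a fault, since a deliberately public drop folder will show up as well.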
Using icacls for NTFS Permission Management
The icacls command-line tool provides a quick way to manage NTFS permissions. Grant Modify permission to a user:
icacls "D:\Shares\Projects" /grant "CONTOSO\JohnSmith:(OI)(CI)M"
Where OI = Object Inherit, CI = Container Inherit, M = Modify. Other permission letters: F (Full Control), R (Read), W (Write), RX (Read and Execute), D (Delete).
Remove a user’s permissions:
icacls "D:\Shares\Projects" /remove "CONTOSO\JohnSmith"
Reset permissions to inherit from parent:
icacls "D:\Shares\Projects" /reset /T
View current permissions:
icacls "D:\Shares\Projects"
Enabling SMB Auditing
Enable file system auditing to track access to shared files. First, enable the Object Access > File System audit subcategory, either through Group Policy (Advanced Audit Policy Configuration) or directly with auditpol:
auditpol /set /subcategory:"File System" /success:enable /failure:enable
Then configure NTFS audit rules on the folder:
$acl = Get-Acl "D:\Shares\Finance"
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone","Delete,DeleteSubdirectoriesAndFiles","ContainerInherit,ObjectInherit","None","Success,Failure")
$acl.AddAuditRule($auditRule)
Set-Acl "D:\Shares\Finance" $acl
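Once the audit rule above is in place, the resulting object-access events (Event ID 4663) can be reviewed. As an added example (not the article's own code), this script reads the Security log, keeps only delete-class accesses under the Finance share, and summarises them by user; the share path and the 24-hour look-back window are assumptions.

```powershell
# Added example, not the article's own code. Assumes the auditpol setting and the Delete
# audit rule from this section are in place and that the script runs with rights to read
# the Security log. $SharePath and the default look-back window are assumptions.
$SharePath  = 'D:\Shares\Finance'
$DeleteMask = 0x10000 -bor 0x40   # DELETE (0x10000) and FILE_DELETE_CHILD (0x40)

function Get-ShareDeleteAudit {
    param([string]$Path, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent reports "no events found" as an error; treat that as an empty result
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields (SubjectUserName, ObjectName, AccessMask, ...) out of the XML
        $data = @{}
        foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        if (-not $data.ObjectName) { continue }
        if (-not $data.ObjectName.StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)) { continue }
        # AccessMask is a hex string such as "0x10000"; keep only delete-class accesses
        if (([int]$data.AccessMask -band $DeleteMask) -eq 0) { continue }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object     = $data.ObjectName
            Process    = $data.ProcessName
            AccessMask = $data.AccessMask
        }
    }
}

# Who deleted the most under the share in the window, then the individual events in order
$deletes = Get-ShareDeleteAudit -Path $SharePath
$deletes | Group-Object User | Sort-Object Count -Descending | Select-Object Count, Name
$deletes | Sort-Object Time | Format-Table Time, User, Object, Process -AutoSize
```

Because the SACL audits Success as well as Failure, a burst of entries from one account with a non-Explorer process name is the pattern worth following up; extend the filter hashtable if you want only failures.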
Audit events appear in the Security event log (Event ID 4663 for object access). View share access statistics and open files:
Get-SmbOpenFile | Select ClientUserName, ClientComputerName, Path
Get-SmbSession | Select ClientUserName, ClientComputerName, NumOpens
Close all open files from a specific user:
Get-SmbOpenFile | Where-Object {$_.ClientUserName -like "*JohnSmith*"} | Close-SmbOpenFile -Force