How to Configure SMB File Shares and NTFS Permissions on Windows Server 2016
Server Message Block (SMB) is the primary file sharing protocol used in Windows environments, and NTFS (New Technology File System) permissions provide granular access control to files and folders on Windows volumes. Understanding how to correctly configure both SMB share permissions and NTFS permissions is essential for securing data on Windows Server 2016 file servers. The two permission systems work together: when a user accesses a file over the network, the effective permission is the more restrictive of the SMB share permission and the NTFS permission.
Understanding the Permission Layers
SMB share permissions control access at the share level and only apply when accessing files over the network. They are coarse-grained and offer three levels: Full Control, Change, and Read. NTFS permissions are more granular, applying both for local and network access, and allow precise control over who can read, write, execute, delete, and manage individual files and folders. The recommended approach is to set the SMB share permission to Full Control for the Everyone group (or Authenticated Users) and then use NTFS permissions to enforce the actual access control policy.
Step 1: Create the Folder Structure
Plan and create your folder hierarchy before creating shares. A well-structured folder layout with separate folders per department or project makes permission management much more straightforward:
New-Item -ItemType Directory -Path "D:\FileShares\Finance\Reports"
New-Item -ItemType Directory -Path "D:\FileShares\Finance\Invoices"
New-Item -ItemType Directory -Path "D:\FileShares\HR\Policies"
New-Item -ItemType Directory -Path "D:\FileShares\IT\Scripts"
Step 2: Install the File Server Role
Install the File Server role service to get the full management capabilities and best SMB performance:
Install-WindowsFeature -Name FS-FileServer -IncludeManagementTools
Step 3: Create SMB Shares
Create shared folders using the New-SmbShare cmdlet. Set the share-level permission to Full Control for Authenticated Users, then rely on NTFS permissions for access control:
New-SmbShare -Name "Finance" -Path "D:\FileShares\Finance" -FullAccess "Authenticated Users" -Description "Finance Department Share" -FolderEnumerationMode AccessBased
New-SmbShare -Name "HR" -Path "D:\FileShares\HR" -FullAccess "Authenticated Users" -Description "Human Resources Share" -FolderEnumerationMode AccessBased
The -FolderEnumerationMode AccessBased setting enables Access-Based Enumeration (ABE), which hides folders and files that users do not have permission to access, improving the user experience and security by not revealing the existence of restricted content.
Step 4: Disable Inheritance and Clean Up Default Permissions
Before setting custom NTFS permissions, disable inheritance on the share root folder to prevent parent folder permissions from flowing down. Disabling inheritance keeps copies of the inherited entries as explicit entries; remove the ones you do not want (such as BUILTIN\Users) to start with a clean slate:
# Get the ACL for the Finance folder
$acl = Get-Acl -Path "D:\FileShares\Finance"
# Disable inheritance and keep the inherited entries as explicit copies
$acl.SetAccessRuleProtection($true, $true)
# Apply the change
Set-Acl -Path "D:\FileShares\Finance" -AclObject $acl
# Re-read the ACL so the copied entries are seen as explicit; PurgeAccessRules ignores entries still flagged as inherited
$acl = Get-Acl -Path "D:\FileShares\Finance"
# Remove the broad BUILTIN\Users entry copied from the parent
$Users = [System.Security.Principal.NTAccount]"BUILTIN\Users"
$acl.PurgeAccessRules($Users)
Set-Acl -Path "D:\FileShares\Finance" -AclObject $acl
Step 5: Configure NTFS Permissions Using Active Directory Groups
Always assign NTFS permissions to Active Directory security groups, never to individual user accounts. This makes permission management scalable and auditable. Create groups such as Finance-ReadOnly, Finance-Contribute, and Finance-FullControl in Active Directory, then assign permissions:
# Grant read-only access to the Finance-ReadOnly group
$acl = Get-Acl -Path "D:\FileShares\Finance"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\Finance-ReadOnly","ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path "D:\FileShares\Finance" -AclObject $acl
# Grant modify (contribute) access to the Finance-Contribute group
$rule2 = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\Finance-Contribute","Modify","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule2)
Set-Acl -Path "D:\FileShares\Finance" -AclObject $acl
# Grant full control to the Finance-FullControl group
$rule3 = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\Finance-FullControl","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule3)
Set-Acl -Path "D:\FileShares\Finance" -AclObject $acl
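The following function is an added example, not part of the original guide, that applies Steps 1, 3, 4 and 5 to any department in one idempotent call. It assumes the share root D:\FileShares, the NetBIOS domain name DOMAIN, and that the groups DOMAIN\<Department>-ReadOnly, -Contribute and -FullControl already exist.

```powershell
# Added example (not from the original guide). Assumed values: $Root, $Domain and
# the three role groups per department, which must already exist in Active Directory.
function New-DepartmentShare {
    param(
        [Parameter(Mandatory)] [string]$Department,
        [string]$Root   = "D:\FileShares",
        [string]$Domain = "DOMAIN"
    )
    $path = Join-Path $Root $Department
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

    # Share level: Authenticated Users get Full Control, ABE hides what NTFS denies
    if (-not (Get-SmbShare -Name $Department -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $Department -Path $path -FullAccess "Authenticated Users" -Description "$Department Department Share" -FolderEnumerationMode AccessBased | Out-Null
    }

    # Break inheritance, keeping the inherited ACEs as explicit copies, and write it
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $path -AclObject $acl

    # Re-read: the copies are now explicit, so the broad BUILTIN\Users entry can be purged
    $acl = Get-Acl -Path $path
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]"BUILTIN\Users")

    # One inheritable ACE per role group; inheritance flags push it to all children
    $roles = @{ ReadOnly = "ReadAndExecute"; Contribute = "Modify"; FullControl = "FullControl" }
    foreach ($role in $roles.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$Domain\$Department-$role", $roles[$role], "ContainerInherit,ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
}

New-DepartmentShare -Department "Finance"
New-DepartmentShare -Department "HR"
```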
Step 6: Configure SMB Encryption and Signing
Windows Server 2016 supports SMB 3.1.1 with encryption, which protects data in transit without requiring IPsec. Enable SMB encryption on sensitive shares:
# Enable encryption on a specific share (-Force suppresses the confirmation prompt)
Set-SmbShare -Name "Finance" -EncryptData $true -Force
# Enable SMB signing on the server (prevents tampering)
Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Confirm:$false
Step 7: Verify and Audit Share Permissions
Review the configured share and NTFS permissions to confirm they are correct before going live:
# View SMB share permissions
Get-SmbShareAccess -Name "Finance"
# View NTFS permissions
Get-Acl -Path "D:\FileShares\Finance" | Format-List
# List all shares with their properties
Get-SmbShare | Select-Object Name, Path, EncryptData, FolderEnumerationMode
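Beyond eyeballing the output, the check below, an added example that is not part of the original guide, walks every share under the share root and reports deviations from the pattern in this guide: ABE or encryption off, share ACEs for anything other than Authenticated Users, NTFS inheritance still enabled, broad NTFS entries for Everyone or BUILTIN\Users, and NTFS entries granted directly to a user account instead of a group. It assumes the root D:\FileShares and the NetBIOS domain DOMAIN, and resolves names through ADSI so it needs no RSAT module.

```powershell
# Added example (not from the original guide). $Root and $Domain are assumed values.
function Test-ShareBaseline {
    param([string]$Root = "D:\FileShares", [string]$Domain = "DOMAIN")
    $findings = @()
    # Admin shares (C$, ADMIN$, IPC$) fall outside $Root and are skipped
    foreach ($share in (Get-SmbShare | Where-Object { $_.Path -like "$Root\*" })) {
        $n = $share.Name
        if ($share.FolderEnumerationMode -ne 'AccessBased') { $findings += "[$n] Access-Based Enumeration is off" }
        if (-not $share.EncryptData) { $findings += "[$n] SMB encryption is off" }

        # Share-level ACL: the guide grants only Authenticated Users
        foreach ($ace in Get-SmbShareAccess -Name $n) {
            if ($ace.AccountName -notlike '*Authenticated Users') {
                $findings += "[$n] unexpected share ACE: $($ace.AccountName) $($ace.AccessControlType)/$($ace.AccessRight)"
            }
        }

        # NTFS ACL: inheritance must be broken and ACEs must point at domain groups
        $acl = Get-Acl -Path $share.Path
        if (-not $acl.AreAccessRulesProtected) { $findings += "[$n] NTFS inheritance still enabled on $($share.Path)" }
        foreach ($rule in $acl.Access) {
            $id = $rule.IdentityReference.Value
            if ($id -eq 'BUILTIN\Users' -or $id -eq 'Everyone') {
                $findings += "[$n] broad NTFS ACE for $id ($($rule.FileSystemRights))"
            } elseif ($id -like "$Domain\*") {
                # A person object behind the SAM name means the group-only rule was broken
                $sam = $id.Split('\')[1]
                $hit = ([adsisearcher]"(&(objectCategory=person)(sAMAccountName=$sam))").FindOne()
                if ($hit) { $findings += "[$n] NTFS ACE granted directly to user $id" }
            }
        }
    }
    return $findings
}

Test-ShareBaseline | ForEach-Object { Write-Warning $_ }
```

An empty result means every share under the root matches the baseline; run it after Step 6 so the encryption check reflects the final state.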
Step 8: Enable File Auditing
Enable object access auditing to log file and folder access events. First, configure the audit policy:
auditpol /set /subcategory:"File System" /success:enable /failure:enable
Then enable auditing on specific folders through the NTFS audit settings (the folder's system access control list, or SACL). This example records failed delete attempts by anyone, inherited by all subfolders and files:
$acl = Get-Acl -Path "D:\FileShares\Finance"
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone","Delete,DeleteSubdirectoriesAndFiles","ContainerInherit,ObjectInherit","None","Failure")
$acl.SetAuditRule($auditRule)
Set-Acl -Path "D:\FileShares\Finance" -AclObject $acl
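Audit entries are only useful if someone reads them. The function below is an added example, not part of the original guide; it pulls the object-access events that the audit policy and SACL above produce (4656, a handle request, logged as an audit failure when access is denied; 4663, an object access) from the Security log, keeps only those under the share root, and summarises failed attempts per user and object. It assumes the root D:\FileShares and a 24-hour window.

```powershell
# Added example (not from the original guide). $Root and $Hours are assumed values.
function Get-FileShareAuditEvents {
    param([string]$Root = "D:\FileShares", [int]$Hours = 24)
    # 4656 = handle to an object requested, 4663 = object accessed; both carry
    # SubjectUserName, ObjectName, AccessList and ProcessName in EventData
    $filter = @{ LogName = 'Security'; Id = 4656, 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectName'] -notlike "$Root\*") { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Outcome = ($e.KeywordsDisplayNames -join ',')   # "Audit Success" / "Audit Failure"
            User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object  = $data['ObjectName']
            Access  = (($data['AccessList'] -replace '\s+', ' ')).Trim()
            Process = $data['ProcessName']
        }
    }
}

# Failed attempts grouped by user and object, most frequent first
Get-FileShareAuditEvents |
    Where-Object { $_.Outcome -like '*Failure*' } |
    Group-Object User, Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Reading the Security log requires an elevated session; the AccessList values are the %%-prefixed access-right tokens Windows uses in these events, which the Event Viewer resolves to names.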
Properly layered SMB and NTFS permissions on Windows Server 2016 ensure that users can access only the data they are authorised to see, while encryption and signing protect the integrity and confidentiality of data as it travels over the network.