How to Lock Your Files in Windows: Using File and Folder Permissions


 

Normally, we don’t worry about Windows permissions, since the Operating System already takes care of that for us. Each user will have their own set of permissions, preventing unauthorized access to files and folders.

However, there are times when you want to secure certain documents further. Fortunately for us, Windows comes with a feature that lets us manually configure these permissions on specific files and folders to prevent other people from accessing the documents or data. Obviously, this assumes that other “people” also have access to the same computer you’re using.

If not, then you can simply encrypt your hard drive, and that’s pretty much it. However, when you have a computer at home that other users can access, such as family, friends, kids, then the permission feature can come in really handy.

There are other alternatives, such as hiding the files and folders using file attributes, or using the command prompt to hide the data. You can even hide an entire drive in Windows if you like, but that would be for another blog entry.

In this entry, we’ll talk about how you can set permissions for specific files and folders that you want to safeguard.

 

Data Security

The only other time you will need to use folder or file permissions is when you get a Permission Denied error while trying to access data. In that case, you can take ownership of the files that don’t belong to your current user account, and still have access to them.

This is important to note, as it means that setting permissions on a file or folder doesn’t guarantee the security of that file or folder. An administrator on any Windows PC can easily override these permissions by taking ownership of the object, and once you have ownership, you can set your own permissions.


So what does this mean? Basically, if you have sensitive data that you don’t want to share with others, then don’t save it on the computer at all. Or better yet, use encryption tools like TrueCrypt.

Those who are in the know may say TrueCrypt has been discontinued due to its vulnerabilities. However, it has been audited by an independent organization, and Phases I and II have been completed. Thus, you can now use it to secure your data.

It’s important to note, though, that you should only download TrueCrypt 7.1a, as it’s been uploaded to a verified mirror on GitHub. You can also opt for VeraCrypt (TrueCrypt’s successor, which has fixed multiple issues of the latter).

 

File and Folder Permissions

Now that we have Data Security out of the way, let’s talk about permissions in Windows. Each file and folder in Windows comes with its own set of permissions. This can be broken down into Access Control Lists with users and corresponding rights. Here’s an example:

Permissions can also be inherited or not. Normally with Windows, every file or folder gets its permissions from the parent folder. This hierarchy goes all the way up to the root of the hard drive. The simplest set of permissions has entries for at least three users: SYSTEM, the user account currently logged in, and the Administrators group.

You will usually see this set of permissions on the C:\Users\Username folder on the hard drive. Right-click on a file or folder to access these permissions, then choose Properties and click the Security tab. To edit permissions for a specific user, click on that user and choose the Edit button.

 

 Sometimes the permissions are greyed out (like the one above). If this is the case, that means permissions are inherited from the containing folder. You can remove inherited permissions, but before that, let’s first understand the different types of permissions.

 

Permission Types

Six types of Windows permissions:

  • Full Control
  • Modify
  • Read & Execute
  • List Folder Contents
  • Read
  • Write

 

List Folder Contents is the only permission exclusive to folders. There are more advanced permissions, but you don’t have to worry about those.

Here’s a chart of what these permissions can do:

 

Modifying Permissions

Before you can modify the permissions, you need to have ownership of the file or folder. If the files are owned by another user account, or by a system account like Local System or TrustedInstaller, then you won’t be able to modify the permissions.

If you want to be the owner of the file and/or folder, then you can check out our entry on how to take ownership of these documents.

Now that we have the ownership out of the way, here’s how you can edit permissions.


  1. If you set Full Control permissions on the folder for a user, then the user will be able to delete any file or sub-folder, regardless of what permissions you set.
  2. By default, permissions are inherited. Thus, should you want to customize the permissions for any file or folder, you need to disable inheritance first.
  3. Deny permissions override Allow permissions, so make sure you use them sparingly, and preferably only for specific users, not groups.

Right-click on the file or folder, then choose Properties and click the Security tab. Here, you can now edit some permissions. Click the Edit button to get started.

 

From here, you can do two things. First, notice the Allow column is greyed out, and can’t be edited. This is due to the inheritance we talked about earlier.

You can, however, check the items in the Deny column. To block access to a folder for a specific user or group, click the Add button first, then check Deny next to Full Control.

 

Click the Add button and then type the user name or group name into the box. Then, make sure your input is correct by clicking Check Names. If you can’t remember the names (user or group), click the Advanced button, and then click Find Now. This will show you the users and groups.

 

Choose OK to add the user or group to the access control list. From here, you can now choose who to Allow or Deny. As mentioned earlier, it’s best to use the Deny option for specific users, rather than groups.

 

So what if you want to remove a specific user or group from the list? You can do this by removing the user you just added. However, if you try to remove any items that are already there, you will likely get this message:

 

To disable inheritance, you need to go back to the main Security tab for the file or folder, then click the Advanced button.

On Windows 7 computers, you’ll have one extra tab for the Owner. In Windows 10, they simply moved the owner to the top of the dialog, where you can click Change.

For Windows 7, click Change Permissions at the bottom of the first tab.

 

In the Advanced Security Settings, uncheck the box that says Include inheritable permissions from this object’s parent.

Another dialog box will pop up to ask you whether you want to convert the inherited permissions to explicit permissions, or remove all the inherited permissions.

 

Unless you already know exactly what permissions you want, it’s best to choose Add (explicit permissions), then simply remove whatever you don’t want after. By choosing Add, you will keep all similar permissions, but they won’t be greyed out, and you can simply click Remove to delete users or groups. On the other hand, when you choose Remove, it will start off with a clean slate.

Windows 10 is slightly different. When you click the Advanced button, you will have to click Disable Inheritance.

After that, you will see the same set of options as in Windows 7, but in a slightly different form. The Convert option is the same as Add, while the second option is still the Remove button.
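The same steps can be scripted. The PowerShell below is an added example, not part of the original article: it disables inheritance with either the Add/Convert or the Remove choice and then adds a Deny Full Control entry for one account. The function name `Set-ExplicitDeny` and the path and account in the usage line are hypothetical, and the built-in account names assume an English-language Windows.

```powershell
# Added example: scripted form of the Advanced Security Settings steps.
# Set-ExplicitDeny and the sample names in the usage line are hypothetical.
function Set-ExplicitDeny {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Account,   # the user to block
        [switch] $RemoveInherited                   # the dialog's "Remove" choice
    )
    $acl = Get-Acl -LiteralPath $Path

    # First argument: $true disables inheritance on this object.
    # Second argument: $true keeps the inherited entries as explicit ones
    # (Add / Convert), $false drops them (Remove).
    $acl.SetAccessRuleProtection($true, -not $RemoveInherited)

    # Folders pass entries down to their contents; a file cannot carry inheritance flags.
    $inherit = if (Test-Path -LiteralPath $Path -PathType Container) {
        'ContainerInherit,ObjectInherit'
    } else { 'None' }

    if ($RemoveInherited) {
        # Clean slate: put back the three basic entries (SYSTEM, Administrators,
        # current user) so the object is not left with an empty list.
        $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        foreach ($who in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $me) {
            $allow = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $who, 'FullControl', $inherit, 'None', 'Allow')
            $acl.AddAccessRule($allow)
        }
    }

    # Deny Full Control for the one account, as in the dialog walkthrough.
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'FullControl', $inherit, 'None', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Re-read the list; IsInherited should now be False for every entry.
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
}

# Usage (constructed names):
# Set-ExplicitDeny -Path 'C:\Users\Username\Private' -Account 'MYPC\Guest1'
```

Run it as the owner of the file or folder; without `-RemoveInherited` the existing entries are kept and only become editable.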

 

Now, the only thing left that you need to know is the Effective Permissions or Effective Access tab.

For the example above, the user has Full Control. Adding another item to the list will deny Full Control to the users in the group.

 

The problem with this is that the user account is also part of the group. Basically, it has Full Control in one permission entry, and a denied permission in the other. So which one will prevail? As mentioned earlier, Deny will always override the Allow. However, this can also be manually confirmed.

Click Advanced and head to Effective Permissions or Effective Access tab. For Windows 7, choose Select button and then type in the user or group name. For Windows 10 on the other hand, choose Select a user link.

For Windows 7, once you have chosen the user, it will quickly show the permission in the list box. All of the permissions are unchecked, which makes sense.

 

For Windows 10, you have to choose View effective access after you have chosen the user. You will see a red X mark for no access, and green check mark for allowed access.
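The check the Effective Access tab performs can be approximated in a script. The PowerShell below is an added example, not part of the original article: it walks the access control list in the order Windows stores it, where explicit Deny entries sit ahead of Allow entries, which is why the Deny wins in the user-plus-group case above. The function name `Get-SimpleEffectiveAccess` is hypothetical, and the walk is simplified: it ignores the owner's implicit rights, privileges, and share permissions.

```powershell
# Added example: simplified, ordered walk over an access control list.
# Get-SimpleEffectiveAccess is a hypothetical name; the result is an approximation.
function Get-SimpleEffectiveAccess {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Sid     # user SID plus the SIDs of its groups
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # $true, $true = include explicit and inherited entries, identities as SIDs
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    $granted = 0
    $denied  = 0
    foreach ($rule in $rules) {
        # Only entries naming the user or one of the user's groups count.
        if ($Sid -notcontains $rule.IdentityReference.Value) { continue }
        # Inherit-only entries apply to children, not to this object.
        if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }

        $bits = [int]$rule.FileSystemRights
        if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            # A Deny blocks every right that no earlier entry has granted.
            $denied = $denied -bor ($bits -band (-bnot $granted))
        } else {
            # An Allow grants every right that no earlier entry has denied.
            $granted = $granted -bor ($bits -band (-bnot $denied))
        }
    }

    # Report against the basic permission types from the Security tab.
    foreach ($name in 'FullControl', 'Modify', 'ReadAndExecute', 'Read', 'Write') {
        $mask = [int][System.Security.AccessControl.FileSystemRights]$name
        [pscustomobject]@{ Permission = $name; Allowed = (($granted -band $mask) -eq $mask) }
    }
}

# Check the current user against their own profile folder.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
Get-SimpleEffectiveAccess -Path $env:USERPROFILE -Sid $sids
```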

 

Now that you understand file and folder permissions, it only takes a bit of playing around to familiarize yourself with this feature.

Understand that you have to be the owner before you can edit permissions. Any administrator can take ownership of any files and folders, regardless of the permissions of these objects.

For more computer tips, check out Dual Monitors Guide today!

 
