Editing NTFS (section)
== Security ==
NTFS uses [[access control list]]s and user-level encryption to help secure user data.

=== Access control lists (ACLs) ===
[[File:NTPermissions.png|thumb|right|200px|NTFS file system permissions on a modern [[Windows]] system]]
In NTFS, each file or folder is assigned a [[security descriptor]] that defines its owner and contains two [[access control list]]s (ACLs). The first ACL, the [[discretionary access control]] list (DACL), defines exactly which types of interaction (e.g. reading, writing, executing or deleting) are allowed or denied to which users or groups of users. For example, files in the {{code|C:\Program Files}} folder may be read and executed by all users but modified only by a user holding administrative privileges.<ref name=":0">{{cite web |url= https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc781716(v=ws.10)|title= How Security Descriptors and Access Control Lists Work|access-date= 4 September 2015|website= [[Microsoft Learn]]|date= 8 October 2009|publisher= [[Microsoft]]}}</ref> Windows Vista adds [[mandatory access control]] information to DACLs. DACLs are the primary focus of [[User Account Control]] in [[Windows Vista]] and later. The second ACL, the system access control list (SACL), defines which interactions with the file or folder are to be audited, and whether they should be logged when the activity succeeds, fails or both.
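The two lists described above can be read and edited from PowerShell through the .NET `FileSecurity` object that `Get-Acl` returns. The following is an added example, not code from the article: it reads a file's owner, DACL and SACL, replaces the DACL with an explicit allow list, and adds a SACL entry so that delete attempts are audited. It assumes Windows PowerShell 5.1 or later in an elevated session (reading or writing a SACL needs SeSecurityPrivilege); the path and the CONTOSO\Finance group are placeholders.

```powershell
# Added example, not from the article: inspect a file's security descriptor, replace its
# DACL with an explicit allow list, and add a SACL entry so delete attempts are audited.
# Assumes Windows PowerShell 5.1+ in an elevated session (the SACL needs SeSecurityPrivilege).
# The path and the CONTOSO\Finance group are placeholders.
$path = 'C:\Sensitive\budget.xlsx'

# 1. Read owner, DACL (.Access) and SACL (.Audit) from the security descriptor.
$acl = Get-Acl -Path $path -Audit
"Owner: $($acl.Owner)"
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
$acl.Audit  | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 2. DACL: stop inheriting from the parent folder, drop the inherited ACEs, clear any explicit
#    leftovers, then grant exactly what is needed. SYSTEM and Administrators stay in so the
#    file remains manageable; Finance gets read and execute only.
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)
}
$rules = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    'FullControl',    'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl',    'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('CONTOSO\Finance',        'ReadAndExecute', 'Allow')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }

# 3. SACL: audit every Delete attempt by anyone, whether it succeeds or fails.
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'Delete', 'Success, Failure')
$acl.AddAuditRule($auditRule)

# 4. Write the descriptor back. The SACL only yields Security-log events once the
#    "File System" object-access subcategory is enabled on the machine, e.g.:
#    auditpol /set /subcategory:"File System" /success:enable /failure:enable
Set-Acl -Path $path -AclObject $acl

# 5. Re-read to confirm the effective entries.
Get-Acl -Path $path -Audit | Select-Object Owner, AccessToString, AuditToString
```

The order matters: protecting the DACL before adding rules avoids a window in which the new explicit entries coexist with the broader inherited ones, and the SACL is only useful once the audit policy that consumes it is switched on.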
For example, auditing can be enabled on a company's sensitive files so that its managers learn when someone tries to delete or copy them, and whether the attempt succeeded.<ref name=":0"/>

=== Encryption ===
{{Main|Encrypting File System}}
[[Encrypting File System]] (EFS) provides user-transparent encryption of any file or folder on an NTFS volume.<ref>{{cite web |url=https://learn.microsoft.com/en-us/previous-versions/technet-magazine/cc162507(v=msdn.10) |title=Security Watch Deploying EFS: Part 1 |first=John |last=Morello |work=Technet Magazine |publisher=[[Microsoft]] |date=February 2007 |access-date=2025-01-25}}</ref> EFS works in conjunction with the EFS service, Microsoft's [[Cryptographic Application Programming Interface|CryptoAPI]] and the EFS File System Run-Time Library (FSRTL). EFS encrypts a file with a bulk [[symmetric key algorithm|symmetric key]] (also known as the File Encryption Key, or FEK), chosen because a symmetric cipher encrypts and decrypts large amounts of data much faster than an [[asymmetric key algorithm|asymmetric key]] cipher would. The symmetric key used to encrypt the file is then encrypted with a [[public key cryptography|public key]] associated with the user who encrypted the file, and this encrypted key is stored in an alternate data stream of the encrypted file. To decrypt the file, the file system uses the user's [[private key]] to decrypt the symmetric key stored in that data stream, and then uses the symmetric key to decrypt the file.
Because this is done at the file system level, it is transparent to the user.<ref>{{cite web |title=How EFS Works|url=https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc962103(v=technet.10)|work=Windows 2000 Server Resource Kit|date=18 July 2012 |publisher=[[Microsoft]]|access-date=25 January 2025}}</ref> In case a user loses access to their key, EFS also supports additional decryption keys, so that a recovery agent can still access the files if needed. NTFS-provided encryption and NTFS-provided compression are mutually exclusive; however, NTFS can be used for one and a third-party tool for the other. EFS is not available in the Basic, Home and MediaCenter editions of Windows, and must be activated after installation of the Professional, Ultimate and Server editions, or by using enterprise deployment tools within Windows domains.
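The key hierarchy described in the two paragraphs above (a per-file symmetric FEK, wrapped once per principal with an asymmetric public key, with a second wrapped copy for a recovery agent) can be modelled directly with .NET primitives. The following is an added example, not code from the article or from Microsoft's EFS implementation: the RSA key pairs, the stream name, the file path and the sample content are all constructed for the demo, and real EFS keeps its metadata in the file's own $EFS attribute and obtains keys from the user's certificate store rather than generating them inline. The path must be on an NTFS volume because the wrapped keys are written to a named (alternate) data stream.

```powershell
# Added example, not from the article or from Microsoft's EFS code: a model of the EFS key
# hierarchy. A random AES-256 key acts as the File Encryption Key (FEK); the file body is
# encrypted with it, and the FEK is wrapped with two RSA public keys, the owning user's and a
# recovery agent's. Both wrapped copies live in a named data stream of the file (NTFS only).
# Key pairs, stream name, path and content are constructed for the demo.
$path  = Join-Path $env:TEMP 'efs-demo.txt'
$plain = [System.Text.Encoding]::UTF8.GetBytes('quarterly numbers (constructed sample)')
[System.IO.File]::WriteAllBytes($path, $plain)

# Long-lived asymmetric keys: one per principal allowed to open the file.
$userKey     = New-Object System.Security.Cryptography.RSACng -ArgumentList 2048
$recoveryKey = New-Object System.Security.Cryptography.RSACng -ArgumentList 2048
$oaep        = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

# Per-file symmetric key (the FEK): bulk encryption is cheap with a symmetric cipher.
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 256
$aes.GenerateKey(); $aes.GenerateIV()
$cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

# Wrap the FEK once per principal; each copy can be unwrapped only with its own private key.
$userCopy     = $userKey.Encrypt($aes.Key, $oaep)      # EFS's data decryption field (DDF)
$recoveryCopy = $recoveryKey.Encrypt($aes.Key, $oaep)  # EFS's data recovery field (DRF)

# Replace the file body with ciphertext; put the IV and both wrapped FEKs in a named stream.
[System.IO.File]::WriteAllBytes($path, $cipher)
$meta = [ordered]@{
    iv       = [Convert]::ToBase64String($aes.IV)
    user     = [Convert]::ToBase64String($userCopy)
    recovery = [Convert]::ToBase64String($recoveryCopy)
} | ConvertTo-Json -Compress
Set-Content -Path $path -Stream 'efs-demo.keys' -Value $meta -NoNewline
Get-Item -Path $path -Stream * | Select-Object Stream, Length   # ':$DATA' plus 'efs-demo.keys'

# Recovery path: the agent unwraps the FEK with its private key, then decrypts the body.
# The user's private key is never needed, and the stored metadata reveals neither key.
$stored = Get-Content -Path $path -Stream 'efs-demo.keys' -Raw | ConvertFrom-Json
$fek    = $recoveryKey.Decrypt([Convert]::FromBase64String($stored.recovery), $oaep)
$aes2 = [System.Security.Cryptography.Aes]::Create()
$aes2.Key = $fek
$aes2.IV  = [Convert]::FromBase64String($stored.iv)
$body      = [System.IO.File]::ReadAllBytes($path)
$recovered = $aes2.CreateDecryptor().TransformFinalBlock($body, 0, $body.Length)
[System.Text.Encoding]::UTF8.GetString($recovered)   # 'quarterly numbers (constructed sample)'
```

Two properties of the model carry over to real deployments: adding a recovery agent costs one extra RSA-wrapped copy of the FEK rather than re-encrypting the file, and whoever holds the recovery agent's private key can open every file it was added to, which is why that key is normally exported and kept offline. The demo provides confidentiality only (AES-CBC with no integrity tag); it is an illustration of the key hierarchy, not a substitute for EFS.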