How can I set the NTFS permissions on a folder for a WORM like behaviour

ntfs permissions

You can set permissions to allow this, but you're probably going to find that you're not happy with the result. (I have yet to ever configure this for a Customer who has requested it and not had to go change it a few days later.)

In particular, some programs (Microsoft Word is a good example) assume that they can write files under one name, then rename them after writing. Other programs create the file, close the file, then re-open it for writing again. When such a program tries to write to a directory with permissions like you describe you'll find that things break.

If you're just going to copy files into such a directory, you might have better luck.

Let's assume that you want "Authenticated Users" to be able to do this. You'll need to use the "Advanced" ACL editor to add the last permission:

SYSTEM - Full Control - Apply onto: This folder, subfolders, and files
Administrators - Full Control - Apply onto: This folder, subfolders, and files
Authenticated Users - Read - Apply onto: This folder, subfolders, and files
Authenticated Users - Create Files / Write Data - Apply onto: This folder and subfolders

This will allow "Authenticated Users" to create new files, but they won't be able to modify files they just created. (Obviously, members of SYSTEM and Administrators will be able to manipulate these files.)


Evan's answer was very helpful. Here, I've written a powershell script to reduce it to practice.

$worm="C:\WORM"
mkdir -Force $worm
cd $worm

<#  https://serverfault.com/a/17869

SYSTEM - Full Control - Apply onto: This folder, subfolders, and files
Administrators - Full Control - Apply onto: This folder, subfolders, and files
Authenticated Users - Read - Apply onto: This folder, subfolders, and files
Authenticated Users - Create Files / Write Data - Apply onto: This folder and subfolders

#>

$acl  = Get-Acl $worm
$ace1 = New-Object Security.AccessControl.FileSystemAccessRule 'Users', `
        'CreateDirectories, CreateFiles, ListDirectory, Read', `
        'ContainerInherit, ObjectInherit', `
        'None', `
        'Allow'
$acl.AddAccessRule($ace1)
Set-Acl -AclObject $acl -Path $worm

$acl  = Get-Acl $worm
$ace1 = New-Object Security.AccessControl.FileSystemAccessRule 'Users', `
        'DeleteSubdirectoriesAndFiles,Delete', `
        'ContainerInherit, ObjectInherit', `
        'None', `
        'Deny'
$acl.AddAccessRule($ace1)
Set-Acl -AclObject $acl -Path $worm

$acl  = Get-Acl $worm
$ace1 = New-Object Security.AccessControl.FileSystemAccessRule 'Users', `
        'WriteData', `
        'ObjectInherit', `
        'InheritOnly', `
        'Deny'
$acl.AddAccessRule($ace1)
Set-Acl -AclObject $acl -Path $worm

Related

Ganglia without multicast
How can I uprade my software RAID1 set of drives?
Logs: "Received disconnect from..." without the "Accepted" couterpart
please demystify the 10Gb ethernet interfaces, cables
Postgres connection establishment slow
Is there a way to configure bash to always page output?
How do you override a GPO with another GPO?
Windows 10 circumvents WSUS
Anaconda kickstart and rootpw option
AWS StrongSwan IPSec VPN
Debugging client certificate issues on IIS
Is it possible to use Linux as a Fibre Channel Raid Disk Box?