NTFS Write-Once Files

for backup purposes I have an external HDD, an I'm on Windows.

What and how should I set (up?) so that files can be written to the drive once but there should be no way they can be deleted or modified? (This is to be a protection against accidental/malicious (=virus) activities. Therefore even admins should be banned from messing with the files once written to the media.) I'm thinking of something like an append-only file system.

Although a set-up-once-and-forget-it scheme would be the best but I'm willing to run a script on each backup operation if that's what it takes.

PS: I have no serious experience with NTFS (not much beyond that of an average user).

There is no such filesystem. Your options are DVD-R or CD-R media or only plug in the HDD when you are backing up. The unplugging option is worse here, the disk is still writable when the disk is plugged in.

Hard disks are read-write medium be definition, and you can't make them write-once media.

In NTFS, WORM behavior is similated using specific ACL entries. For example, you can deny file append by setting the appropriate ACL.

Problem is that any administrators (or use with the required privileges) can simply change the applied ACL and so your read-only file suddenly become writable again.

Unfortunately, a simple USB disk can not work in the way you ask, as a privileged process can do heavy harm to such a disk (for example, it can trigger a USB disk format).