System objects, including files and folders, have access control lists (ACLs) comprised of access control entries (ACE) that grant or deny users or groups specific permissions.

Users can be added directly to ACLs, although this is not a scalable solution and should typically not be used except in specific scenarios where you want to severely limit access (by adding a single user rather than an entire group).

User account groups can be added to ACLs, and this method affords the ability to manage permissions through group membership.

User account groups can be added to resource groups, which are groups on the resource itself (such as a file, folder, or printer). Account groups can be added to resource groups, which are then added to ACLs and assigned specific permissions. This is highly scalable, appropriate for large organizations, but is not recommended if permissions change frequently.

Role-based access requires the use of Windows Server 2003 and applications must support this framework. This method provides very granular setting of permissions based on defined roles within an application.

Auditing allows you to monitor access to files, folders, accounts, and objects. You can also audit the use of privileges to ensure that accounts and permissions are being used as intended.

You can restrict Registry access by using group policy, security templates, or editing the Registry.

Files and folders can be encrypted and decrypted on a folder...