You can set NTFS security via group policies.
This has two majoor advantages. First, even if someone changes the settings localy, they are reset to the GPO settings whenever group policy is refreshed. Second, by using GPO you can set the NTFS permissions for multiple machines in one simple step.
Furthermore, by using the policy templates provided by Microsoft, you can also set extra security settings on system drives and the registry.
So how do you do it?
Open the MMC plug-in "Security Configuration and Analysis" or use the "users and computers" plug-in, selecting the GPO for a specifiec OU.
You should do this on a server which has the directories or partition you want to secure!
To add a specific NTFS setting go to:
Computer configuration, Security Settings, File System.
Right click "File System" and select "add file." Choose the path to the partitiondirectoryfile.
Next, select the users and permission you wan't to set.
Then choose how this policy should be set. You can choose to either:
A. Propagate inheritable permissions to all subfolders and files. This will change all current NTFS permissions.
B. Replace existing permissions on all subfolders and files with inheritable permissions. This will change permissions only on those files which inherit their permissions from the current folder.
C. Do not allow permissions on this file or folder to be replaced.
Close and save the Group Policy. Once the machine policy is reapplied (every 15 minutes or so or after a reboot, the new settings will be set.
You can also manually apply the policy by typing the following command at the command prompt:
"secedit /refreshpolicy machine_policy"