FILE AND FOLDER SECURITY | Home Networking Annoyances: How to Fix the Most Annoying Things about Your Home Network

USER-LEVEL CONTROLS IN WINDOWS 98SE/ME

The Annoyance:

I want to protect some of the folders on my Windows 98SE computer so that only certain users can access them. The Access Control dialog box offers the option of user-level controls, and has a field for entering the location of the user list. I'm not sure whether to enter the name of the computer or the name of a file. If it's a file of usernames, how do I create it?

The Fix:

I'm assuming your network is a workgroup, not a domain. If you were running a domain (usually found only in business environments), the name of the domain would have been entered automatically in the "Obtain list of users and groups from" field (see Figure 7-7). For workgroups, only the share-level access control option is available.

Here's what's really annoying about this. Even though user-level access controls aren't available for workgroups, Microsoft doesn't make this option inaccessible when a computer is part of a workgroup. wait, I'm not donenot only is the option available, but also, you can enter anything in the field and the system will accept it (and make you reboot the computer to put the new setting into effect). However, after you go through all that, no users will ever be able to access the folder across the network because, of course, the option isn't really available.

Figure 7-7. Windows 98SE and Me computers that log on to a domain instead of a workgroup can limit access to specific users or groups.

Your network is a workgroup, so you're limited to share-level access controls. To protect the files, password-protect the folder and give the password only to those people you want to let into the folder.

DEFAULT PERMISSION OPTIONS FOR SHARE-LEVEL CONTROLS

The Annoyance:

I shared a folder on my Windows 98SE computer. Anyone on the network can open the files in that folder, which is what I intended when I shared it. However, if anyone working on a remote computer, including me, tries to save that file, the system displays an error message. What did I do wrong?

The Fix:

You didn't look carefully at the Sharing dialog box when you created the share. By default, Windows 98SE and Me impose a Read Only access restriction on shared folders. This means files can be read (opened) but not written (saved). If you want remote users to be able to save files, right-click the folder icon and choose Sharing, then select the Full option under Access Type (see Figure 7-8).

Figure 7-8. By default, remote users can see, but not save, files in this folder.

Warning: If you configure a shared folder for read-only access, the restrictions aren't limited to saving a file when you're working in software. Network users can't move or copy files into the folder, either, because there's no write access.

LOCAL USERS DON'T NEED A PASSWORD TO ACCESS A PROTECTED FOLDER

The Annoyance:

On my Windows 98SE computer, I password-protected a folder and didn't give anyone the password. I use the password to work on the files in that folder from another computer on the network. However, anyone who works on the Windows 98SE computer can get into the folder and open the files. The system never asks for a password. What kind of security protection is this?

The Fix:

That's the kind of security protection you have in Windows 98SE and Me. The password-protection feature is only for users who access files across the network. Local users can access anything, anywhere, at any time. If you want to protect files, use the password-protection features in your word processor.

DEFAULT PERMISSION OPTIONS FOR SHARED FOLDERS IN WINDOWS XP

The Annoyance:

I shared a folder on my Windows XP computer by checking the "Share this folder on the network" box. Everybody on the network, including me when I'm working on a remote computer, can open the files in the folder. But nobody can save the files.

The Fix:

By default, when you share a folder for network access, the system makes the folder read-only, which means nobody can write (save) to the folder. If you want to write to the folder, right-click its icon and choose Properties. Click the Sharing tab and check the "Allow network users to change my files" box (see Figure 7-9).

Figure 7-9. You must specifically choose the option to let users change files if you want network users to be able to save files to the folder.

SHARE THE WINDOWS XP SHARED DOCUMENTS FOLDER OVER THE NETWORK

The Annoyance:

I put some documents into the Shared Documents folder for the express purpose of letting everyone share those documents. That way, I can keep all my other folders private. But nobody, not even me, can find the Shared Documents folder when working on another computer on the network.

The Fix:

The Shared Documents folder is designed to let multiple users of the local computer access the documents it contains. It's not a network-based sharing scheme. However, you can share it across the network by right-clicking its icon and selecting Properties from the shortcut menu. Click the Sharing tab and check the "Share this folder on the network" box. To let users make changes to files, check the "Allow network users to change my files" box.

FIND THE SHARED DOCUMENTS FOLDER ON THE NETWORK

The Annoyance:

I shared the Shared Documents folder on the network, but when I'm working on another computer, I can't find it.

The Fix:

This folder has a different name when you access it over the network; it's named Documents.

PRIVATE FOLDER FEATURE IN WINDOWS XP REQUIRES NTFS

The Annoyance:

I want to make some of my folders private, but the "Make this folder private" option isn't available.

The Fix:

Making a folder private is a security feature, and your computer must be running NTFS to have security features available. Apparently, your computer is running the FAT (or FAT32) filesystem. To see which filesystem was used to format your hard drive, right-click My Computer and choose Manage. In the left pane of the Computer Management console window, select Disk Management. The right pane displays information about your hard drive(s), including the filesystem (see Figure 7-10).

Figure 7-10. Only drives formatted with NTFS offer security features.

FAT, FAT32, AND NTFS

A filesystem controls the way an operating system manages files and folders. The filesystem is installed when you format a hard drive, a step that must take place before you can install an operating system. The Windows operating system can run on any of three filesystems: FAT, FAT32, and NTFS.

FAT (along with its slightly more powerful cousin, FAT32) derives its name from the structure the filesystem uses to manage files and foldersthe File Allocation Table. It's just easier to say "FAT filesystem" than "file allocation table filesystem." The file allocation table is an index that tracks the name and location of every file and folder on the drive.

NTFS is called NTFS, and whatever it stood for when it was named has been lost in history. If you ask the people at Microsoft who should know these things, you get the answer "I don't know" quite frequently. Some people say NTFS stands for NT File System because the filesystem was introduced with Windows NT. (Microsoft people can't agree on what the "NT" in Windows NT stands for, but the most say New Technology.) NTFS tracks file and folder information using a much more complicated database than the file allocation table. One of the additional sets of data in this database is security information, such as user permissions. This is what gives NTFS its ability to provide security options to users.

SOME FOLDERS CAN'T BE MARKED PRIVATE

The Annoyance:

I have some folders that contain software, and I want to keep some of them private. However, Windows won't let me check the "Make this folder private" box.

The Fix:

Your computer is running Simple File Sharing, which is the default security mode for Windows XP (see the sidebar "Simple File Sharing Simplified" for an explanation). With Simple File Sharing, you can make folders private only if they exist as part of your personal folders hierarchy (called your user profile). To see the folders in your user profile, follow these steps:

Open My Computer or Windows Explorer.
In My Computer, click the Folders icon on the toolbar to change the My Computer window so that it shows drives and folders in the left pane, and the contents of drives and folders in the right pane (Windows Explorer automatically presents the two-pane view).
In the left pane, click the plus sign next to Local Disk (C:) to expand its contents.
In the left pane, click the plus sign next to the Documents and Settings folder to expand its contents.
In the left pane, click the plus sign next to your logon name.
The folders you see in the left pane, under your logon name, are your personal folders (see Figure 7-11).

If you're running Windows XP Professional, you can turn off Simple File Sharing. If you're running Windows XP Home Edition, you can't turn off Simple Fire Sharing, but you have some other workarounds to make files private. Both of these options are discussed in the annoyances that follow.

Figure 7-11. Your personal folders are subfolders of your logon name folder, and some of the subfolders have additional subfolders, indicated by a plus sign.

SIMPLE FILE SHARING SIMPLIFIED

With Simple File Sharing, the operating system assumes that everybody who logs on to a computer trusts everybody else who logs on to that computer. Therefore, it assumes that everybody wants to share their files. In addition to sharing files with all users of the computer, folders offer an option to share their contents with network users.

If, however, you have some files you don't want to share, Simple File Sharing lets you set folders as "private." Other users of the computer can't access the contents of private folders.

Those folders must be part of your set of personal folders. When you make a folder private, all of its subfolders are also private. When you share a folder, you can make a subfolder private.

TURN SIMPLE FILE SHARING OFF IN WINDOWS XP PROFESSIONAL

The Annoyance:

I'm running Windows XP Professional with NTFS and I want to be able to decide which folders are private and which can be accessed by other users of my computer. How do I get rid of Simple File Sharing?

The Fix:

Open any Windows system folder (My Documents, Windows Explorer, My Network Places, etc.), and select Tools Folder Options. Click the View tab and uncheck the "Use simple file sharing (Recommended)" box.

Tip: The Folder Options dialog box is also available in the Control Panel (under Appearance and Themes).

After you disable Simple File Sharing, the Properties dialog box for every folder displays the classic Security and Sharing tab. You can use that tab to specify user permissions for shared folders.

Warning: If you're not familiar with the way Security and Sharing permissions work, don't mess with this feature. You might accidentally deny yourself access to your own data.

INSTALL SOFTWARE AND MAKE IT PRIVATE IN WINDOWS XP HOME EDITION

The Annoyance:

I want to install QuickBooks on my computer, and I don't want anyone who logs on to the computer to be able to use it. However, the folder in which QuickBooks is installed can't be made private. It's annoying that Windows XP won't let me keep software private.

The Fix:

To keep a software installation private, install the software in your user profile because any folder in your user profile can be made private. To accomplish this, you need to create a subfolder for the software in your user profile, and then change the installation process so that the software is installed into that folder.

To create a folder for the software in your user profile, open My Computer or Windows Explorer, expand the hard drive, expand the Documents and Settings folder, and select the folder bearing your user logon name. Select File New Folder to create a new subfolder in your user profile. Name the new folder for the software (in this case, QuickBooks).

Install the software, but instead of accepting the default location for installation (commonly a subfolder under the Program Files folder), select the option to customize the installation process. Then select your new subfolder as the target folder for the software.

After the software is installed, open My Computer or Windows Explorer and navigate to the folder you created for this software. Right-click the folder and choose Sharing and Security from the shortcut menu, then check the "Make this folder private" box. If any other user tries to open the software, an error message appears.

MAKE SOFTWARE DATAFILES PRIVATE IN WINDOWS XP HOME EDITION

The Annoyance:

I installed Quicken on my computer and now I want to make sure nobody can get to my datafile. I can't make the installation folder private, but it's OK if other users use the software as long as they can't see my datafiles. However, Quicken automatically saves the datafile in the installation folder. What can I do?

The Fix:

You have two ways to make software datafiles private: password-protect the file, or move the datafiles into a private folder (almost all software applications offer both of these features).

If you want to move the datafiles to a private folder, first create the folder within your user profile. Then copy (don't move) the datafiles to the new location. Open the software. Most database software applications, such as Quicken, automatically open the datafile you were working on when you last closed the software (which is why I told you not to move the datafiles because that would confuse the software, and it could hang for a long time trying to find the file). Open the datafile that exists in the private folder (using the File Open command). Then close the software to make sure the datafile located in the private folder is the last used file, which is the file that is opened the next time you use the software.

To make sure it worked, rename the original file (add a letter or number to the beginning of the original filename). Open the software again to make sure the datafile in the private folder opens automatically. If it does, you can delete the original file. If it doesn't, check the software's documentation or call the support line to find a solution.

Warning: Some software applications create multiple files that combine to comprise a datafile. In this case, you must copy all the files related to your datafile to the private folder.

Tip: Check to see if your software has a feature that lets you move or copy datafiles. For example, Quicken offers a Copy File feature. The software then asks if you want to use the copy (the file in the new location) as your datafile. Nifty feature!

SHARE SOME, BUT NOT ALL, OF YOUR DOCUMENTS

The Annoyance:

I save all my documents in My Documents and many of them are private. However, I want to share some documents with other users on the same computer and across the network. I use Windows XP Home Edition, and it's annoying that I can't specify shared or private status on a file-by-file basis.

The Fix:

It would be easier to set security permissions on individual files. However, you have several ways to work around this limitation:

Make your My Documents folder private and move public files into the Shared Documents folder. Enable the option to make the Shared Documents folder available to network users.
Keep your My Documents folder public, and password-protect the private documents using the password features available in your software applications.
Keep your My Documents folder public. Create a subfolder for private documents in your My Documents folder and make the subfolder private. Save private documents to the subfolder.

WORK ON PRIVATE DOCUMENTS FROM A REMOTE COMPUTER

The Annoyance:

The computer I use most frequently is also used by other household members, so I created a private subfolder under My Documents. However, sometimes I work from a different computer and need to access my private documents. Of course, the system doesn't let me into the private folder, which is really annoying.

The Fix:

Private means private, and when you're working on a remote computer, you're a guest on the computer that holds your private files. Because you're not the same person who made the files private, you can't access them.

The only solution is to use your software's password-protection feature and save the files in a folder you configured as public and accessible across the network. When you open the software on the remote computer and then open the file across the network, entering the password makes the file available.

HIDE SHARED FOLDERS

The Annoyance:

I want to be able to work on my own documents from a remote computer. I'm really annoyed at all the stuff I have to go through to make folders private, public, password-protected, and so on. Is there an easier way?

The Fix:

You can create shared folders and then hide them. When users view the computer from My Network Places or Network Neighborhood, they see all the shared resources. They don't see shared folders that are hidden. The person who created the hidden folder is the only person who knows it exists.

To create a hidden, shared folder, create the folder (use some innocuous name), share it across the network, specify that users can change the files, and make the last letter of the sharename a dollar sign (see Figure 7-12).

Figure 7-12. Adding $ to the end of a sharename hides the share from My Network Places and Network Neighborhood.

Of course, now you're asking how to get to the files in your hidden share when you're working on a remote computer. Opening My Network Places or Network Neighborhood doesn't help because the share doesn't show up. Here's the trick: select Start Run and enter \\ComputerName\ Figure 7-13. Go directly to the hidden share; do not stop at My Network Places or Network Neighborhood.

Click OK to open the hidden share's folder (see Figure 7-14). Go to work!

Figure 7-14. Ta-da! Here are my hidden files.

Warning: A hidden folder isn't a "private" folder. If anyone else learns the name of the folder, they can get to it.

MAP A DRIVE TO A HIDDEN FOLDER

You can map a drive to a hidden folder, which makes it easier to open and save files while you're working in a software application. You can't use the regular Windows interface to map the drive because a hidden share doesn't show up in My Network Places or Network Neighborhood. Instead, open a command prompt window and enter the command net use x: \\Computername\HiddenShareName. Substitute an available drive letter for x: and use the computer name and the name of the hidden share in the rest of the command (don't forget the $ at the end of the sharename).

When you map a drive from the command line, an icon for the mapped drive appears in My Computer. Before you leave the computer, right-click the icon and choose Disconnect to remove the mapping (otherwise you've lost all the secrecy). You can also disconnect a mapped drive at the command line by entering net use x: /delete (substitute the mapped drive letter you used for x:).

HIDDEN SHARES WITH SHARED PARENT FOLDERS AREN'T REALLY HIDDEN

The Annoyance:

I created a hidden share as a subfolder under My Documents. I share the My Documents folder on the network so that I can work on files from any computer. When I open My Documents, I see the hidden share listed. It has a dollar sign at the end of the name, but it still shows up. This is really annoying.

The Fix:

Unfortunately, when you share a folder, you share all its contents. Anyone who can see the share can see all the contents. If those contents include shares with a dollar sign at the end of the name, that's tough nuggies.

The best way to create a hidden share is to use a folder on the C drive, not a subfolder of an existing folder. If you want to use a subfolder, never share the existing parent folder. And of course, avoid sharing the drive because that becomes the parent of all folders, hidden or otherwise. If the parent is shared, so are all its contents.

WHO'S VISITING MY COMPUTER?

The Annoyance:

I wish there were a way for me to know whether network users are in my computer, and what they're doing there.

The Fix:

You can track remote users easily, but the process depends on your version of Windows.

View Network Visitors in Windows XP/2000

In Windows XP and 2000, you can keep an eye on network connections in the Computer Management console. Right-click My Computer and choose Manage. When the console window opens, click the plus sign next to the Shared Folders object in the left pane to display the following objects:

Shares, which lists all the shares on the computer, including hidden and administrative shares
Sessions, which displays the current network sessions for remote users (see Figure 7-15)
Open Files, which lists each local file opened by network users, and the name of the user

Figure 7-15. You can see who's on your computer, and which remote computer they're using.

View Network Visitors in Windows 98SE/Me

In Windows 98SE and Me, your network spy is Net Watcher. Select Start Programs Accessories System Tools Net Watcher. The Net Watcher window opens with a view of the current remote connections (see Figure 7-16).

Figure 7-16. Net Watcher tracks information about remote users.

To change the view so that you can see the names of open files and the shares on the computer, use the options in the View menu.

INSTALL NET WATCHER

The Annoyance:

Net Watcher doesn't appear on my System Tools menu.

The Fix:

Net Watcher is not always included when you install the operating system (it depends on the settings for installation). If you don't see Net Watcher on the System Tools menu, use the following steps to install it (you'll need your Windows CD because the system has to copy the Net Watcher files):

Open the Control Panel and double-click Add/Remove Programs.
Click the Windows Setup tab.
Scroll through the listings to select System Tools and click Details.
Check the Net Watcher box.
Click OK twice.

The system copies the files from your Windows CD and installs Net Watcher on the System Tools menu. This is one of the few times you don't have to reboot Windows 98 and Me after making a change to the system.

DISCONNECT REMOTE USERS

The Annoyance:

Can I get rid of remote users if I want to?

The Fix:

Yes, you have a way to get rid of remote users. (Well, "get rid of" seems harsh, the technical term is "disconnect," which sounds less vicious.)

In Windows XP and 2000, right-click My Computer and choose Manage to display the Computer Management console. Select the Sessions object in the left pane, and then take the appropriate action:

To disconnect a user, right-click the user's name in the right pane and choose Close Session.
To disconnect all users, right-click the Sessions object in the left pane and choose Disconnect All Sessions.

In Windows 98SE and Me, select the user you want to disconnect and choose Administer Disconnect User from the menu bar.