Recipe 4.25. Restricting Access to a Share

Problem

You want to restrict access to a share.

Solution

There are two ways to restrict access to a share; you can set share permissions or NTFS permissions. I'm going to describe how to set share permissions, but see the Discussion section for more on NTFS permissions, the preferred method.

Using a graphical user interface
Using a command-line interface

This command grants the AMER\rallen user Full Control over the Perl Libs share:

> subinacl /share "Perl Libs" /grant=amer\rallen=F

This command revokes the permission:

> subinacl /share "Perl Libs" /revoke=amer\rallen

Discussion

The generally accepted way to manage share permissions is to not actually manage permissions on the shares themselves, but on the underlying files and folders using NTFS permissions. With Windows 2000, this is pretty straightforward. By default, share and NTFS permissions are both set to allow Everyone Full Control. So you create a share and just modify the NTFS permissions to include the users or groups that should have access and remove the Everyone entry.

With Windows Server 2003, it isn't as straightforward. In an effort to make things more secure, Microsoft changed the default share permissions when creating a new share to allow Everyone only Read access. That means that, regardless of whether the underlying NTFS permissions grant Write access to a group, members of that group won't be able to write to the share until you also grant Change (or more appropriately, remove the Read restriction) on the share permissions.

I said that this is the generally accepted way to manage permissions because you may find some people prefer to rely on share permissions. In my mind, using share permissions makes things a little more complicated, but to each his own.

See Also

MS KB 301195 (HOW TO: Configure Security for Files and Folders on a Network (Domain) in Windows 2000), and MS KB 324267 (HOW TO: Share Files and Folders over the Network in a Windows Server 2003 Domain Environment)
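The interaction described in the Discussion, as an added example that is not part of the original recipe: a simplified Python model in which access over the network is the intersection of what the share ACL and the NTFS ACL each grant. The group AMER\PerlDevs, the AMER\guest1 account, and the coarse read/write/admin flags are assumptions made for illustration; real Windows access masks are finer-grained.

```python
# Added illustration: a simplified model of how share and NTFS permissions combine.
# Rights are coarse bit flags; real Windows access masks are finer-grained.
READ, WRITE, ADMIN = 1, 2, 4          # ADMIN = change permissions / take ownership
SHARE = {"Read": READ, "Change": READ | WRITE, "Full Control": READ | WRITE | ADMIN}
NTFS = {"Read": READ, "Modify": READ | WRITE, "Full Control": READ | WRITE | ADMIN}

def granted(acl, token):
    """Rights one ACL gives a token: all matching allows, minus any matching deny."""
    allow = deny = 0
    for trustee, kind, rights in acl:
        if trustee in token:
            if kind == "deny":
                deny |= rights
            else:
                allow |= rights
    return allow & ~deny

def effective(share_acl, ntfs_acl, token):
    """Access over the network is limited by both ACLs, so intersect them."""
    return granted(share_acl, token) & granted(ntfs_acl, token)

def names(rights):
    """Readable list of the flags set in a rights value."""
    return [n for n, bit in (("read", READ), ("write", WRITE), ("admin", ADMIN)) if rights & bit]

# Constructed sample data. AMER\PerlDevs and AMER\guest1 are hypothetical.
RALLEN = {r"AMER\rallen", r"AMER\PerlDevs", "Everyone"}
OUTSIDER = {r"AMER\guest1", "Everyone"}
NTFS_ACL = [(r"AMER\PerlDevs", "allow", NTFS["Modify"])]       # Everyone entry removed
SHARE_2000 = [("Everyone", "allow", SHARE["Full Control"])]    # Windows 2000 default
SHARE_2003 = [("Everyone", "allow", SHARE["Read"])]            # Windows Server 2003 default
SHARE_2003_FIXED = [("Everyone", "allow", SHARE["Change"])]    # after granting Change

if __name__ == "__main__":
    for label, share in (("2000 default", SHARE_2000), ("2003 default", SHARE_2003),
                         ("2003 + Change", SHARE_2003_FIXED)):
        print(label, "rallen:", names(effective(share, NTFS_ACL, RALLEN)),
              "outsider:", names(effective(share, NTFS_ACL, OUTSIDER)))
```

In every scenario the outsider gets nothing, because the NTFS ACL no longer contains an Everyone entry; the share default only decides whether group members can write.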