Sharing Files and Folders


In Windows XP Professional, members of the Administrators, Power Users, and Server Operators groups can share folders. Other users who have been granted the Create Permanent Shared Objects user right can also share folders. If a folder resides on an NTFS volume, you must have at least Read permission to share the folder.

When you share a folder, keep the following in mind:

  • You can only share folders, not files.

  • Shared folders are only relevant to users who need to access data over the network. Sharing a folder and assigning shared folder permissions has no effect on users who are locally logged on to a computer.

  • When you copy a shared folder, the original shared folder is still shared, but the copy is not shared.

  • When you move a shared folder, the folder is no longer shared.

  • If you have a mixed environment, use 8.3 format share names so older client operating systems can recognize them.

To share a folder

  1. Right-click the folder you want to share, and then click Properties.

  2. In the folder properties dialog box, click the Sharing tab.

  3. Click Share this folder, and then in Share name, type the name you want users to see when they browse for this folder on the network. If you append the $ symbol to the name, the folder is shared, but it does not appear when users browse for it across the network.

  4. In Comment, type a description for the shared folder. This description is visible to users who browse across the network.

  5. In User limit, make any changes you want. The default setting is Maximum allowed, which corresponds to the number of client access licenses you have purchased. You can also designate a user limit by clicking Allow, typing the number of users next to Users, and then clicking OK.

Warning 

By default, shared folder permissions are set so that the Full Control permission is assigned to the Everyone group. You can change the default shared folder permissions by clicking Permissions in the folder properties dialog box.

You can also share a folder from the command line by using the net share command. For more information about sharing a folder, including information about using the net share command, see Windows 2000 Server Help.

Configuring Shared Folder Permissions

Shared folder permissions determine who can gain access to resources on remote computers. When a folder is shared, users can connect to the folder over the network and gain access to its contents. Shared folder permissions allow you to control which users or groups can gain access to the contents of a shared folder.

Shared folders and NTFS permissions

Shared folder permissions are different from NTFS permissions. NTFS permissions use access control lists (ACLs) to limit access to resources, and can only be assigned to resources on an NTFS volume. In addition, NTFS permissions can be assigned to both files and folders. Shared folder permissions do not use access control lists, and can therefore be used on a volume that is formatted with any file system. In addition, shared folder permissions can only be assigned to folders. For more information about NTFS permissions, see File Systems in this book.

Administrative shares

In addition to folders you designate as shared, Windows XP Professional also creates several shared folders by default when you start a computer or when you stop and then start the Server service. These shared folders, called the administrative shares, are shared for administrative purposes and allow users to access administrative resources remotely. Some of the administrative shares cannot be configured, and access is restricted to users who have administrative rights. The administrative shares include folders such as the systemroot folder (ADMIN$), the root folder of every drive (C$, D$, and so on), and the printer driver folder (PRINT$).

Setting shared folder permissions

Shared folder permissions can only be set by members of the Administrators, Power Users, or Server Operators groups. Users who have been granted the Create Permanent Shared Objects user right can also assign shared folder permissions. If a folder resides on an NTFS volume, you must have at least Read permission to assign shared folder permissions.

There are three types of shared folder permissions: Read (the most restrictive), Change, and Full Control (the least restrictive). Table 6-3 describes each of these permissions.

Table 6-3: Shared Folder Permissions

| Permission | Description |
|---|---|
| Read | Users can display folder and file names, display file data and attributes, run program files and scripts, and change folders within the shared folder. |
| Change | Users can create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files, and perform all tasks permitted by the Read permission. |
| Full Control | Users can change file permissions, take ownership of files, and perform all tasks permitted by the Change permission. |

You can allow or deny shared folder permissions to individual users or groups. From an administrative standpoint, it is usually most efficient to assign permissions to a group rather than to individual users. Also, deny permissions only when it is necessary to override permissions that are otherwise applied. Denied permissions take precedence over any permissions that you otherwise allow for user accounts and groups. For example, it might be necessary to deny permissions to a specific user who belongs to a group that has been granted permissions.

When you assign shared folder permissions, keep the following in mind:

  • Shared folder permissions do not restrict access to users who are locally logged on to a computer where the shared folder is located. Shared folder permissions only apply to users who connect to the folder across the network.

  • To restrict access to a folder, use shared folder permissions or NTFS permissions, but not both. The best practice is to share a folder so that the Everyone group has Full Control, and then restrict access to the folder using NTFS permissions.

  • If shared folder permissions are configured for a folder, and NTFS permissions are configured for the folder and its contents, the most restrictive permissions apply.

  • When you assign a shared folder permission to a user, and that user is a member of a group to which you assigned a different permission, the user's effective permissions are the combination of the user and group permissions. For example, if a user has Read permission and is a member of a group with Change permission, the user's effective permission is Change, which includes Read.

To configure shared folder permissions

  1. Right-click the folder for which you want to configure shared folder permissions, and then click Properties.

  2. In the folder properties dialog box, click the Sharing tab, and then click Permissions.

  3. In the Permissions for dialog box, click Add.

  4. In the Select Users, Computers, or Groups dialog box, click Object Types, click the Users check box, and then click OK.

  5. Under Enter the object names to select, type the name of the group or user for which you want to set shared folder permissions, and then click OK.

  6. In the Permissions for dialog box, in the Group or user names box, click the group or user for which you want to set shared folder permissions.

  7. In the Permissions for dialog box, allow or deny permissions, and then click OK.

Simple Sharing and ForceGuest

When a Windows XP Professional-based computer is not joined to a domain, the simple sharing model is fundamentally different from the model used in previous versions of Windows. By default, all users logging on to such computers over the network are forced to use the Guest account; this is called ForceGuest.

How ForceGuest Works

On computers running Windows 95 and Windows 98 you can specify read-only and full-control share passwords: any user connecting to a share can enter the appropriate password and get the specified level of access. However, this share-level password model is insecure, because share passwords are passed in plaintext and can be intercepted by someone with physical access to the network.

On computers running Windows 2000 and not joined to a domain, identical user accounts with matching passwords must be created on two computers (to enable transparent sharing) or the user must type a user name and password when connecting. Windows 2000 also requires that, on the computer hosting a share, you either grant the user account permissions to the share and to the files and directories being shared, or enable the Guest account. However, using the Guest account can cause broader than intended access to the share, because the Everyone group (which allows Guest access) is widely used in the default system permissions.

By default, on computers running Windows XP Professional and not joined to a domain, all incoming network connections are forced to use the Guest account. This means that an incoming connection, even if a user name and password are provided, has only Guest-level access to the share. Because of this, either the Guest user account or the Everyone group (the only group to which the Guest account belongs) must have permissions on the share and on the directories and files that are shared. It also means that, in contrast to Windows 2000, you do not need to configure matching user accounts on computers to share files. Because Windows XP Professional supports Anonymous connections, and because it severely limits the use of the Everyone group in file system permissions, granting the Everyone group access to shared folders does not present the security problem that it does on Windows 2000-based computers.

ForceGuest is enabled by default, but can be disabled on Windows XP Professional by disabling the local security policy Network Access: Force Network Logons using Local Accounts to Authenticate as Guest. By contrast, on Windows XP Professional-based computers joined to a domain, the default sharing and security settings are the same as in Windows 2000. Likewise, if the ForceGuest policy setting on a Windows XP Professional-based computer not joined to a domain is disabled, then the computer behaves as in Windows 2000.
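
The rules listed under Setting shared folder permissions (allows combine, deny takes precedence, the most restrictive of share and NTFS applies, local logons bypass share permissions) and the ForceGuest behavior described above can be worked through together. The following Python model is an added example, not code from the Resource Kit or from Windows. The accounts alice and bob, the group Staff, the right labels, and the use of the same three permission levels for NTFS are assumptions made for illustration.

```python
# Added illustration: a simplified model of the rules on this page,
# not Windows' actual access-check code. Right names are invented labels.
READ = frozenset({"list", "read_data", "run", "traverse"})
CHANGE = READ | {"create", "write", "append", "set_attrs", "delete"}
FULL = CHANGE | {"change_perms", "take_ownership"}
RIGHTS = {"Read": READ, "Change": CHANGE, "Full Control": FULL}

def resolve(acl, identities):
    """Union of allowed rights for all matching identities, minus any denied right."""
    allowed, denied = set(), set()
    for principal, kind, perm in acl:
        if principal in identities:
            (denied if kind == "deny" else allowed).update(RIGHTS[perm])
    return allowed - denied          # deny takes precedence over allow

def level(rights):
    """Highest Table 6-3 permission fully covered by a set of rights."""
    for name in ("Full Control", "Change", "Read"):
        if RIGHTS[name] <= rights:
            return name
    return "No access"

def effective(user, groups, share_acl, ntfs_acl, network=True, force_guest=False):
    # ForceGuest: a network logon is treated as Guest, whatever credentials were sent.
    if network and force_guest:
        ids = {"Guest", "Everyone"}
    else:
        ids = {user, "Everyone", *groups}
    ntfs = resolve(ntfs_acl, ids)
    if not network:                  # share permissions do not apply to local logons
        return level(ntfs)
    return level(resolve(share_acl, ids) & ntfs)   # most restrictive of the two

# Constructed sample data (hypothetical accounts "alice", "bob", group "Staff").
EVERYONE_FULL = [("Everyone", "allow", "Full Control")]   # the default share ACL
MIXED_SHARE = [("alice", "allow", "Read"), ("Staff", "allow", "Change"),
               ("bob", "deny", "Full Control")]
NTFS = [("Staff", "allow", "Change"), ("Everyone", "allow", "Read")]

if __name__ == "__main__":
    print(effective("alice", ["Staff"], MIXED_SHARE, EVERYONE_FULL))  # Change
    print(effective("bob", ["Staff"], MIXED_SHARE, EVERYONE_FULL))    # No access
    print(effective("alice", ["Staff"], EVERYONE_FULL, NTFS))         # Change
    print(effective("alice", ["Staff"], EVERYONE_FULL, NTFS, force_guest=True))  # Read
```

The last call shows why, with ForceGuest on, what a remote user can do is decided entirely by what Guest and Everyone are granted, regardless of the account name supplied.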

Sharing Files and Folders Using the Simple Sharing User Interface

To simplify configuring sharing and to reduce the possibility of misconfiguration, Windows XP Professional uses the Simple Sharing User Interface (UI). The simple sharing UI appears if ForceGuest is turned on; the traditional sharing and security tabs are shown if ForceGuest is turned off.

On computers running Windows XP Professional that are not joined to a domain, ForceGuest is turned on by default. To access the traditional sharing and security tabs and manage permissions manually on these computers, go to Windows Explorer or My Computer, click the Tools menu, click Folder Options, click the View tab, and then clear the Use simple file sharing (Recommended) check box. Note that changes made manually cannot be undone by using the simple sharing UI, and although you might make what appears to be a reasonable change to permissions, the resultant permissions might not work as expected if ForceGuest is subsequently turned on.

By using the simple sharing UI you can create or remove a share and set permissions on the share. When simple sharing is in effect, appropriate permissions are automatically set on shared files and folders. The following permissions are added when you use the simple sharing UI:

  • Share permissions

  • File permissions

  • Allow others to change my files

  • Don't allow others to change my files

When the Guest-only security model is used, the Sharing tab has only three options:

  • Share this folder on the network. Grants the Everyone group Read permissions on the folder and its contents.

  • Share name. The name of the share on the network.

  • Allow other users to change my files. Grants the Everyone group Full Control permissions on folders and Change permissions on files.

Sharing the Root Directory of a Drive

You can create a share at the root of the system drive, but simple sharing does not adjust the file permissions on such shares. On a share created at the root, the simple sharing UI is displayed in the property sheet, and Sharing is added to the shortcut menu on the system drive icon in Windows Explorer. There are two important reasons why it is recommended that you not share the root directory of the system drive:

Shared Documents Folder

The Shared Documents folder in My Documents is new in Windows XP Professional. This folder appears when two or more user accounts are created on the local computer. Files can be shared among multiple users of the same computer. In a network environment, files can be copied or moved to a folder on another computer.

By default, the Shared Documents folder is automatically shared and made accessible to all other computers on the network.




Microsoft Windows XP Professional Resource Kit 2003
Year: 2005
Pages: 338