After examining the Distributed file system, Removable Storage, and Remote Storage, discussing sharing folders on the network or the Internet sounds a bit commonplace. Nevertheless, sharing folders is important and we're going to tell you how to do it anyway.
You can administer shared folders in Windows 2000 in two ways. You can right-click a shared folder in Windows Explorer and choose Sharing from the shortcut menu, or you can use the Shared Folders MMC snap-in. The Shared Folders MMC snap-in provides a way of viewing all of the file shares at once, along with the current connections and open files. Windows Explorer doesn't. Therefore, we're going to talk about the Shared Folders MMC snap-in now, and we'll talk about Windows Explorer later, in the section entitled Configuring Web Shares.
To use the clearly superior Shared Folders tool (not that we're biased), follow these steps:
Figure 17-26. The Shared Folders tool in the Computer Management console.
It's easy to share a folder or volume on the system with other users on the corporate network. Just follow these steps:
Figure 17-27. The Create Shared Folder dialog box.
Real World
Setting Permissions
We strongly recommend that you implement NTFS file-level permissions instead of share-level permissions. Using share-level permissions alone isn't secure enough in most instances, and using both introduces an unacceptable level of complexity.
However, there are some exceptions to this rule; for example, you might want to permit all authenticated users to access a volume in a certain subfolder but allow only a certain group to access the root directory. (Administrators can always access the root folder for a drive by connecting to the drive's hidden administrative share, for example, C$.) In this instance, you could create two file shares: one at the subfolder level with no share-level security and one at the root folder level with share-level security to allow only the specified group access.
Somewhat more useful is the ability to hide file shares by adding the dollar sign ($) character to the end of the share name. This notation allows any user to connect to the share—provided he or she knows the share name. Once users connect, they're still bound by NTFS security permissions, but this can be handy for storing useful power tools that an administrator might want to be able to access from a user's system and user account. File security isn't really an issue—you just don't want users mucking around with the files.
To stop sharing a folder on the network, follow these steps:
If you need to disconnect users from the server for some reason—say to close off the server while you update the files—follow these steps:
Be kind to your users and warn them before disconnecting them. Disconnecting a user who is working on a file can cause data loss and resultant ill feelings.
You can limit the number of simultaneous user connections you want to allow to a shared folder so that a given shared folder doesn't overburden the server with user connections. To do so, follow these steps:
Figure 17-28. The General tab of a shared folder's Properties dialog box.
File shares hosted on computers running Windows XP or Windows 2000 Professional support a maximum of 10 simultaneous users.
As mentioned previously, you really shouldn't use share-level permissions in most instances unless you're not using NTFS file-level security. Share-level permissions allow or deny access to a shared folder depending on the user's group membership and the security settings of the file share and don't apply to locally logged-on users.
File-level security, on the other hand, has a much more granular level of control, providing the ability to grant or deny users and groups the ability to perform a wide range of actions on both folders and individual files for both network and local users. Because you would normally use NTFS permissions in a situation where security is important, we generally don't recommend setting share-level permissions. You can do it, however, so here's how:
Although we discourage the use of share-level permissions, it is appropriate to replace the Everyone group with the Authenticated Users group (give it Full Control permission).
Click Caching in the General tab to control whether or not clients can cache the contents of the file share using the Offline Folders feature of Windows.
You can share folders with users on your intranet, as long as Internet Information Services (IIS) is installed on the system. Although most administrators will set up Web shares using IIS (discussed in Chapter 28), you can also do it using Windows Explorer. However, before you go about installing IIS and publishing folders on your intranet or anywhere else, proceed to Chapter 28 and review the security suggestions made there.
To share folders on your intranet using IIS, follow these steps:
Figure 17-29. The Edit Alias dialog box.
For more thorough control over the Web shares, launch the Internet Services console from the Administrative Tools folder on the Start menu. See Chapter 28 for more information about this.