As has been mentioned before, the whole point of a network is to share resources among the users. However, sharing is also an extension of the security features that begin with user accounts and passwords. Your goal as a system administrator is to make sure that everyone can use the resources they need without compromising the security of files and other resources. Three types of capabilities can be given to users:
In the normal course of events, you'll deal with rights only rarely. However, shares and permissions are at the heart of an administrator's responsibilities.
On an NTFS volume, Windows 2000, like Windows NT Server, allows security that's so granular it's practically microscopic. Permissions of various types can be set including on individual files. This presents quite a temptation to the administrator to micro-manage every resource. Our best advice is to not give in to this temptation. Start with the least restriction possible and add restrictions only when required.
REAL WORLD Differences Between Shares and Permissions
Shares and permissions, although they sound very much alike, are not at all the same and it's important to understand the differences. Shares apply to drives and directories. Until a drive or folder is shared over the network, users can't see it or gain access to it. Once a folder is shared, everyone on the network has, by default, access to all files in the folder, and to all subfolders of that folder and so on.
On a FAT volume, a drive or folder can be shared and then additional restrictions added in the form of share permissions. These permissions apply only at the drive or folder level—not at the file level—and are limited to allowing or denying Full Control, Read, and Change.
On NTFS volumes, directories have the same share permissions as those on a FAT volume, but another layer of permission is available beyond that. Each folder has a Security Properties window that allows more precise restrictions. Each file also has a Security Properties window, allowing access to be granted or denied for individual files. These folder permissions and file permissions can restrict access both across the network and locally. For example, you can leave the share permission for a folder at the default setting, allowing Full Control to Everyone, and use the Security Properties window to set more restrictive permissions by group or individual—either for the folder as a whole or file-by-file within the folder.
Share permissions determine the maximum access over the network. This means if you set share permissions to allow Read but deny Change, all users will be restricted to Read only when they access the share over the network. You can, however, grant a user more extensive access through folder or file permissions, and this expanded access will be available when the user logs on locally. Or you can block the inheritance of permissions on a subfolder and give a user Full Control of the subfolder over the network—while the parent folder remains Read only.
Shares have no effect on users who can log on locally. For someone who will be logging on locally to an NTFS partition, access can be restricted by using permissions.
In addition to shares created by a user or administrator, the system creates a number of special shares that shouldn't be modified or deleted. The special shares you're most likely to see are the administrative drive shares, which appear as C$, D$, E$, and so on. These shares allow administrators to connect to drives that are otherwise not shared.
Special shares exist as part of the operating system's installation. Depending on the computer's configuration, some or all of the following special shares may be present. None of them should be modified or deleted.
To connect to an unshared drive on another computer, use the address bar in any window and enter the address (Figure 9-24), using the syntax
\\computer_name\[driveletter]$
Figure 9-24. Connecting to an unshared drive on a remote computer.
To connect to the system root folder (the folder in which Windows is installed) on another computer, use the syntax
\\computer_name\admin$
Other special shares such as IPC$ and PRINT$ are created and used solely by the system. NETLOGON is a special share on Windows 2000 and Windows NT servers and is used while processing domain logon requests.
On partitions formatted using FAT, you can restrict files only at the folder level, only over the network, and only if the folder is shared. For someone who logs on locally, the shares have no effect.
On an NTFS volume, directories can be shared and also restricted further by means of permissions. On an NTFS volume, you should use folder and file permissions for security control both locally and over the network and allow Full Control access to Everyone on the share.
The easiest way to create shared folders is to use the Configure Your Server tool from the Administrative Tools menu. To do so, follow these steps:
Figure 9-25. Selecting a folder to be shared.
Figure 9-26. Selecting share permissions.
You can set shares directly by right-clicking a folder, choosing Properties from the shortcut menu, then clicking the Sharing tab.
REAL WORLD Share Names and File Names in MS-DOS
If you have MS-DOS-based machines on your network (that includes Windows versions through 3.11) that will be accessing a shared folder, you must follow the 8.3 naming convention in the share name. A share name that doesn't conform to the MS-DOS 8.3 naming standard will not be seen at all by users with MS-DOS or Windows 3.x machines.
The names of files or directories can have up to 255 characters. MS-DOS users connecting to the file or folder over the network will see the name in the 8.3 format. Windows NT will truncate the long names down to a size that an MS-DOS machine can recognize but will not do so for share names. Yes, it's odd. Windows 2000 converts long names to short names using the following rules:
- Spaces are removed.
- Characters not allowed in MS-DOS names are replaced by underscores (_).
- The name is shortened to its first six remaining characters, and then a tilde and a digit are added. For the first file, the digit will be 1. For a second file using the same six characters, the digit will be 2. For example, your file named Budget Figures for March will be shortened to BUDGET~1. A second file, called Budget Figures for the Second Quarter, will be shortened to BUDGET~2.
- If the long name has any periods followed by other characters, the last period and the next three characters are used as the file extension in the short version of the file name. So a file called December.Sales.Presentation will be shortened to DECEMB~1.PRE.
As you can see, long file names when truncated may be quite mysterious. If your network includes MS-DOS computers, you may want to continue using MS-DOS naming conventions for the first six characters. The budget files used above as examples would then be MARBUD~Budget Figures for March.XLS and 2NDQTR~Budget Figures for the Second Quarter.XLS. To the DOS computer, the files would appear as MARBUD~1.XLS and 2NDQTR~1.XLS.
A single folder might be shared more than once. For example, one share might include Full Control for Administrators and another share for users might be more restricted. To add a new share, follow these steps:
Figure 9-27. Adding a New Share.
To remove a folder from being shared, open Computer Management from the Administrative Tools menu. Expand System Tools, then Shared Folders, and then Shares. Right-click the shared folder in the details pane, and choose Stop Sharing from the shortcut menu.
CAUTION
In Windows NT, when users are connected to a folder you are about to stop sharing, you are warned in a dialog box. This doesn't happen in Windows 2000. If you stop sharing a folder that users are connected to, the users are dropped out of the folder without warning and they may lose data.
Share permissions establish the maximum range of access available. Other permission assignments (on an NTFS volume) can be more restrictive but can't expand beyond the limits established by the share permissions. Table 9-8 summarizes the three types of access, from most restrictive to least restrictive.
Table 9-8. Types of share permissions
| Share Permission | Type of Access |
|---|---|
| Read | Allows viewing of file and subfolder names, can always view and clear the security log. |
| Change | Allows the access under Read, plus allows adding files and subdirectories to the shared folder, changing data in files, and deleting files and subdirectories. |
| Full Control | Allows all the access under Change plus allows changing permissions (NTFS volumes only) and taking ownership (NTFS volumes only). |
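The combination rule stated in the sidebar on shares versus permissions and repeated above (share permissions cap network access, NTFS permissions can only narrow that cap, and the share plays no part for a local logon) modelled as a small access calculation. This is an added example, not code from the book; the operation names, the group names and the sample ACLs are constructed, and share entries are modelled as allow entries only.

```python
# Granular operations that NTFS folder/file permissions can grant. Each share
# level from Table 9-8 is modelled as the subset of operations it caps a
# network user to (Change includes Read, Full Control includes Change).
READ = frozenset({'list', 'read', 'execute'})
CHANGE = READ | {'add', 'write', 'delete'}
FULL = CHANGE | {'change_permissions', 'take_ownership'}
SHARE_LEVEL = {'Read': READ, 'Change': CHANGE, 'Full Control': FULL}


def share_cap(share_acl, principals):
    """Maximum access over the network: the union of the share levels granted
    to any of the caller's principals (user name, group names, 'Everyone')."""
    cap = set()
    for who, level in share_acl:
        if who in principals:
            cap |= SHARE_LEVEL[level]
    return frozenset(cap)


def ntfs_rights(ntfs_acl, principals):
    """Folder/file permissions: explicit allows minus explicit denies (a deny
    entry wins over an allow from any other group the caller belongs to)."""
    allowed, denied = set(), set()
    for who, ops, kind in ntfs_acl:
        if who in principals:
            (allowed if kind == 'allow' else denied).update(ops)
    return frozenset(allowed - denied)


def effective_access(share_acl, ntfs_acl, principals, over_network):
    """Local logon: the share plays no part, NTFS permissions alone decide.
    Over the network: NTFS permissions can narrow the share cap, never widen it."""
    rights = ntfs_rights(ntfs_acl, principals)
    if over_network:
        rights &= share_cap(share_acl, principals)
    return rights


# Constructed sample: the default share (Full Control to Everyone) with the real
# restrictions expressed in NTFS permissions, as the text advises, beside a
# share left at Read, which caps everyone who comes in over the network.
SHARE_DEFAULT = [('Everyone', 'Full Control')]
SHARE_READ_ONLY = [('Everyone', 'Read')]
NTFS_ACL = [
    ('Everyone', READ, 'allow'),
    ('Accounting', CHANGE, 'allow'),
    ('alice', {'delete'}, 'deny'),  # alice may edit files but not delete them
]
ALICE = {'alice', 'Accounting', 'Everyone'}
BOB = {'bob', 'Everyone'}
```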
To set share permissions for a folder, right-click on the folder and choose Sharing from the shortcut menu. Click the Permissions button to open the dialog box shown in Figure 9-28. The type of access is set by the list at the bottom. Use the Add and Remove buttons to change who has access. Share permissions can be assigned to individual users, to groups, and to the special identities Everyone, System, Interactive, Network, and Authenticated Users.
Figure 9-28. Setting share permissions.
After traipsing through the various windows of My Network Places to find a shared folder, users can simply double-click the folder to open it and access its contents. For easier access, right-click the shared folder and drag it to the desktop. Select Create Shortcut Here after releasing the mouse button.
For frequent use, it's simple to map a folder or drive so that it appears in Windows Explorer (or My Computer) as simply another local drive.
NOTE
A mapped drive is even better than a shortcut in one important respect: if you're using older programs, they're not going to recognize the network places and will not be able to open or save files anywhere other than your own computer. If you map a drive, the program cooperates because the drive on the other computer appears (to the program at least) to be local.
You can set up these connections for users or they can do it for themselves. Here's how it's done:
Figure 9-29. Mapping a network resource.
To get rid of a mapped drive or folder, you can highlight it and right-click. Choose Disconnect from the shortcut menu (Figure 9-30).
Figure 9-30. Disconnecting a mapped resource.
You can see a list of shares, current sessions, and open files by opening Computer Management from the Administrative Tools menu and then expanding Shared Folders (Figure 9-31).
Figure 9-31. Viewing shared folders.
Expand Shares to see a list of the shared folders plus the following information about each folder:
Expand Sessions in the console tree to see the following information about the users who are currently connected:
Expand Open Files in the console tree for a list of the files currently open. In the details pane, you can see the name of the file, who opened it, the type of connection, the number of locks on the file (if any), and the share permissions that were granted when the file was opened.
For regular viewing of shares, it may be more efficient to make an MMC that contains the Shared Folders snap-in. You can add a Shared Folders snap-in for several servers and switch among them easily (Figure 9-32).
Figure 9-32. Viewing shared folders on multiple servers.