Recipe 8.25. Restricting Access to a Share


Problem

You want to restrict access to a share.

Solution

There are two ways to restrict access to a share; you can set share permissions or NTFS permissions. I'm going to describe how to set share permissions, but see the Discussion section for more on NTFS permissions, the preferred method.

Using a graphical user interface

  1. Open Windows Explorer.

  2. In the left pane, browse to the shared folder.

  3. Right-click the folder and select Sharing and Security.

  4. Select the Sharing tab.

  5. Click the Permissions button.

  6. From here, you can grant users or groups Full Control, Read, or Change access to the share.

Using a command-line interface

This command grants the AMER\rallen user with Full Control over the Perl Libs share:

> subinacl /share "Perl Libs" /grant=amer\rallen=F

This command revokes the permission:

> subinacl /share "Perl Libs" /revoke=amer\rallen

Discussion

The generally accepted way to manage share permissions is not to actually manage permissions on the shares themselves, but on the underlying files and folders using NTFS permissions. With Windows 2000, this is pretty straightforward. By default, share and NTFS permissions are both set to allow Everyone Full Control. So you create a share and just modify the NTFS permissions to include the user or groups that should have access and remove the Everyone entry.

With Windows XP, it isn't as straightforward. In an effort to make things more secure, Microsoft changed the default share permissions when creating a new share to allow Everyone only Read access. That means that, regardless whether the underlying NTFS permissions grant Write access to a group, members of that group won't be able to write to the share until you also grant Change (or more appropriately, remove the Read restriction) on the share permissions. I said that this is the generally accepted way to manage permissions because you may find some people prefer to rely on share permissions. In my mind, using share permissions makes things a little more complicated, but to each his own.

See Also

MS KB 301195, "HOW TO: Configure Security for Files and Folders on a Network (Domain) in Windows 2000," and MS KB 324267, "HOW TO: Share Files and Folders over the Network in a Windows Server 2003 Domain Environment"



Windows XP Cookbook
Windows XP Cookbook (Cookbooks)
ISBN: 0596007256
EAN: 2147483647
Year: 2006
Pages: 408

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net