Simple File Sharing and NTFS Permissions

Windows XP Professional introduces a new file-sharing feature called Simple File Sharing, which is also used in Windows XP Home edition. Simple File Sharing is a simplified way to manage file-sharing permissions and is designed for home and small office networks. When Simple File Sharing is in use, you simply click a check box to share a folder or printer. Users then basically have read access to the share. You can also assign Modify rights by clicking the Allow Network Users to Change My Files check box. As you can see in Figure 6-9, you reach Simple File Sharing through the Sharing tab on a folder’s Properties sheet.

Figure 6-9: Simple File Sharing options

So, why Simple File Sharing? As you might guess, the process is, well, simple. Simple File Sharing gives end users in a home or small office network an easy way to share files and folders without the complications of folder and New Technology File System (NTFS) permissions. The problem, though, is that Simple File Sharing does not give you much flexibility—the folder is either shared or not, and full control is either granted or not. You cannot individually assign access control permissions to users. If you are in a home or small office environment that uses Windows XP Home edition, you are unfortunately stuck—Simple File Sharing is in use and it cannot be disabled. However, if you are using Windows XP Professional, you can disable Simple File Sharing so that you can use classic sharing, which uses NTFS and folder permissions. To disable Simple File Sharing on a Windows XP Professional computer, follow the steps in the following subsection.

Disabling Simple File Sharing

  1. On Windows XP Professional, log on as administrator.

  2. Open Control Panel, then open the Folder Options applet.

  3. Click the View tab.

  4. Under Advanced Settings, scroll to the bottom of the list and clear the Use Simple File Sharing check box, shown in Figure 6-10.

    Figure 6-10: Disable Simple File Sharing

When you now access the Sharing tab of a folder’s properties, you see the classic sharing options and the Security tab, so that NTFS permissions can be configured.

Exploring File and Folder Permissions

File and folder permissions are set on the Security tab found on the Properties sheet of the file or folder. Simply right-click the desired file or folder and click Properties, and then click the Security tab, shown in Figure 6-11. As you can see, you can select a desired group or individual user and configure the desired file-level permissions for that file.

Figure 6-11: Security tab found on an individual file

The standard permissions are Full Control, Modify, Read & Execute, Read, Write and Special Permissions. Each of these permissions is actually a combination of certain special permissions. Before looking at what special permissions make up these standard permissions, let’s first consider the special permissions and their definitions, which are described in Table 6-1.

Table 6-1: Special Permissions

| Special Permission | Explanation |
| --- | --- |
| Traverse Folder, Execute File | Allows or denies browsing through folders to reach other subfolders. Also allows or denies executing a file. |
| List Folder, Read Data | List Folder allows or denies viewing file/subfolder names. Read Data allows or denies reading data in a file. |
| Read Attributes | Allows or denies the reading of attributes of a file or folder. |
| Read Extended Attributes | Allows or denies the reading of extended attributes of a file or folder. |
| Create Files, Write Data | Create Files allows or denies the right to create a file in a particular folder. Write Data allows or denies the writing of new data to a file or the overwriting of existing information. |
| Create Folders, Append Data | Create Folders allows or denies the ability to create subfolders in a folder. Append Data allows or denies the appending of data to an existing file. (It does not allow the changing of existing data in the file.) |
| Write Attributes | Allows or denies the editing of attributes in a file or folder. |
| Write Extended Attributes | Allows or denies the writing of extended attributes for a file or folder. |
| Delete Subfolders and Files | Allows or denies the power to delete subfolders and files within a folder. |
| Delete | Allows the deletion of a file or folder. |
| Read | Allows or denies reading of a file or folder. |
| Change Permissions | Allows or denies the ability to change permissions for a file or folder. |
| Take Ownership | Allows or denies the power to take ownership of a file or folder. |
| Synchronize | Allows or denies the power to synchronize data. |

Secret 

When configuring permissions, keep in mind that if a permission is grayed out, the permission has been inherited from a parent folder. Since the permission is inherited from the parent folder, you can’t directly configure permissions at the child folder level.

Now that you have taken a look at the special permissions, let’s return to the standard permissions mentioned previously. Standard permissions are combinations of special permissions that give users or groups certain rights. The following bulleted list tells you which special permissions are included in which standard permissions.

  • Full Control  Full Control permission contains all special permissions.

  • Modify  Modify permission contains the following special permissions:

    • Traverse Folder, Execute File

    • List Folder, Read Data

    • Read Attributes

    • Read Extended Attributes

    • Create Files, Write Data

    • Create Folders, Append Data

    • Write Attributes, Write Extended Attributes

    • Delete

    • Read

    • Synchronize

  • Read & Execute  Read & Execute permission contains these special permissions:

    • Traverse Folder, Execute File

    • List Folder, Read Data

    • Read Attributes

    • Read Extended Attributes

    • Read Permission

    • Synchronize

  • Read  Read permission contains these special permissions:

    • List Folder, Read Data

    • Read Attributes

    • Read Extended Attributes

    • Read

    • Synchronize

  • Write  Write permission contains these special permissions:

    • Create Files, Write Data

    • Create Folders, Append Data

    • Write Attributes

    • Write Extended Attributes

    • Synchronize

So now that you have taken a look at the file and folder standard permissions and what special permissions make up the standard permissions, it is important for you to know how the permissions work together. You should keep two important rules in mind with NTFS permissions:

  • File and folder permissions are cumulative. This means that if a user has Read permission but that same user is a member of a group that has Full Control permission, then the user’s effective permission is Full Control. In situations where multiple permissions apply to the same user, then the least restrictive permission takes effect.

  • Deny permission overrides all other permissions. This is an exception to the first rule. For example, suppose that a user has Full Control permission but is a member of a group that is denied access. In this case, the user’s effective permission is Deny. The user has no access to the file at all.

Working with Advanced NTFS Permissions

Under most circumstances, the standard permissions of Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write are all you need to manage user access to shared folders and files effectively. However, in some cases, you may need to customize the security settings for a particular user or group. For example, what if you wanted to give a particular group Full Control to a shared folder without the special permission of Take Ownership? You could do so through advanced permissions.

You can easily set advanced permissions for any desired file or folder and apply those advanced permissions to a desired user group. Exercise 9-6 shows you how to configure advanced settings, but before considering the exercise, you need to understand the concept of inheritance. By default, objects in Windows XP Professional as well as Windows 2000 inherit the properties of the parent object. For example, suppose that a particular folder called Docs resides in a shared folder called Company. By default, the properties and permissions of Company are enforced on the Docs folder as well. This inheritance behavior keeps administrators from having to configure folder after folder. Instead, you configure the top-level folder, and all subfolders inherit those settings. As you can guess, this is a great time-saving feature. However, there may be times when you need to override this feature, and you can do so with the advanced security settings as needed. The following steps show you how.

Configuring Advanced Permissions

  1. Log on as an administrator.

  2. Right-click the desired file or folder and click Properties. Click the Security tab.

  3. Choose the desired user or group from the provided list and click the Advanced button.

  4. The Advanced Security Settings dialog box appears, as shown in Figure 6-12. Note that the Inherit from Parent the Permission Entries That Apply to Child Objects check box is selected by default. If you want to override inheritance for this object, remove the check from the check box. In the Permission Entries list box, select the user or group for whom you want to change permissions and click the Edit button.

    Figure 6-12: Advanced Security Settings dialog box

  5. In the Permission Entry dialog box, shown in Figure 6-13, click the Apply Onto drop-down menu and select one of the following as applicable:

    Figure 6-13: Select the special permissions you want to apply

    • This folder, subfolders, and files

    • This folder only

    • This folder and subfolders

    • This folder and files

    • Subfolders and files only

    • Subfolders only

    • Files only

    Once you have made your selection, click the desired check boxes in order to configure the permissions of the user or group. Also note that at the bottom of the page, a check box enables you to apply these permissions to objects and/or containers within the existing container. Once you are done, click OK, then click OK again to leave the Advanced Security Settings dialog box.

Working with Share-Level and NTFS Permissions

As you learned in the previous section, a user’s effective NTFS permission is the least restrictive permission available. For example, if a user has Read, Write, and Full Control permission based on different groups, then the user has Full Control permission because it is the least restrictive.

Now let’s muddy the waters a bit. Windows XP Professional, like Windows 2000, also supports share-level permissions. Share-level permissions are the only permissions available for shared folders that reside on non-NTFS volumes, such as FAT or FAT32. They are a weaker form of permission without all of the advanced options found in NTFS permissions. There are three types of share-level permissions:

  • Read  The user can view a list of what resides in the shared folder and subfolders, view data, and run applications in the shared folder.

  • Change  The user can do everything allowed by Read permissions, but the user can also create files and subfolders and edit existing files. The user can also delete files and subfolders in the share.

  • Full Control  The user can do everything allowed by Read and Change, but the user can also take ownership of the folder and change any existing NTFS permissions.

You can configure share-level permissions by clicking the Permissions button on the Sharing tab for the folder. This opens the Share Permissions tab of the Permissions for My Documents dialog box, where you can configure the permissions based on user or group, as you can see in Figure 6-14.

Figure 6-14: The Share Permissions tab

Like NTFS permissions, a user’s cumulative share-level permissions determine the user’s effective permission level. For example, if a user has Read permission due to one group membership and Full Control from another group membership, then the user has Full Control over that folder.

This all sounds simple enough. However, what happens when Share and NTFS permissions are mixed, which often happens? For example, suppose that a user belongs to a group that has the Read share-level permission of a folder but Full Control NTFS permission. Which permission does the user get? When share and NTFS permissions conflict, the most restrictive permission is applied—which in this case is Read. As you’ll notice, this is the opposite of the cumulative approach provided by NTFS permissions and share-level permissions. How can you keep it all straight? Here’s a quick list you can memorize.

  • NTFS permissions are cumulative. When a user has several different permissions for the same share, the least restrictive permission applies. The exception is Deny, which overrides all other permissions.

  • Share-level permissions are cumulative. When a user has several different permissions for the same share, the least restrictive permission applies. The exception is Deny, which overrides all other permissions.

  • When share-level permissions and NTFS permissions are combined, the user receives the most restrictive permission. For example, if a user has Modify NTFS permission for a share but Read share-level permission, the effective permission is Read. Again, Deny overrides everything.
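The three rules in the list above, together with the earlier breakdown of standard permissions into special permissions, can be checked with a small model. This is an added example, not code from the book or from Windows: the bit values are the Windows file access-mask constants, while the ACL tuples, the alice account and its groups are constructed. Deny is simplified to "denied bits always win", which ignores the ordering of inherited and explicit entries.

```python
from functools import reduce
# Windows file access-mask bits (winnt.h), keyed by the names used in Table 6-1.
SPECIAL = {
    "List Folder, Read Data": 0x000001,
    "Create Files, Write Data": 0x000002,
    "Create Folders, Append Data": 0x000004,
    "Read Extended Attributes": 0x000008,
    "Write Extended Attributes": 0x000010,
    "Traverse Folder, Execute File": 0x000020,
    "Delete Subfolders and Files": 0x000040,
    "Read Attributes": 0x000080,
    "Write Attributes": 0x000100,
    "Delete": 0x010000,
    "Read Permissions": 0x020000,  # listed as "Read" in Table 6-1
    "Change Permissions": 0x040000,
    "Take Ownership": 0x080000,
    "Synchronize": 0x100000,
}

def mask(*names):
    """OR together the named special permissions."""
    return reduce(lambda m, n: m | SPECIAL[n], names, 0)

# Standard permissions, built as the bulleted lists on this page describe.
READ = mask("List Folder, Read Data", "Read Attributes",
            "Read Extended Attributes", "Read Permissions", "Synchronize")
READ_EXECUTE = READ | mask("Traverse Folder, Execute File")
WRITE = mask("Create Files, Write Data", "Create Folders, Append Data",
             "Write Attributes", "Write Extended Attributes", "Synchronize")
MODIFY = READ_EXECUTE | WRITE | mask("Delete")
FULL_CONTROL = mask(*SPECIAL)

def effective(aces, member_of):
    """Cumulative rule: union of allows for the user's identities, minus denies."""
    allow = deny = 0
    for who, kind, bits in aces:
        if who in member_of:
            allow |= bits if kind == "allow" else 0
            deny |= bits if kind == "deny" else 0
    return allow & ~deny

def over_network(share_aces, ntfs_aces, member_of):
    """Share and NTFS combine restrictively: a bit must survive both layers."""
    return effective(share_aces, member_of) & effective(ntfs_aces, member_of)

# Constructed sample: alice is in Staff and Managers; the share grants Everyone Read.
ALICE = {"alice", "Staff", "Managers", "Everyone"}
NTFS_ACL = [("Staff", "allow", READ), ("Managers", "allow", MODIFY)]
SHARE_ACL = [("Everyone", "allow", READ_EXECUTE)]  # share-level Read
```

With these sample ACLs, alice holds Modify when working locally but only the share's Read rights over the network, and a single deny entry for any of her groups removes the denied bits in both cases.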

Painful Lessons I’ve Learned: Permission Confusion

As you work with share-level and NTFS permissions, it is important to keep things straight. The combination of these permissions is restrictive, which often causes confusion and problems in networking environments. As you work with permissions, it is always best to be as unrestrictive as possible. This requires careful consideration and planning on your part.




A+ Technician's on the Job Guide to Windows XP
ISBN: 72226900
EAN: N/A
Year: 2003
Pages: 164
