Lesson 2: Implementing Share Service Security

Shares are folders that an administrator has published on the local network in which users can store files. Share security is the term for restrictions placed on shares. This lesson will teach you to manage share security as an integral part of managing a secure network.


After completing this lesson, you will be able to

  • Understand the role of share security in network security

  • Create and manage shares

  • Manage share security

Estimated lesson time: 30 minutes


Understanding Share Security

Share security consists of account-based access restrictions that are placed on shared folders and implemented by the file-sharing service (Server.exe). User authentication and authorization are managed and enforced by the server service, and file system permissions are managed separately by the file system on the volume that stores the folder. The server service actually manages both file and print sharing, and the ACLs for both types of service are similar.

Share security was the first form of user access control provided by Windows operating system networks, before NTFS permissions were available. You should rely on share permissions only when you need to share a volume that cannot be upgraded to NTFS.

When a user connects to the file-sharing service by mapping a network drive or accessing a file remotely, the service authenticates the user when the session is established in one of the following ways:

  • Receiving a valid session ticket during a Windows 2000 domain logon

  • Performing Windows NT LAN Manager authentication during a Microsoft Windows NT domain logon

  • Requesting credentials through NetBIOS during a workgroup logon

In all three cases, the server service on the server that is hosting the shared files creates an access token representing the user from the SIDs that are either provided to it (domain logon) or determined from the user's local account (workgroup logon). The access token is associated with the user's session and is used for all subsequent access until the user logs off the machine or the session times out and is destroyed.

Only Windows NT-based servers create an access token that allows user permissions to be checked by the file system. Earlier versions of Windows and third-party file-sharing services are not capable of checking file system permissions and can use only share security to protect shared files.

Whenever the user's session requests a file, Server.exe compares the user's access token to the share's ACL and determines whether to allow or deny the request. If the request is allowed, the service performs the operation on the file using the user's access token. Because the user's access token contains the SIDs for the user, the security reference monitor can still check NTFS permissions to determine whether the user has permission to operate on the file requested.

This method means that permissions are checked in two places for shared files: once by the sharing service for the share as a whole, and then by the security reference monitor for NTFS files. Because these two mechanisms act independently of one another, an operation that either one does not allow is refused. Share and NTFS permissions together are not cumulative; users must have permissions from both services to perform an action on a file.

Keep these points in mind when you create share security:

  • Share permissions can be applied to FAT and FAT32 volumes because they are enforced by the server service, not the file system.

  • Share security applies only to the share point, not to files within the share. Once a user has access to a share, only file system permissions can be used to restrict access to interior files and folders.

  • NTFS security is more flexible, more detailed, and more configurable than share security.

Rely on NTFS for file security because it is more robust than share security and cannot be circumvented by connecting to the disk through another file-sharing mechanism such as FTP or by logging on locally. You can use share security as a supplemental security service, but because it can be relied upon only to secure access to the share as a whole and only through the Windows file-sharing service, it is not robust enough to provide for all possible security requirements.

Never share files from a FAT or FAT32 volume on a server because security cannot be controlled for individual files and folders from these volumes.
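
The two independent checks described in this section, as a simplified Python model. This is an added example, not code from the training kit or from Windows; the rights sets, the function names and the NTFS ACL are assumptions made for illustration, and group names stand in for SIDs.

```python
from dataclasses import dataclass

# Share permission levels named in the lesson, modelled as sets of simplified operations.
READ = frozenset({"read"})
CHANGE = READ | {"write", "delete"}
FULL_CONTROL = CHANGE | {"change_permissions"}

@dataclass(frozen=True)
class Ace:
    group: str                 # group name standing in for a SID
    rights: frozenset
    deny: bool = False

def granted(acl, token):
    """Rights one ACL gives a token: matching Allow entries combined, minus matching Deny entries."""
    allow, deny = set(), set()
    for ace in acl:
        if ace.group in token:
            (deny if ace.deny else allow).update(ace.rights)
    return frozenset(allow - deny)

def effective(token, share_acl, ntfs_acl, via_share=True):
    """Rights left after both independent checks.

    via_share=False models reaching the folder through another service or a
    local logon, where the share ACL is never consulted. ntfs_acl=None models
    a FAT/FAT32 volume, where there is no file system check.
    """
    share = granted(share_acl, token) if via_share else FULL_CONTROL
    ntfs = granted(ntfs_acl, token) if ntfs_acl is not None else FULL_CONTROL
    return share & ntfs

# Constructed sample data: the Design share ACL from Exercise 1, plus an NTFS ACL
# invented for this example (deliberately too loose for Everyone).
DESIGN_SHARE = [Ace("Domain Admins", FULL_CONTROL), Ace("Design Users", CHANGE)]
DESIGN_NTFS = [Ace("Domain Admins", FULL_CONTROL), Ace("Design Users", READ),
               Ace("Everyone", READ)]
DESIGNER = {"Everyone", "Design Users"}   # token: the groups a user belongs to
OUTSIDER = {"Everyone", "Finance Users"}

if __name__ == "__main__":
    print(sorted(effective(DESIGNER, DESIGN_SHARE, DESIGN_NTFS)))         # share Change, NTFS Read
    print(sorted(effective(OUTSIDER, DESIGN_SHARE, DESIGN_NTFS)))         # stopped by the share ACL
    print(sorted(effective(OUTSIDER, DESIGN_SHARE, DESIGN_NTFS, False)))  # share ACL not consulted
    print(sorted(effective(OUTSIDER, DESIGN_SHARE, None, False)))         # FAT: nothing is checked
```

The third and fourth calls show why the lesson treats share security as supplemental: once the share ACL is out of the path, only the file system ACL limits access, and on FAT there is none.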

Managing Shares and Share Security

Creating shares is simple: right-click a folder you want to share and choose Sharing. You can set the share name and permissions directly, and the share will be immediately created and available for use.

You can manage and view all the shares on a server through the Shared Folders snap-in in the Computer Management console of MMC. Using this console, you can easily delete existing shares without browsing through the file system. You can also view open files and sessions using this snap-in. Figure 4.6 shows the Shared Folders snap-in.

Figure 4-6. The Shared Folders snap-in

Share Security Best Practices

Deciding when to use share security is simple: rely on NTFS permissions for security, and use share security as a supplemental security measure. You cannot rely on share security alone to prevent access to files because it is possible to circumvent share security by connecting to the shared resource through another service such as FTP or Terminal Services. Although share security isn't perfect, there's no reason not to supplement NTFS security with share security. Because NTFS and share security complement each other, inappropriate access can still be prevented if one or the other is improperly configured.

Create separate shares for major groups of users instead of creating monolithic shares that contain numerous folders to which users do not have access. Users will be less likely to attempt to circumvent security if they can't see the folders that they don't have access to. Use the distributed file system (Dfs) to make share management more convenient and scalable.

For more information about Dfs, see Microsoft Windows 2000 Server Distributed Systems Guide (Microsoft Press, 2002).

Practice: Applying Shares and Share Permissions

In this practice, you will use the secure folder structure created in Lesson 1, and apply different shares and share permissions. Rather than creating a single share at the root level of the Departments folder, you will be sharing each department's secured folder separately. In this way, only users who are members of a department can use its folder. If you shared the Departments folder, all domain users could create and attach their own folders at that level, because the permissions on that folder are not restrictive enough to prevent them from doing so.

Exercise 1: Managing Security for Shared Folders

In this exercise, you create a share for each of the major OUs in domain.fabrikam.com. These shared folders will be secured with both share permissions and NTFS permissions.

To create a shared folder

  1. Browse to C:\Departments\Design in Windows Explorer.

  2. Right-click the Design folder, and choose Sharing.

  3. Select Share This Folder. The Share Name will default to the folder's name, as shown in Figure 4.7.

    Figure 4-7. Creating a shared folder

  4. Click Permissions to view the Permissions settings as shown in Figure 4.8.

    Figure 4-8. Setting permissions for a shared folder

  5. Select the Everyone permission, and click Remove.

  6. Click Add to open the Select Users, Computers, Or Groups dialog box shown in Figure 4.9. Double-click the Design Users and Domain Admins security groups, and click OK.

    Figure 4-9. Adding groups to the shared folder

  7. Select Domain Admins, and, in the Allow column, select the Full Control check box.

  8. Select Design Users, and, in the Allow column, select the Change check box.

  9. Click OK to close the Permissions dialog box, and then click OK to close the Sharing dialog box. Notice that the folder's icon now indicates that it is being shared.

To create multiple shares

  1. Share the Engineering folder. Remove the Everyone permission, and add Full Control permission for Domain Admins and Change permission for Engineering Users.

  2. Share the Finance folder. Remove the Everyone permission, and add Full Control permission for Domain Admins and Change permission for Finance Users.

  3. Share the Human Resources folder. Remove the Everyone permission, and add Full Control permission for Domain Admins and Change permission for Human Resources Users.

  4. Share the Information Technology folder. Remove the Everyone permission, and add Full Control permission for Domain Admins and Change permission for Information Technology Users.

  5. Share the Marketing folder. Remove the Everyone permission, and add Full Control permission for Domain Admins and Change permission for Marketing Users.

Exercise 2: Managing Share Security

In this exercise, you modify permissions to the Information Technology share. This share is intended to be used as a repository for IT resources such as installable application packages. IT users who are not administrators do not require Read access. You will create the share using Windows Explorer and then modify permissions using the Shared Folders snap-in in the Computer Management console. All share management operations can be managed using either method.

To modify share permissions

  1. In Windows Explorer, right-click My Computer, and choose Manage.

  2. Expand Shared Folders, click Shares, and double-click Information Technology.

  3. Click the Share Permissions tab, shown in Figure 4.10.

    Figure 4-10. The Share Permissions tab

  4. Select Information Technology Users.

  5. In the Allow column, clear the Change permission check box.

    What is the effective difference between clearing the Allow check box and selecting the Deny check box?

  6. Click the Security tab, and click the Information Technology Folder group.

  7. Clear all the permissions except Allow Read, and click OK to close the Properties dialog box.

Lesson Review

  1. If you set NTFS permissions on a shared folder that allow Full Control to the Domain Admins group and no other permissions, but the share security settings allow Full Control to the Everyone group, what are the effective permissions for the folder?

  2. Why is it important to rely on NTFS permissions for share security?

  3. Why should you set share permissions when NTFS permissions can perform the same security function on an NTFS volume?

Lesson Summary

  • Shares have ACLs that can be used to prevent users from connecting to the share through the file server service.

  • Share permissions cannot be used to prevent access to specific files or folders within a share. Share permissions are effective on all supported file system types.

  • The more restrictive of either the share or the NTFS permission is a user's effective permission. Either security service can be used to prevent access to shared folders, but NTFS security cannot be circumvented by other methods that provide access to the file.

  • You should rely on NTFS security to secure shares, and use share security as a supplemental security mechanism.



MCSA/MCSE Self-Paced Training Kit (Exam 70-214): Implementing and Administering Security in a Microsoft Windows 2000 Network (Pro-Certification)
ISBN: 073561878X
Year: 2003
Pages: 82
