As has been mentioned before, the whole point of a network is to share resources among the users. However, sharing is also an extension of the security features that begin with user accounts and passwords. Your goal as a system administrator is to make sure that everyone can use the resources they need without compromising the security of files and other resources. Users can have three types of capabilities, as follows:
In the normal course of events, you'll deal with rights only rarely. However, shares and permissions are at the heart of an administrator's responsibilities.
On an NTFS volume, Windows 2000, like Windows NT Server, allows security that's so granular it's practically microscopic. Permissions of various types can be set, including permissions on individual files. This presents quite a temptation to the administrator to micro-manage every resource. Our best advice is to not give in to this temptation. Start with the least restriction possible and add restrictions only when required.
Real World
Differences Between Shares and Permissions
Shares and permissions, although they sound very much alike, are not at all the same, and it's important to understand the differences. Shares apply to drives and directories. Until a drive or folder is shared over the network, users can't see it or gain access to it. Once a folder is shared, everyone on the network has, by default, access to all files in the folder, and to all subfolders of that folder, and so on.
On a FAT volume, a drive or folder can be shared and then additional restrictions added in the form of share permissions. These permissions apply only at the drive or folder level—not at the file level—and are limited to allowing or denying Full Control, Read, and Change.
On NTFS volumes, directories have the same share permissions as those on a FAT volume, but another layer of permission is available beyond that. Each folder has a Security Properties dialog box that allows more precise restrictions. Each file also has a Security Properties dialog box, allowing access to be granted or denied for individual files. These folder permissions and file permissions can restrict access both across the network and locally. For example, you can leave the share permission for a folder at the default setting, allowing Full Control to Everyone, and use the Security Properties dialog boxes to set more restrictive permissions by group or individual—whether for the folder as a whole or file-by-file within the folder.
Share permissions determine the maximum access over the network. This means if you set share permissions to allow Read but deny Change, all users will be restricted to Read only when they access the share over the network. You can, however, grant a user more extensive access through folder or file permissions, and this expanded access will be available when the user logs on locally. Or you can block the inheritance of permissions on a subfolder and give a user Full Control of the subfolder over the network—while the parent folder remains Read only.
Shares have no effect on users who can log on locally. For users who will be logging on locally to an NTFS partition, you can restrict access by using permissions.
In addition to shares created by a user or administrator, the system creates a number of special shares that shouldn't be modified or deleted. The special share you're most likely to see is the ADMIN$ share, which appears as C$, D$, E$, and so on. These shares allow administrators to connect to drives that are otherwise not shared.
Special shares exist as part of the operating system's installation. Depending on the computer's configuration, some or all of the following special shares might be present. None of them should be modified or deleted.
To connect to an unshared drive on another computer, use the address bar in any window and enter the address (Figure 9-24), using the syntax
\\computer_name\[driveletter]$
Figure 9-24. Connecting to an unshared drive on a remote computer.
To connect to the system root folder (the folder in which Windows is installed) on another computer, use the syntax
\\computer_name\admin$
Other special shares such as IPC$ and PRINT$ are created and used solely by the system. NETLOGON is a special share on Windows 2000 and Windows NT servers and is used while processing domain logon requests.
Adding a $ sign to the end of a share name hides the share from all users. To access a hidden share, you will need to explicitly specify it; you will not be able to browse the network for that share.
On partitions formatted using FAT, you can restrict files only at the folder level, only over the network, and only if the folder is shared. For someone who logs on locally, the shares have no effect. Needless to say, this security is inadequate for most companies.
On an NTFS volume, folders can be shared and also restricted further by means of permissions. Also, use folder and file permissions for security control both locally and over the network and allow Full Control access to Authenticated Users on the share (we recommend that you replace the Everyone permission with Authenticated Users).
The easiest way to create shared folders is to use the Configure Your Server tool from the Administrative Tools folder. To do so, follow these steps:
Figure 9-25. Selecting a folder to be shared.
Figure 9-26. Selecting share permissions.
You can set shares directly by right-clicking a folder, choosing Properties from the shortcut menu, and then clicking the Sharing tab.
Real World
Share Names and Filenames in MS-DOS
If you have MS-DOS-based machines on your network (that includes Windows versions through 3.11) that will be accessing a shared folder, you must follow the 8.3 naming convention in the share name. A share name that doesn't conform to the MS-DOS 8.3 naming standard will not be seen at all by users with MS-DOS or Windows 3.x machines.
The names of files or folders can have up to 255 characters. MS-DOS users connecting to the file or folder over the network will see the name in the 8.3 format. Windows NT truncates the long names down to a size that an MS-DOS machine can recognize but does not do so for share names. Yes, it's odd. Windows 2000 converts long names to short names using the following rules:
As you can see, long filenames when truncated can be quite mysterious. If your network includes MS-DOS computers, you may want to continue using MS-DOS naming conventions for the first six characters. The budget files just used as examples would then be MARBUD~Budget Figures for March.XLS and 2NDQTR~Budget Figures for the Second Quarter.XLS. To the MS-DOS computer, the files would appear as MARBUD~1.XLS and 2NDQTR~1.XLS.
A single folder might be shared more than once. For example, one share might include Full Control for Administrators and another share for users might be more restricted. To add a new share, follow these steps:
Figure 9-27. Adding a new share.
To remove a folder from being shared, launch Computer Management from the Administrative Tools folder. Expand System Tools, then Shared Folders, and then Shares. Right-click the shared folder in the details pane, and choose Stop Sharing from the shortcut menu.
In Windows NT, when users are connected to a folder you are about to stop sharing, you are warned in a dialog box. This doesn't happen in Windows 2000. If you stop sharing a folder that users are connected to, the users are dropped out of the folder without warning and they might lose data.
Share permissions establish the maximum range of access available. Other permission assignments (on an NTFS volume) can be more restrictive but can't expand beyond the limits established by the share permissions. Table 9-8 summarizes the three types of access, from most restrictive to least restrictive.
Table 9-8. Types of share permissions
Share Permission | Type of Access
---|---
Read | Allows viewing of file and subfolder names; can always view and clear the security log.
Change | Allows the access under Read, plus allows adding files and subdirectories to the shared folder, changing data in files, and deleting files and subdirectories.
Full Control | Allows all the access under Change plus allows changing permissions (NTFS volumes only) and taking ownership (NTFS volumes only).
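The rule just stated (and in the Real World sidebar earlier): share permissions cap what a user gets over the network, NTFS folder and file permissions apply both locally and over the network, and an explicit Deny removes access. The following model is an added example, not code from the book or from Windows; the three coarse levels Read, Change and Full Control are the ones the text uses, and the principals, groups and ACEs are constructed sample data.

```python
"""Model of how share permissions and NTFS permissions combine (added example)."""
from dataclasses import dataclass

LEVELS = ("Read", "Change", "Full Control")   # least to most access; each includes the ones below
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Ace:
    principal: str      # user, group, or special identity (Everyone, Authenticated Users, ...)
    level: str          # one of LEVELS
    allow: bool = True  # False models an explicit Deny entry


def granted(aces, who):
    """Highest level `aces` allow to `who` (the user's own name plus every group
    and special identity it belongs to), or None. A Deny at some level removes
    that level and every level above it, whatever the Allow entries say."""
    allowed = [RANK[a.level] for a in aces if a.allow and a.principal in who]
    denied = [RANK[a.level] for a in aces if not a.allow and a.principal in who]
    if not allowed:
        return None
    top = max(allowed)
    if denied:
        top = min(top, min(denied) - 1)
    return LEVELS[top] if top >= 0 else None


def effective_access(share_aces, ntfs_aces, who, over_network=True):
    """Access `who` ends up with. Over the network the answer is the lower of the
    share result and the NTFS result; for a local logon the share is ignored."""
    ntfs = granted(ntfs_aces, who)
    if not over_network:
        return ntfs
    share = granted(share_aces, who)
    if share is None or ntfs is None:
        return None
    return LEVELS[min(RANK[share], RANK[ntfs])]


def everyone_full_control(share_aces):
    """Audit check for the default share setting the text recommends replacing
    (Everyone, Full Control) with Authenticated Users."""
    return any(a.allow and a.principal == "Everyone" and a.level == "Full Control"
               for a in share_aces)


if __name__ == "__main__":
    # Constructed sample: share restricted to Read, NTFS gives Finance Full Control.
    share = [Ace("Everyone", "Read")]
    ntfs = [Ace("Finance", "Full Control"), Ace("Domain Users", "Read")]
    alice = {"alice", "Finance", "Domain Users", "Everyone", "Authenticated Users"}
    print("over network:", effective_access(share, ntfs, alice))        # Read
    print("local logon: ", effective_access(share, ntfs, alice, False))  # Full Control
```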
To set share permissions for a folder, right-click the folder and choose Sharing from the shortcut menu. Click Permissions to open the dialog box shown in Figure 9-28. The type of access is set by the list at the bottom. Use the Add and Remove buttons to change who has access. Share permissions can be assigned to individual users, to groups, and to the special identities Everyone, System, Interactive, Network, and Authenticated Users.
Figure 9-28. Setting share permissions.
After traipsing through the various windows of My Network Places to find a shared folder, users can simply double-click the folder to open it and access its contents. For easier access, right-click the shared folder and drag it to the desktop. Select Create Shortcut Here after releasing the mouse button.
For frequent use, it's simple to map a folder or drive so that it appears in Windows Explorer (or My Computer) as simply another local drive. The following sections cover mapping network folders to drive letters, as well as disconnecting from mapped drives.
A mapped drive is even better than a shortcut in one important respect: if you're using older programs, they're not going to recognize the network places and will not be able to open or save files anywhere other than your own computer. If you map a drive, the program cooperates because the drive on the other computer appears (to the program at least) to be local.
You can link a network share to a drive letter using the following procedure:
Figure 9-29. Mapping a network resource.
To get rid of a mapped drive or folder, you can select it and right-click. Choose Disconnect from the shortcut menu (Figure 9-30).
Figure 9-30. Disconnecting a mapped resource.
You can see a list of shares, current sessions, and open files by opening Computer Management from the Administrative Tools folder and then expanding Shared Folders (Figure 9-31).
Figure 9-31. Viewing shared folders.
Expand Shares to see a list of the shared folders plus the following information about each folder:
Expand Sessions in the console tree to see the following information about the users who are currently connected:
Expand Open Files in the console tree for a list of the files currently open. In the details pane, you can see the name of the file, who opened it, the type of connection, the number of locks on the file (if any), and the share permissions that were granted when the file was opened.
For regular viewing of shares, it might be more efficient to make an MMC that contains the Shared Folders snap-in. You can add a Shared Folders snap-in for several servers and switch among them easily (Figure 9-32).
Figure 9-32. Viewing shared folders on multiple servers.