Configuring Shares and Permissions


As has been mentioned before, the whole point of a network is to share resources among the users. However, sharing is also an extension of the security features that begin with user accounts and passwords. Your goal as a system administrator is to make sure that everyone can use the resources they need without compromising the security of files and other resources. Three types of capabilities can be given to users:

  • Rights Assigned to built-in groups, but the administrator can extend rights to other groups or individuals. (Rights are covered earlier in this chapter.)
  • Shares Directories or drives that are shared on the network.
  • Permissions File system capabilities that can be granted to individuals or to groups.

In the normal course of events, you'll deal with rights only rarely. However, shares and permissions are at the heart of an administrator's responsibilities.

On an NTFS volume, Windows 2000, like Windows NT Server, allows security that's so granular it's practically microscopic. Permissions of various types can be set, including on individual files. This presents quite a temptation to the administrator to micro-manage every resource. Our best advice is to not give in to this temptation. Start with the least restriction possible and add restrictions only when required.

REAL WORLD  Differences Between Shares and Permissions
Shares and permissions, although they sound very much alike, are not at all the same and it's important to understand the differences. Shares apply to drives and directories. Until a drive or folder is shared over the network, users can't see it or gain access to it. Once a folder is shared, everyone on the network has, by default, access to all files in the folder, and to all subfolders of that folder and so on.

On a FAT volume, a drive or folder can be shared and then additional restrictions added in the form of share permissions. These permissions apply only at the drive or folder level—not at the file level—and are limited to allowing or denying Full Control, Read, and Change.

On NTFS volumes, directories have the same share permissions as those on a FAT volume, but another layer of permission is available beyond that. Each folder has a Security Properties window that allows more precise restrictions. Each file also has a Security Properties window, allowing access to be granted or denied for individual files. These folder permissions and file permissions can restrict access both across the network and locally. For example, you can leave the share permission for a folder at the default setting, allowing Full Control to Everyone, and use the Security Properties windows to set more restrictive permissions by group or individual—either for the folder as a whole or file-by-file within the folder.

Share permissions determine the maximum access over the network. This means if you set share permissions to allow Read but deny Change, all users will be restricted to Read only when they access the share over the network. You can, however, grant a user more extensive access through folder or file permissions, and this expanded access will be available when the user logs on locally. Or you can block the inheritance of permissions on a subfolder and give a user Full Control of the subfolder over the network—while the parent folder remains Read only.

Shares have no effect on users who can log on locally. For someone who will be logging on locally to an NTFS partition, access can be restricted by using permissions.

Using Special Shares

In addition to shares created by a user or administrator, the system creates a number of special shares that shouldn't be modified or deleted. The special share you're most likely to see is the ADMIN$ share, which appears as C$, D$, E$, and so on. These shares allow administrators to connect to drives that are otherwise not shared.

Special shares exist as part of the operating system's installation. Depending on the computer's configuration, some or all of the following special shares may be present. None of them should be modified or deleted.

  • ADMIN$ Used during the remote administration of a computer. The path is always the location of the folder in which Windows was installed (that is, the system root). Only Administrators, Backup Operators, and Server Operators can connect to this share.
  • driveletter$ The root folder of the named drive. Only Administrators, Backup Operators, and Server Operators can connect to these shares on a Windows 2000 Server. On a Windows 2000 Professional computer, only Administrators and Backup Operators can connect to these shares.
  • IPC$ Used during remote administration and when viewing shared resources. This share is essential to communication and you do not want to change, modify, or delete it.
  • NETLOGON Used by the Net Logon service of a server running Windows NT Server while processing domain logons. This resource is provided for servers only, not for Windows NT Workstation.
  • PRINT$ A resource that supports shared printers.
  • REPL$ Created on a server when a fax client is sending a fax.

To connect to an unshared drive on another computer, use the address bar in any window and enter the address (Figure 9-24), using the syntax


Figure 9-24. Connecting to an unshared drive on a remote computer.

To connect to the system root folder (the folder in which Windows is installed) on another computer, use the syntax


Other special shares such as IPC$ and PRINT$ are created and used solely by the system. NETLOGON is a special share on Windows 2000 and Windows NT servers and is used while processing domain logon requests.
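
Because the chapter says the special shares must never be modified or deleted, a practical check is to compare what a server actually exposes with that list. The following is an added example, not code from the book: it parses the text that the `net share` command prints and reports a missing ADMIN$ or IPC$, an administrative share that no longer points at the system root or a drive root, and any hidden (`$`) share the system did not create. The column layout, the sample listings and the `C:\WINNT` system root are constructed for the example and are assumptions, not captured output.

```python
"""Compare a `net share` listing with the special shares the chapter lists (added example)."""
from __future__ import annotations

# Special shares the chapter says must not be modified or deleted. NETLOGON, PRINT$ and
# REPL$ appear only when the corresponding role is present, so they are known but not required.
REQUIRED_SPECIAL = {"ADMIN$", "IPC$"}
KNOWN_SPECIAL = REQUIRED_SPECIAL | {"NETLOGON", "PRINT$", "REPL$"}

# Column layout of `net share` output as modelled here (an assumption, not captured output):
# share name padded to 13 columns, resource padded to 32, then the remark.
NAME_W, RES_W = 13, 32


def _row(name: str, resource: str = "", remark: str = "") -> str:
    return name.ljust(NAME_W) + resource.ljust(RES_W) + remark


def constructed_listing(rows: list[tuple[str, str, str]]) -> str:
    """Build sample output in the `net share` layout (constructed test data)."""
    lines = [_row("Share name", "Resource", "Remark"), "", "-" * 79]
    lines += [_row(*r) for r in rows]
    lines.append("The command completed successfully.")
    return "\n".join(lines)


def parse_net_share(text: str) -> dict[str, tuple[str, str]]:
    """Return {share name: (resource, remark)}.

    Each row is sliced at the header's column offsets, so an empty Resource column
    (as on IPC$) does not shift the remark into the resource field. A path wider than
    its column would spill into the remark; that limitation is accepted here."""
    lines = text.splitlines()
    header = next(line for line in lines if line.startswith("Share name"))
    res_col, rem_col = header.index("Resource"), header.index("Remark")
    shares: dict[str, tuple[str, str]] = {}
    in_body = False
    for line in lines:
        if line.startswith("---"):
            in_body = True
            continue
        if not in_body or not line.strip() or line.startswith("The command"):
            continue
        shares[line[:res_col].strip()] = (line[res_col:rem_col].strip(), line[rem_col:].strip())
    return shares


def is_drive_share(name: str) -> bool:
    """C$, D$, ...: the root of a drive, hidden from browsing by the trailing $."""
    return len(name) == 2 and name[0].isalpha() and name[1] == "$"


def audit_shares(shares: dict[str, tuple[str, str]], system_root: str) -> list[str]:
    """Report special shares that are missing or no longer point where the chapter says
    they must, plus hidden ($) shares that the system does not create itself."""
    findings = [f"special share {n} is missing" for n in sorted(REQUIRED_SPECIAL - shares.keys())]
    if "ADMIN$" in shares:
        path = shares["ADMIN$"][0]
        if path.rstrip("\\").lower() != system_root.rstrip("\\").lower():
            findings.append(f"ADMIN$ points at {path!r}, not the system root {system_root!r}")
    for name, (resource, _remark) in shares.items():
        if is_drive_share(name):
            if resource.lower() != f"{name[0].lower()}:\\":
                findings.append(f"{name} points at {resource!r} instead of the drive root")
        elif name.endswith("$") and name not in KNOWN_SPECIAL:
            findings.append(f"hidden share {name} is not one the system creates")
    return findings


# Constructed samples: a healthy server, and one where IPC$ is gone and an
# unexpected hidden share has appeared.
HEALTHY = constructed_listing([
    ("C$", "C:\\", "Default share"),
    ("IPC$", "", "Remote IPC"),
    ("ADMIN$", "C:\\WINNT", "Remote Admin"),
    ("Payroll", "C:\\Data\\Payroll", ""),
])
TAMPERED = constructed_listing([
    ("C$", "C:\\", "Default share"),
    ("ADMIN$", "C:\\WINNT", "Remote Admin"),
    ("Backup$", "D:\\Stage", ""),
])

if __name__ == "__main__":
    for label, listing in (("healthy", HEALTHY), ("tampered", TAMPERED)):
        print(label, audit_shares(parse_net_share(listing), "C:\\WINNT") or ["no findings"])
```

On a real server you would feed `parse_net_share` the captured output of `net share` instead of the constructed listing, and supply the host's actual system root.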

Shares and Permissions on NTFS vs. FAT

On partitions formatted using FAT, you can restrict files only at the folder level, only over the network, and only if the folder is shared. For someone who logs on locally, the shares have no effect.

On an NTFS volume, directories can be shared and also restricted further by means of permissions. On an NTFS volume, you should use folder and file permissions for security control both locally and over the network and allow Full Control access to Everyone on the share.

Sharing a Folder

The easiest way to create shared folders is to use the Configure Your Server tool from the Administrative Tools menu. To do so, follow these steps:

  1. Open Configure Your Server and click File Server in the left column.
  2. Click the link Start the Shared Folder Wizard to open the Create Shared Folder dialog box.
  3. Enter the name and path of the folder and a share name (Figure 9-25).

    Figure 9-25. Selecting a folder to be shared.

  4. Select the share permissions you want to assign to the folder (Figure 9-26), bearing in mind that it's almost always better to control access through permissions rather than shares. Click Finish when you're done.

    Figure 9-26. Selecting share permissions.

You can set shares directly by right-clicking a folder, choosing Properties from the shortcut menu, then clicking the Sharing tab.

REAL WORLD  Share Names and File Names in MS-DOS
If you have MS-DOS-based machines on your network (that includes Windows versions through 3.11) that will be accessing a shared folder, you must follow the 8.3 naming convention in the share name. A share name that doesn't conform to the MS-DOS 8.3 naming standard will not be seen at all by users with MS-DOS or Windows 3.x machines.

The names of files or directories can have up to 255 characters. MS-DOS users connecting to the file or folder over the network will see the name in the 8.3 format. Windows NT will truncate the long names down to a size that an MS-DOS machine can recognize but will not do so for share names. Yes, it's odd. Windows 2000 converts long names to short names using the following rules:

  • Spaces are removed.
  • Characters not allowed in MS-DOS names are replaced by underscores (_).
  • The name is shortened to its first six remaining characters, and then a tilde and a digit are added. For the first file, the digit will be 1. For a second file using the same six characters, the digit will be 2. For example, your file named Budget Figures for March will be shortened to BUDGET~1. A second file, called Budget Figures for the Second Quarter, will be shortened to BUDGET~2.
  • If the long name has any periods followed by other characters, the last period and the next three characters are used as the file extension in the short version of the file name. So a file called December.Sales.Presentation will be shortened to DECEMB~1.PRE.

As you can see, long file names, when truncated, may be quite mysterious. If your network includes MS-DOS computers, you may want to continue using MS-DOS naming conventions for the first six characters. The budget files used above as examples would then be MARBUD~Budget Figures for March.XLS and 2NDQTR~Budget Figures for the Second Quarter.XLS. To the DOS computer, the files would appear as MARBUD~1.XLS and 2NDQTR~1.XLS.
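
The four rules above are easier to trust once you can run them. The following is an added example, not code from the book: a small model of the conversion that applies the rules in order (drop spaces, replace illegal characters with underscores, keep the first six remaining characters plus a tilde and a per-directory digit, take the extension from the last period) and reproduces the sidebar's BUDGET~1, BUDGET~2, DECEMB~1.PRE and MARBUD~1.XLS results. Two things are assumptions beyond the page: names that already fit 8.3 are shown unchanged in uppercase rather than aliased, and the set of characters MS-DOS accepts is spelled out in the code.

```python
"""Model of the long-to-short (8.3) name conversion described in the sidebar (added example)."""
from __future__ import annotations

# Characters MS-DOS accepts in a file name besides ASCII letters and digits (assumption).
DOS_EXTRA_CHARS = set("!#$%&'()-@^_`{}~")


def _dos_legal(ch: str) -> bool:
    return (ch.isascii() and ch.isalnum()) or ch in DOS_EXTRA_CHARS


def _split_extension(name: str) -> tuple[str, str]:
    """Split at the LAST period (rule 4); the text after it becomes the extension."""
    if "." in name:
        base, ext = name.rsplit(".", 1)
        return base, ext
    return name, ""


def _clean(part: str) -> str:
    """Rules 1 and 2: drop spaces, replace characters MS-DOS rejects with '_'.
    Uppercasing is implied by the page's own examples (BUDGET~1, DECEMB~1.PRE)."""
    kept = (ch if _dos_legal(ch) else "_" for ch in part if ch != " ")
    return "".join(kept).upper()


def fits_8_3(name: str) -> bool:
    """True when a name is already a legal 8.3 name. Assumption beyond the page's
    rules: such a name needs no alias and is simply shown in uppercase."""
    base, ext = _split_extension(name)
    if not base or "." in base or len(base) > 8 or len(ext) > 3:
        return False
    return all(_dos_legal(ch) for ch in base + ext)


class ShortNameTable:
    """Issues short names for one directory, keeping the ~digit unique per stem."""

    def __init__(self) -> None:
        self._issued: dict[str, int] = {}

    def short_name(self, long_name: str) -> str:
        if fits_8_3(long_name):
            return long_name.upper()
        base, ext = _split_extension(long_name)
        stem = _clean(base)[:6]    # rule 3: first six remaining characters
        ext = _clean(ext)[:3]      # rule 4: up to three characters after the last period
        key = f"{stem}.{ext}"
        digit = self._issued.get(key, 0) + 1
        if digit > 9:
            # The page describes a single digit; what NTFS does once it runs out
            # (it switches to a different scheme) is outside this model.
            raise ValueError(f"no single-digit alias left for {long_name!r}")
        self._issued[key] = digit
        return f"{stem}~{digit}" + (f".{ext}" if ext else "")


def short_names(long_names: list[str]) -> list[str]:
    """Convert a directory listing in order, as the BUDGET~1 / BUDGET~2 example does."""
    table = ShortNameTable()
    return [table.short_name(n) for n in long_names]


if __name__ == "__main__":
    # The sidebar's examples plus one constructed name that already fits 8.3.
    listing = [
        "Budget Figures for March",
        "Budget Figures for the Second Quarter",
        "December.Sales.Presentation",
        "MARBUD~Budget Figures for March.XLS",
        "Notes.txt",
    ]
    for long_name, short in zip(listing, short_names(listing)):
        print(f"{short:14} <- {long_name}")
```

Note that the digit is assigned per directory in listing order, which is why the same six-character stem gets ~1 for the first file and ~2 for the second; renaming or re-copying files can change which file gets which digit.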

Creating a New Share for a Shared Folder

A single folder might be shared more than once. For example, one share might include Full Control for Administrators and another share for users might be more restricted. To add a new share, follow these steps:

  1. Find the shared folder in Windows Explorer, and right-click on it. Choose Sharing from the shortcut menu.
  2. In the dialog box that opens, click the New Share button.
  3. In the New Share dialog box (Figure 9-27), enter a new Share Name. (Each share must have a unique name.) Set a user limit, if necessary.
  4. Click Permissions to restrict access. Again, by default, the shared folder gives Full Control to all users.

Figure 9-27. Adding a New Share.

Stopping Folder Sharing

To remove a folder from being shared, open Computer Management from the Administrative Tools menu. Expand System Tools, then Shared Folders, and then Shares. Right-click the shared folder in the details pane, and choose Stop Sharing from the shortcut menu.

In Windows NT, when users are connected to a folder you are about to stop sharing, you are warned in a dialog box. This doesn't happen in Windows 2000. If you stop sharing a folder that users are connected to, the users are dropped from the folder without warning, and they may lose data.

Share Permissions

Share permissions establish the maximum range of access available. Other permission assignments (on an NTFS volume) can be more restrictive but can't expand beyond the limits established by the share permissions. Table 9-8 summarizes the three types of access, from most restrictive to least restrictive.

Table 9-8. Types of share permissions

Share Permission   Type of Access
Read               Allows viewing of file and subfolder names, can always view and clear the security log.
Change             Allows the access under Read, plus allows adding files and subdirectories to the shared folder, changing data in files, and deleting files and subdirectories.
Full Control       Allows all the access under Change plus allows changing permissions (NTFS volumes only) and taking ownership (NTFS volumes only).
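
The REAL WORLD sidebar, the NTFS-versus-FAT section and Table 9-8 all make the same point: over the network a user gets only what both the share permission and the NTFS permission grant, while locally the share permission plays no part at all. The following is an added example, not code from the book, that models that rule with the three levels of Table 9-8 and adds the audit check an administrator most often wants, a list of shares on which Everyone ends up able to write over the network. The folders, groups and users are constructed; the treatment of Deny entries follows the sidebar's "allow Read but deny Change" description and is a simplification of Windows access masks, as the comments say.

```python
"""Toy model of how share permissions and NTFS permissions combine (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Share-permission levels are cumulative: Change includes Read, Full Control includes Change.
LEVEL_RIGHTS = {
    "Read": {"read"},
    "Change": {"read", "write"},
    "Full Control": {"read", "write", "full"},
}
# What a Deny entry at each level takes away. Modelled on the sidebar's statement that
# "allow Read but deny Change" leaves Read intact; Deny Full Control removes everything.
# Real Windows access masks are finer-grained than this three-right model.
DENY_RIGHTS = {
    "Read": {"read"},
    "Change": {"write"},
    "Full Control": {"read", "write", "full"},
}


@dataclass(frozen=True)
class Ace:
    """One access-control entry: who, Allow or Deny, and which level."""
    identity: str   # user, group, or special identity such as Everyone
    kind: str       # "Allow" or "Deny"
    level: str      # a key of LEVEL_RIGHTS


@dataclass
class SharedFolder:
    name: str
    share_acl: list[Ace]
    ntfs_acl: list[Ace] | None = None   # None models a FAT volume (no file-level permissions)


def effective_rights(acl: list[Ace], principals: set[str]) -> set[str]:
    """Union the Allow entries for the user and every group they belong to,
    then remove whatever a matching Deny entry covers (deny wins)."""
    allowed: set[str] = set()
    denied: set[str] = set()
    for ace in acl:
        if ace.identity not in principals:
            continue
        if ace.kind == "Allow":
            allowed |= LEVEL_RIGHTS[ace.level]
        else:
            denied |= DENY_RIGHTS[ace.level]
    return allowed - denied


def network_access(folder: SharedFolder, principals: set[str]) -> set[str]:
    """Over the network the share permission is the ceiling: the user keeps only the
    rights that BOTH the share ACL and the NTFS ACL grant."""
    share = effective_rights(folder.share_acl, principals)
    if folder.ntfs_acl is None:
        return share
    return share & effective_rights(folder.ntfs_acl, principals)


def local_access(folder: SharedFolder, principals: set[str]) -> set[str]:
    """Logged on locally, share permissions have no effect; only NTFS permissions count."""
    if folder.ntfs_acl is None:
        return set(LEVEL_RIGHTS["Full Control"])   # FAT: nothing restricts a local user
    return effective_rights(folder.ntfs_acl, principals)


def describe(rights: set[str]) -> str:
    """Map a set of rights back onto the vocabulary of Table 9-8."""
    for level in ("Full Control", "Change", "Read"):
        if rights == LEVEL_RIGHTS[level]:
            return level
    return "No Access" if not rights else "+".join(sorted(rights))


def everyone_writable_over_network(folders: list[SharedFolder]) -> list[str]:
    """Audit check: shares on which Everyone ends up able to write over the network."""
    return [f.name for f in folders if "write" in network_access(f, {"Everyone"})]


# Constructed sample folders (not from the book).
# Payroll follows the sidebar's advice: share left at Everyone/Full Control, real control
# done through NTFS permissions; Temps are explicitly denied Change.
PAYROLL = SharedFolder(
    "Payroll",
    share_acl=[Ace("Everyone", "Allow", "Full Control")],
    ntfs_acl=[
        Ace("Payroll Clerks", "Allow", "Change"),
        Ace("Everyone", "Allow", "Read"),
        Ace("Temps", "Deny", "Change"),
    ],
)
# Archive: share permission tightened to Read, so NTFS Full Control helps only locally.
ARCHIVE = SharedFolder(
    "Archive",
    share_acl=[Ace("Everyone", "Allow", "Read")],
    ntfs_acl=[Ace("Archivists", "Allow", "Full Control")],
)
# Public lives on a FAT volume: the share permission is the only control there is.
PUBLIC_FAT = SharedFolder("Public", share_acl=[Ace("Everyone", "Allow", "Change")])

if __name__ == "__main__":
    cases = [
        ("alice (Archivists)", ARCHIVE, {"alice", "Archivists", "Everyone"}),
        ("bob (Payroll Clerks)", PAYROLL, {"bob", "Payroll Clerks", "Everyone"}),
        ("tom (Temps)", PAYROLL, {"tom", "Temps", "Everyone"}),
        ("guest", PUBLIC_FAT, {"guest", "Everyone"}),
    ]
    for who, folder, principals in cases:
        print(f"{folder.name:8} {who:22} network={describe(network_access(folder, principals)):13}"
              f" local={describe(local_access(folder, principals))}")
    print("Everyone can write over the network on:", everyone_writable_over_network([PAYROLL, ARCHIVE, PUBLIC_FAT]))
```

The Archive case is the sidebar's example: the archivist is limited to Read over the network but has Full Control when logged on at the console. The audit flags only the FAT share, because on Payroll the share's Everyone/Full Control is cut back to Read by the NTFS entry for Everyone.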

Setting Share Permissions

To set share permissions for a folder, right-click on the folder and choose Sharing from the shortcut menu. Click the Permissions button to open the dialog box shown in Figure 9-28. The type of access is set by the list at the bottom. Use the Add and Remove buttons to change who has access. Share permissions can be assigned to individual users, to groups, and to the special identities Everyone, System, Interactive, Network, and Authenticated Users.

Figure 9-28. Setting share permissions.

Mapping Shared Directories and Drives

After traipsing through My Network Places' various windows to find a shared folder, users can simply double-click the folder to open it and access its contents. For easier access, right-click the shared folder and drag it to the desktop. Select Create Shortcut Here after releasing the mouse button.

For frequent use, it's simple to map a folder or drive so that it appears in Windows Explorer (or My Computer) as simply another local drive.

A mapped drive is even better than a shortcut in one important respect: if you're using older programs, they're not going to recognize the network places and will not be able to open or save files anywhere other than your own computer. If you map a drive, the program cooperates because the drive on the other computer appears (to the program at least) to be local.

You can set up these connections for users or they can do it for themselves. Here's how it's done:

  1. Open My Network Places and find the shared resource you want to map.
  2. Right-click the object and choose Map Network Drive from the shortcut menu. The dialog box that appears (Figure 9-29) has three adjustable entries:
    • Drive This is the letter that the new folder or drive will be assigned on the local computer.
    • Connect Using A Different User Name If the mapping is for anyone other than the current user, click this link and supply the user name and password.
    • Reconnect At Logon Select this box to automatically make the connection at logon to the computer where this resource physically resides.

  3. Click Finish when you're done.


Figure 9-29. Mapping a network resource.

Disconnecting from Mapped Resources

To get rid of a mapped drive or folder, you can highlight it and right-click. Choose Disconnect from the shortcut menu (Figure 9-30).


Figure 9-30. Disconnecting a mapped resource.

Working with Shared Folders

You can see a list of shares, current sessions, and open files by opening Computer Management from the Administrative Tools menu and then expanding Shared Folders (Figure 9-31).


Figure 9-31. Viewing shared folders.

Expand Shares to see a list of the shared folders plus the following information about each folder:

  • The path to the shared resource
  • The type of connection (Windows, Macintosh, NetWare)
  • The number of users connected to the share
  • A description of the share

Expand Sessions in the console tree to see the following information about the users who are currently connected:

  • The user name and the name of the user's computer
  • The type of connection (Windows, Macintosh, NetWare)
  • The number of files opened by the user on this share
  • The time elapsed since the connection was established
  • The time since the user last initiated an action
  • Whether the user is connected as a guest

Expand Open Files in the console tree for a list of the files currently open. In the details pane, you can see the name of the file, who opened it, the type of connection, the number of locks on the file (if any), and the share permissions that were granted when the file was opened.

For regular viewing of shares, it may be more efficient to make an MMC that contains the Shared Folders snap-in. You can add a Shared Folders snap-in for several servers and switch among them easily (Figure 9-32).


Figure 9-32. Viewing shared folders on multiple servers.

Microsoft Windows 2000 Server Administrator's Companion, Vol. 1
ISBN: 1572318198
Year: 2000
Pages: 366