Section 9.3: Shared Folder Permissions

Shared folder permissions apply to folders, not individual files. Because you can apply them only to the entire shared folder, and not to individual files or subfolders within it, shared folder permissions provide less detailed security than NTFS permissions.

Shared folder permissions apply only to users who connect to the folder over the network, not to users who gain access to the folder at the computer where the folder is stored.

Shared folder permissions can secure network resources on a FAT or FAT32 volume, on which you cannot implement NTFS permissions.

The default shared folder permission is Full Control, and it is assigned to the Everyone group when you share the folder.

Table 9.3: Shared Folder Permissions

| Permission | Allows the user to... |
|---|---|
| Read | Display folder names, filenames, file data, and attributes; run program files; and change folders within the shared folder. |
| Change | Create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files, plus, it allows the user to perform actions permitted by the Read permission. |
| Full Control | Change file permissions, take ownership of files, and perform all tasks permitted by the Change permission. |

You can also allow or deny shared folder permissions. Applying shared permissions to user accounts and groups affects access to a shared folder. Denying permission takes precedence over the permissions that you allow.

Note: Multiple Shared Folder Permissions Combine: A user's effective permissions for a resource are the sum of the Shared Folder permissions that you assign to the individual user account and to all of the groups to which the user belongs. In other words, if a user has Read permission for a folder and is a member of a group with Change permission for the same folder, the user has both Read and Change permissions for that folder.

Note: Denying Shared Folder Permissions Overrides Other Permissions: Denied permissions take precedence over any permissions that you may have granted the user accounts and groups. If you deny a shared folder permission to a user, the user will not have that permission, even if you allow the permission for a group of which the user is a member.

Note: Copied or Moved Shared Folders Are Not Shared: When you copy a shared folder, the original shared folder is still shared, but the copy is not shared. When you move a shared folder, it is no longer shared.

9.3.1: Shared Application Folders

Applications that are installed on a network server and can be used by users from their client computers must be placed in shared application folders. The advantage of shared applications is that you do not need to install and maintain most components of the applications on each computer. The program files for the applications can be stored on the server, while configuration information for the applications can be stored on each client computer.

You should create one shared folder for applications and organize all of your applications under this folder. When you combine all applications under one shared folder, you designate one location for installing and upgrading software.

You should assign the Administrators group the Full Control permission for the applications folder so that they can manage the application software and control user permissions.

You should remove the Full Control permission from the Everyone group and assign the Read permission to the Users group. This provides more security because the Users group includes only user accounts that you created, whereas the Everyone group includes anyone who has access to network resources, including the Guest account.

Note: Removing a permission from a user account or a group differs from denying the permission to that user or group. If you deny a shared folder permission to a user, the user will not have that permission, even if you allow the permission for a group of which the user is a member. If you remove a permission from a user account, the user may still have the permission by virtue of his or her membership in another group that has been granted that permission.

You should assign the Change permission to groups that are responsible for upgrading and troubleshooting applications.

You should create a separate shared folder outside your shared application folder for any application for which you need to assign different permissions. You can then assign the appropriate permissions to that folder.
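The combining, deny and remove rules from the notes above, applied to the application-folder assignments recommended in this section, can be checked with a small model. This is an added example, not part of the original text; it treats each permission as the set of actions in Table 9.3 (a simplification of how Windows evaluates share ACLs), and the accounts and the AppMaintainers group are hypothetical.

```python
# Simplified model (assumption): each permission is the set of actions from
# Table 9.3; Windows itself compares access masks, not named actions.
READ = frozenset({"list", "read_data", "run_programs"})
CHANGE = READ | {"create", "write_data", "delete"}
FULL_CONTROL = CHANGE | {"change_permissions", "take_ownership"}
LEVELS = [("Full Control", FULL_CONTROL), ("Change", CHANGE), ("Read", READ)]
BY_NAME = dict(LEVELS)

# Constructed accounts and group memberships (hypothetical names).
MEMBERS = {
    "alice": {"Everyone", "Users"},
    "bob": {"Everyone", "Users", "AppMaintainers"},
    "admin1": {"Everyone", "Users", "Administrators"},
    "Guest": {"Everyone"},  # in Everyone, but not in Users
}

# Share ACL entries: (trustee, "allow" or "deny", permission name).
DEFAULT_ACL = [("Everyone", "allow", "Full Control")]  # state right after sharing
HARDENED_ACL = [
    ("Administrators", "allow", "Full Control"),
    ("Users", "allow", "Read"),
    ("AppMaintainers", "allow", "Change"),
    ("bob", "allow", "Change"),  # explicit per-user grant
]
# Removing bob's own entry versus adding a deny entry for him.
REMOVED_ACL = [e for e in HARDENED_ACL if e[0] != "bob"]
DENIED_ACL = REMOVED_ACL + [("bob", "deny", "Change")]

def effective_actions(user, acl, members=MEMBERS):
    """Union of allowed actions for the user and their groups, minus any denied."""
    trustees = {user} | members[user]
    allowed, denied = set(), set()
    for trustee, kind, level in acl:
        if trustee in trustees:
            (allowed if kind == "allow" else denied).update(BY_NAME[level])
    return allowed - denied

def effective_level(user, acl, members=MEMBERS):
    """Highest named permission fully covered by the effective actions, or None."""
    actions = effective_actions(user, acl, members)
    for name, needed in LEVELS:
        if needed <= actions:
            return name
    return None

if __name__ == "__main__":
    for label, acl in [("default", DEFAULT_ACL), ("hardened", HARDENED_ACL),
                       ("bob removed", REMOVED_ACL), ("bob denied", DENIED_ACL)]:
        print(label, {u: effective_level(u, acl) for u in MEMBERS})
```

In this model, denying Change to bob also removes his Read access, because the Change permission includes every action that Read permits.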

9.3.2: Data Folders

Workers who collaborate on a common project can use data folders to exchange public and working data over the network. Working data folders are used by members of a team to access shared files. Public data folders are used by larger groups of users who all need access to common data.

9.3.3: Administrative Shared Folders

Windows Server 2003 automatically shares folders for administrative purposes. The names of these shares end with a dollar sign ($), which hides the shared folder from users who browse the computer. The root of each volume, the system root folder, and the location of the printer drivers are all hidden shared folders that you can gain access to across the network.

The root of each volume on a hard disk is automatically shared, and the share name is the drive letter appended with a dollar sign ($). When you connect to this folder, you have access to the entire volume. You use the administrative shares to remotely connect to the computer to perform administrative tasks. Windows Server 2003 assigns the Full Control permission to the Administrators group.

The system root folder, which is C:\Winnt by default, is shared as Admin$. Administrators can gain access to this shared folder to administer Windows Server 2003 without knowing in which folder it is installed.

Only members of the Administrators group have access to this share. Windows Server 2003 assigns the Full Control permission to the Administrators group.

When you install the first shared printer, the %systemroot%\System32\Spool\Drivers folder is shared as Print$. This folder provides access to printer driver files for clients. Only members of the Administrators, Server Operators, and Print Operators groups have the Full Control permission. The Everyone group has the Read permission.

Note: You can hide additional shared folders by appending a dollar sign to the end of the share name. Only users who know the folder name will then be able to access it if they also possess the proper permissions to it.