Section 6.1: Shared Files and Folders
You can share resources with other users on a network by sharing folders containing those resources. When you share a folder, you can control access to the folder by limiting the number of users who can simultaneously gain access to it, and you can also control access to the folder and its contents by assigning permissions to selected users and groups. Once you have shared a folder, users must connect to the shared folder and must have the appropriate permissions to gain access to it. In a Windows XP Professional workgroup, members of the built-in Administrators and Power Users groups can share folders on Windows XP Professional client computers and on the Windows 2000 stand-alone server which is part of the workgroup. In a Windows 2000 domain, the Administrators and Server Operators groups can share folders residing on any machines in the domain.
Note: The Power Users group is a local group and can share folders residing only on the stand-alone server or computer running Windows XP Professional where the group is located.
6.1.1: Shared Folder Permissions
- Shared folder permissions apply to folders, not individual files. Since you can apply shared folder permissions only to the entire shared folder, and not to individual files or subfolders in the shared folder, shared folder permissions provide less detailed security than NTFS permissions.
- Shared folder permissions are only applied to users who connect to the folder over the network and not to users who gain access to the folder at the computer where the folder is stored.
- Shared folder permissions can secure network resources on a FAT or FAT32 volume, on which you cannot implement NTFS permissions.
- The default shared folder permission is Full Control, and it is assigned to the Everyone group when you share the folder.
Table 6.1: Shared Folder Permissions
Shared Folder Permission | Description |
---|---|
Read | Display folder names, filenames, file data, and attributes; run program files; and change folders within the shared folder. |
Change | Create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files, and perform all actions permitted by the Read permission. |
Full Control | Change file permissions, take ownership of files, and perform all tasks permitted by the Change permission. |
You can also allow or deny shared folder permissions. Applying shared permissions to user accounts and groups affects access to a shared folder. Denying permission takes precedence over the permissions that you allow.
Note: Multiple Shared Folder Permissions Combine: A user's effective permissions for a resource are the sum of the Shared Folder permissions that you assign to the individual user account and to all of the groups to which the user belongs. In other words, if a user has Read permission for a folder and is a member of a group with Change permission for the same folder, the user has both Read and Change permissions for that folder.
Note: Denying Shared Folder Permissions Overrides Other Permissions: Denied permissions take precedence over any permissions that you may have granted the user accounts and groups. If you deny a shared folder permission to a user, the user will not have that permission, even if you allow the permission for a group of which the user is a member.
Note: NTFS Permissions Are Also Required On NTFS Volumes: Shared folder permissions alone can be used to grant users access to files and folders on a FAT or FAT32 volume but not on an NTFS volume. On a FAT or FAT32 volume, you can grant users access to a shared folder as well as all of the files and subfolders contained in the shared folder. To grant users access to a shared folder on an NTFS volume, you must grant them the shared folder permission and the appropriate NTFS permissions for each file and folder that you want them to gain access to.
Note: Copied or Moved Shared Folders Are Not Shared: When you copy a shared folder, the original shared folder is still shared, but the copy is not shared. When you move a shared folder, it is no longer shared.
6.1.2: Combining Shared Folder Permissions and NTFS Permissions
Shared folder permissions provide limited security for resources. You gain the greatest flexibility by using NTFS permissions to control access to shared folders. Also, NTFS permissions apply whether the resource is accessed locally or over the network. Therefore, a strategy for providing access to resources on an NTFS volume is to share folders with the default shared folder permissions and then control access by assigning NTFS permissions. When you share a folder on an NTFS volume, both shared folder permissions and NTFS permissions combine to secure file resources.
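The rules in 6.1.1 and 6.1.2 can be worked through as a small model. This is an added example, not code from the study guide or from Windows: the account and group names are constructed, NTFS rights are simplified to the same three rights as Table 6.1, and a deny entry is assumed to remove every right its level includes.

```python
# Added illustration: a simplified model of the rules in this section,
# not Windows' actual access-check code.
LEVELS = {  # Table 6.1: each permission includes the one before it
    "Read": {"read"},
    "Change": {"read", "change"},
    "Full Control": {"read", "change", "full"},
}

def share_rights(acl, user, groups):
    """Effective shared folder rights for a user connecting over the network.

    acl is a list of (principal, "allow" | "deny", level) entries.
    """
    principals = {user, *groups}
    allowed, denied = set(), set()
    for principal, kind, level in acl:
        if principal in principals:
            # Assumption: a deny removes every right the denied level includes.
            (allowed if kind == "allow" else denied).update(LEVELS[level])
    return allowed - denied  # allows from all memberships add up; a deny wins

def effective_rights(acl, ntfs_rights, user, groups, over_network=True):
    """Combine share and NTFS rights; ntfs_rights is None on a FAT/FAT32 volume."""
    if not over_network:
        # Share permissions are not applied to local access, and FAT/FAT32
        # has no NTFS permissions to fall back on.
        return set(LEVELS["Full Control"]) if ntfs_rights is None else set(ntfs_rights)
    share = share_rights(acl, user, groups)
    # On NTFS a right must be granted by both the share and NTFS permissions.
    return share if ntfs_rights is None else share & set(ntfs_rights)

# Constructed sample ACLs (names are hypothetical).
APPS_ACL = [
    ("Administrators", "allow", "Full Control"),
    ("Users", "allow", "Read"),
    ("AppSupport", "allow", "Change"),
    ("tempuser", "deny", "Full Control"),
]
DEFAULT_ACL = [("Everyone", "allow", "Full Control")]  # default when a folder is shared

if __name__ == "__main__":
    print(sorted(share_rights(APPS_ACL, "bob", ["Users", "AppSupport"])))
    print(sorted(share_rights(APPS_ACL, "tempuser", ["Users", "AppSupport"])))
    print(sorted(effective_rights(DEFAULT_ACL, {"read"}, "alice", ["Everyone"])))
```

The last call shows the strategy described above: the share keeps its default permission while the NTFS permissions decide what a network user can actually do.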
6.1.3: Shared Application Folders
Applications that are installed on a network server and can be used by users from their client computers must be placed in shared application folders. The advantage of shared applications is that you do not need to install and maintain most components of the applications on each computer. The program files for the applications can be stored on the server, while configuration information for the applications can be stored on each client computer.
- You should create one shared folder for applications and organize all of your applications under this folder. When you combine all applications under one shared folder, you designate one location for installing and upgrading software.
- You should assign the Administrators group the Full Control permission for the applications folder so that they can manage the application software and control user permissions.
- You should remove the Full Control permission from the Everyone group and assign the Read permission to the Users group. This provides more security because the Users group includes only user accounts that you created, whereas the Everyone group includes anyone who has access to network resources, including the Guest account.
Note: Removing a permission from a user account or a group differs from denying the permission to that user or group. If you deny a shared folder permission to a user, the user will not have that permission, even if you allow the permission for a group of which the user is a member. If you remove a permission from a user account, the user may still have the permission by virtue of his or her membership in another group that has been granted that permission.
- You should assign the Change permission to groups that are responsible for upgrading and troubleshooting applications.
- You should create a separate shared folder outside your shared application folder for any application for which you need to assign different permissions. You can then assign the appropriate permissions to that folder.
6.1.4: Data Folders
A group of users working on a common project can use data folders to exchange public and working data over the network. Working data folders can be used by members of a team to access shared files. Public data folders are used by larger groups of users who all need access to common data.
6.1.5: Administrative Shares
Windows XP Professional automatically shares folders for administrative purposes. These shares are appended with a dollar sign ($), which hides the shared folder from users who browse the computer. The root of each volume, the system root folder, and the location of the printer drivers are all hidden shared folders that you can gain access to across the network.
- The root of each volume on a hard disk is automatically shared, and the share name is the drive letter appended with a dollar sign ($). When you connect to this folder, you have access to the entire volume. You use the administrative shares to remotely connect to the computer to perform administrative tasks. Windows XP Professional assigns the Full Control permission to the Administrators group.
- The system root folder, which is C:\Winnt by default, is shared as Admin$. Administrators can gain access to this shared folder to administer Windows XP Professional without knowing in which folder it is installed. Only members of the Administrators group have access to this share. Windows XP Professional assigns the Full Control permission to the Administrators group.
- When you install the first shared printer, the systemroot\System32\Spool\Drivers folder is shared as Print$. This folder provides access to printer driver files for clients. Only members of the Administrators, Server Operators, and Print Operators groups have the Full Control permission. The Everyone group has the Read permission.
Note: You can hide additional shared folders by appending a dollar sign to the end of the share name. Only users who know the folder name will then be able to access it, and only if they also have the proper permissions to it.