Managing Access to Shared Folders
Terms you'll need to understand:
Simple file sharing
Offline files/client-side caching
NT File System (NTFS)
Built-in security principals
Access control list (ACL)
Access control entry (ACE)
Taking ownership of objects
Internet Information Server (IIS)
Internet Printing Protocol (IPP)
Techniques you'll need to master:
Creating network shares
Configuring share permissions
Configuring options for offline files
Setting basic and advanced NTFS permissions
Viewing effective permissions
Learning how to turn on auditing
Installing and managing Internet Information Server
Connecting to printers over the Internet
Why do we have computer networks anyway? Well, they empower us to collaborate on projects and share information with others, whether they're around the corner or across the globe. If you're working on a Windows XP Professional system that is connected to a network, you can share one or more of that system's folders with other computers and users on that network. Drive volumes and folders are not automatically shared for all users in Windows XP Professional. Members of the Administrators group and the Power Users group, discussed later in this chapter, are the only users who retain the rights to create shared network folders.
Managing Access to Shared Folders
Windows XP Professional implements a new feature called Simple File Sharing, which is enabled by default when the computer is stand-alone or a member of a network workgroup. Simple File Sharing is disabled when the computer is a member of a Windows domain. Simple File Sharing creates a Shared Documents folder, inside of which it creates two subfolders, Shared Pictures and Shared Music. Remote users who access a shared folder over the network always authenticate as the Guest user account when Simple File Sharing is enabled. The Properties sheet for a shared folder under Simple File Sharing configures both share permissions and NTFS permissions (if the shared folder is stored on an NTFS volume) simultaneouslyyou are not allowed to configure the two permissions separately. For example, you cannot make a shared folder private, under Simple File Sharing, unless the folder resides on an NTFS volume.
To turn off Simple File Sharing for a stand-alone system, or for a computer that is a member of a workgroup, perform the following steps:
Open a window in either My Computer or Windows Explorer.
Click Tools|Folder Options from the menu.
Click the View tab.
Clear the Use Simple File Sharing (Recommended) checkbox under the Advanced Settings section.
The Shared Documents, Shared Pictures, and Shared Music folders are not available if the Windows XP Professional computer is a member of a Windows domain.
Creating Shared Folders from My Computer or Windows Explorer
To share a folder with the network with Simple File Sharing disabled, you can use My Computer or Windows Explorer and follow these steps:
Open a window in either My Computer or Windows Explorer.
Right-click the folder that you want to share and then select Sharing And Security from the pop-up menu.
Click the Share This Folder button.
Type in a Share Name or accept the default name. Windows XP uses the actual folder name as the default Share Name.
Type in a Comment, if you desire. Comments appear in the Browse list when users search for network resources. Comments can help users to locate the proper network shares.
Specify the User Limit: Maximum Allowed or Allow This Number Of Users. Windows XP Professional permits a maximum of 10 concurrent network connections per share. Specify the Allow This Number Of Users option only if you need to limit the number of concurrent users for this share to fewer than 10.
Click OK to create the shared folder. The folder now becomes available to others on your network.
To remove a network share, right-click the shared folder and choose the Sharing And Securiy option. Click the Do Not Share This Folder option button and click OK. The folder will no longer be shared with the network.
The Security tab of an NTFS folder's properties dialog box is not displayed when Simple File Sharing is enabled and the computer is not a member of a Windows domain. To display the Security tab so that you can view and work with NTFS permissions for folders and files, open a window in My Computer or Windows Explorer and select Tools|Folder Options. Click the View tab and clear the checkbox entitled Use Simple File Sharing (Recommended).
Creating Shared Folders from the Shared Folders MMC Snap-in
To share a folder with the network with Simple File Sharing disabled, you may use the Shared Folders MMC snap-in from a custom console, or you can use the Shared Folders snap-in as part of the Computer Management Console by following these steps:
Right-click the My Computer icon and select Manage, or open an empty Microsoft Management Console window and add the Shared Folders snap-in for the local computer.
Expand the Shared Folders node and click Shares.
Right-click the Shares subnode and select New File Share.
Type the path and folder name in the Folder To Share box, or click Browse to locate it.
Type a name for the share in the Share Name box, and optionally, type in a Share Description.
Select one of the basic share permissions listed, or click Customize Share And Folder Permissions to define your own share permissions. The default selection is All Users Have Full Control. Remember, these are share permissions that apply only to users accessing this share remotely over the networknot NTFS security permissions!
Click Finish and then click Yes or No when prompted to create another shared folder.
Generally, if you are working with shared folders residing on NTFS volumes, it is a good idea to leave all share permissions at their default setting: EveryoneFull Control. Use NTFS security permissions to specify access control levels for both users and groups. By having only one set of permissions to manage, security access levels are less confusing, and you avoid possible conflicts with share permissions. In addition, NTFS security permissions apply to both remote network users and local users, so users cannot circumvent security permissions by logging on to the local computer.
To remove a shared folder from the Shared Folders snap-in, simply right-click the shared folder and select Stop Sharing. Click Yes and the folder will no longer be shared on the network.
Using Automatically Generated Hidden Shares
Windows XP Professional automatically creates shared folders by default each and every time the computer is started. These default shares are often referred to as hidden or administrative shares because a dollar sign ($) is appended to their share names, which prevents the shared folder from being displayed on the network Browse list; users cannot easily discover that these shares exist. When users browse through the My Network Places window, for example, they cannot see that such hidden shares even exist; Microsoft Windows Networking does not allow hidden shares to be displayed. The default hidden network shares include the following:
C$, D$, E$, and so onOne share gets created for the root of each available hard drive volume on the system.
ADMIN$This shares the %systemroot% folder with the network (for example, C:\Windows).
IPC$This share is used for interprocess communications (IPCs). IPCs support communications between objects on different computers over a network by manipulating the low-level details of network transport protocols. IPCs enable the use of distributed application programs that combine multiple processes working together to accomplish a single task.
print$This share holds the printer drivers for the printers installed on the local machine. When a remote computer connects to a printer over the network, the appropriate printer driver is downloaded to the remote PC.
Although you can temporarily disable hidden shares, you cannot delete them without modifying the Registry (which is not recommended), because they get re-created each time the computer restarts. You can connect to a hidden share, but only if you provide a user account with administrative privileges along with the appropriate password for that user account. Administrators can create their own custom administrative (hidden) shares simply by adding a dollar sign to the share name of any shared folder. Administrators can view all the hidden shares that exist on a Windows XP Professional system from the Shared Folders MMC snap-in.
Connecting to Shared Resources on a Windows Network
Users and network administrators have several options available to them for connecting to shared network resources. These options include the following:
Type in a Universal Naming Convention (UNC) path from the Start|Run dialog box in the format \\servername\sharename.
Navigate to the share from the My Network Places window.
Employ the net use command from a command prompt window.
If you want to connect to a shared folder named "samples" that resides on a Windows computer named SALES7, click Start|Run, type "\\SALES7\samples", and click OK. At this point, you are connected to that shared resource, provided that you possess the proper user ID, password, and security permissions needed to access the shared folder.
Connecting to Network Resources with the My Network Places Window
You can connect to a network share from My Network Places. To use the My Network Places window, perform the following steps:
Click Start|My Network Places.
In the right-hand Network Tasks section, click the Add A Network Place link, which reveals the Add Network Place Wizard.
Click Next, click Choose Another Network Location, and then click Next again.
Enter the Internet Or Network Address, or click Browse to locate the network share by viewing the available network resources. You can connect to one of the following types of resources:
A shared folder using the following syntax: \\server\share
A Web folder using the following syntax: http://webserver/share
An FTP site using the following syntax: ftp://ftp.domain.name
Click Next to enter a name for the network place or accept the default name.
Click Next again to view a summary of the Network Place that you are adding.
Click Finish to establish the connection to the shared folder, provided that you have the proper permissions. A list of network resources to which you have already connected is then displayed within the My Network Places window.
For Command-Line Junkies: The Net Share and Net Use Commands
You can create and delete shared folders from the command line instead of using the GUI. Windows XP offers several Net commands that you use from the command line. You can view all of the available Net commands by typing "Net /?" at a command prompt window. To create a new shared folder, you simply type "Net Share share_name=x:\folder_name", where share_name represents the name you want to assign to the shared folder, x: represents the drive letter where the folder resides, and folder_name represents the actual name of the folder. For help with the various options and syntax of the Net Share command, type "Net Share /?" at the command prompt.
You also have the option of connecting to network shares via the Net Use command. For help with the various options and syntax of the Net Use command, type "net use /?" at the command prompt. To connect to a remote resource from the command line, follow these steps:
Open a command prompt window (click Start|All Programs|Accessories|Command Prompt, or click Start|Run, type CMD, and click OK).
At the command prompt, type "net use X: \\servername\sharename" and press Enter, where X: is a drive letter that you designate (for example, net use M: \\sales7\samples). If you possess the appropriate permissions for that network share, you should see the message The Command Completed Successfully displayed in your command prompt window.
Controlling Access to Shared Folders
When you, as a network administrator, grant access to shared resources over the network, the shared data files become very vulnerable to unintentional, as well as intentional destruction or deletion by others. This is why network administrators must be vigilant in controlling data access security permissions. If access permissions to shared folders are too lenient, shared data may become compromised. On the other hand, if access permissions are set too stringently, the users who need to access and manipulate the data may not be able to do their jobs. Managing access control for shared resources can be quite challenging.
Shared Folder Properties: Configuring Client-Side Caching (Offline Files)
By right-clicking a shared folder and selecting Sharing, you can modify some of the shared folder's properties. You can specify whether network users can cache shared data files on their local workstations. To configure offline access settings for the shared folder, click the Caching button to display the Cache Settings dialog box. The default is to allow caching of files whenever you create a new shared folder. To disable this feature, you must clear the Allow Caching Of Files In This Shared Folder checkbox in the Cache Settings dialog box. If you allow caching of files for a shared folder, you must choose from three options in the Caching Settings dialog box:
Automatic Caching Of DocumentsThis option relies on the workstation and server computers to automatically download and make available offline any opened files from the shared folder. Older copies of files are automatically deleted to make room for newer and more recently accessed files. To ensure proper file sharing, the server version of the file is always opened.
Automatic Caching Of Programs And DocumentsThis setting is recommended for folders that contain read-only data, or for application programs that have been configured to be run from the network. This option is not designed for sharing data files, and file sharing in this mode is not guaranteed. Older copies of files are automatically deleted to make room for newer and more recently accessed files.
Manual Caching Of DocumentsThis is the default caching setting. This setting requires network users to manually specify any files that they want available when working offline. This setting is recommended for folders that contain user documents. To ensure proper file sharing, the server version of the file is always opened.
Click OK in the Caching Settings dialog box after making any configuration changes for offline access to the shared folder.
The default cache size is configured as 10 percent of the client computer's available disk space. You can change this setting by selecting Tools|Folder Options from the menu bar of any My Computer or Windows Explorer window. The Offline Files tab of the Folder Options dialog box displays the system's offline files settings, as shown in Figure 3.1.
Figure 3.1 The Offline Files tab of the Folder Options dialog box.
The Offline Files feature is also known as Client-Side Caching (CSC). The default location on Windows XP computers for storage of offline files is %systemroot%\CSC (for example, C:\Windows\CSC). You can use the Cachemov.exe tool from the Windows 2000 Professional Resource Kit, or the Windows 2000 Server Resource Kit to relocate the CSC folder onto a different drive volume. The Cachemov.exe utility moves the CSC folder to the root of the drive volume that is specified. After the CSC folder has been moved from its default location, all subsequent moves place it in the root of the drive volumeCachemov.exe never returns the folder to its original default location.
Shared Folder Permissions
In addition to the Caching button, located at the bottom of the Sharing tab of a shared folder's Properties dialog box, is the Permissions button. The caption next to this button reads To Set Permissions For Users Who Access This Folder Over The Network, Click Permissions. However, these "share" permissions are intended solely for backward-compatibility purposes; you should actually avoid changing the default settings on share permissions (Everyone:Allow Full Control) unless a share resides on a file allocation table (FAT) or FAT32 drive volume, which provides no file system security. In most circumstances, you should store all data and applications on NT File System (NTFS) drive volumes. In fact, as a general rule, you should format (or convert) all system drive volumes as NTFS. With the availability of third-party tools, as well as the native Windows XP Recovery Console, which permit command-line access to NTFS drives (even if the system won't boot), it's difficult to argue against NTFS for all drives in Windows XP.
Microsoft has positioned the NTFS file system as the preferred file system for Windows XP by making features such as security permissions, auditing, data compression, data encryption, reparse points, multiple named data streams, and Volume Shadow Copy Technology available only on NTFS drive volumes.
Network share permissions have their roots back in the days of Windows for Workgroups 3.11, before Windows NT and NTFS. Share permissions provided a way for administrators to control access to files for network users. Only three permissions are available: Full Control, Change, and Read. These three permissions can be explicitly allowed or denied. The default is Allow Full Control for the Everyone group. For shared folders that reside on FAT or FAT32 drives, share permissions do offer some degree of access control for network users. However, they provide no security for local access! Share permissions apply only to access over the network; these permissions have absolutely nothing to do with the underlying file system, which is why NTFS permissions are preferred. If you have a mixture of share permissions and NTFS permissions on the same folder, troubleshooting access control issues becomes more difficultuse either share permissions or NTFS permissions, not both.