
9 Administering Shared Folders


Academic year: 2021


Exam Objectives in this Chapter:

■ Manage and troubleshoot access to shared folders.

❑ Create and remove shared folders.

❑ Control access to shared folders by using permissions.

Why This Chapter Matters

In Chapter 8, “Securing Resources with NTFS Permissions,” you learned about NTFS File System permissions for Microsoft Windows XP Professional. You use NTFS permissions to specify which users and groups are allowed to access files and folders and how NTFS permissions control what users are allowed to do with the contents of the file or folder. Remember that NTFS permissions are available only on NTFS volumes and that NTFS security is in effect whether a user gains access to the file or folder at the local computer or over the network.

In this chapter, you will learn how to share folders and make the folders accessible over the network. You access a computer’s folders and their contents by first sharing the folders, and then accessing the folders across the network from a remote computer. Shared folders provide a way to restrict access to file resources that are located on file allocation table (FAT) or FAT32 partitions. In this chapter, you will learn how to share folders and how to restrict access to shared folders by using permissions.

Lessons in this Chapter:

■ Lesson 1: Introduction to Shared Folders

■ Lesson 2: Combining Shared Folder Permissions and NTFS Permissions

Before You Begin

To complete this chapter, you must have a computer that meets the minimum hardware requirements listed in the preface, “About This Book.” You must also have Windows XP Professional installed on the computer.

Lesson 1: Introduction to Shared Folders

You use shared folders to provide network users with access to file resources. When a folder is shared, users with appropriate permissions can access the folder over the network.

After this lesson, you will be able to

■ Explain Simple File Sharing

■ Identify shared folder permissions

■ Identify the requirements for sharing a folder

■ Identify the characteristics of shared folder permissions

■ Share a folder

■ Assign shared folder permissions

■ Create multiple share names for a shared folder

■ Modify a shared folder

■ Connect to a shared folder

■ Explain the use of administrative shares

■ Manage shared folders by using the Computer Management utility

■ Explain guidelines for assigning shared folder permissions

Estimated lesson time: 60 minutes

Simple File Sharing

Simple File Sharing, as its name implies, is a simplified sharing model that allows users to easily share folders and files with other local users on the same computer or with users in a workgroup without configuring NTFS permissions and standard shared folders. On computers running Windows XP Professional that are members of a workgroup, you can use Simple File Sharing or you can disable Simple File Sharing and use shared folder permissions. On computers running Windows XP Professional that are members of a domain, Simple File Sharing is not available.

Exam Tip If you are not able to access the Security tab of a file or folder’s Properties dialog box or if you cannot assign shared folder permissions to a folder, Simple File Sharing is probably enabled.

When Simple File Sharing is enabled, users have only one choice to make—whether a folder is shared or not. When a user shares a folder, that folder is accessible to all network users. Also, with Simple File Sharing, the user cannot assign shared folder permissions. To enable or disable Simple File Sharing, in any open folder, click Tools and then click Folder Options. In the Folder Options dialog box, on the View tab, in the Advanced Settings list, select or clear the Use Simple File Sharing (Recommended) check box.

Note The remainder of this chapter assumes that you are not using Simple File Sharing.

Shared Folder Permissions

When Simple File Sharing is disabled, you can control how users gain access to a shared folder by assigning shared folder permissions. Shared folder permissions are simpler than NTFS permissions. Table 9-1 explains what each of the shared folder permissions allows a user to do, presented from most restrictive to least restrictive.

Table 9-1 Shared Folder Permissions

This Shared Folder Permission | Allows the User to
Read | Display folder names, file names, file data, and attributes; run program files; and change folders within the shared folder
Change | Create folders, add files to folders, change data in files, append data to files, change file attributes, and delete folders and files; also allows the user to perform actions that are permitted by the Read permission
Full Control | Change file permissions, take ownership of files, and perform all tasks

You grant or deny shared folder permissions. Generally, it is best to grant permissions to a group rather than to individual users. You should deny permissions only when it is necessary to override permissions that are otherwise applied, for example, when it is necessary to deny permission to a specific user who belongs to a group to which you have granted the permission. If you deny a shared folder permission to a user, the user will not have that permission. For example, to deny all remote access to a shared folder, deny the Full Control permission.

Requirements for Sharing a Folder

To create shared folders on a computer running Windows XP Professional, you must be a member of the Administrators or Power Users groups. Also, users who are granted the Create Permanent Shared Objects user right are allowed to share folders. You can share only folders; you cannot share individual files. If you need to provide users network access to files, you must share the folder that contains the files.

Exam Tip Users of the Administrators or Power Users groups can share a folder. Users who have been assigned the Create Permanent Shared Objects user right can also share folders.

Characteristics of Shared Folder Permissions

You can share any folder on a computer so that network users can access the folder. The following are characteristics of shared folder permissions:

■ Shared folder permissions apply to folders, not individual files. Because you can apply shared folder permissions only to the entire shared folder and not to individual files or subfolders in the shared folder, shared folder permissions provide less detailed security than NTFS permissions.

■ Shared folder permissions do not restrict users who access the folder locally by logging on to the computer. They apply only to users who connect to the folder over the network.

■ Shared folder permissions are the only way to secure network resources on a FAT volume, because NTFS permissions are not available on FAT volumes.

■ The default shared folder permission is Read, and it is assigned to the Everyone group when you share the folder.

Security Alert If you share a folder and do not change the default shared folder permissions (where the Everyone group is assigned the Read permission), the shared folder is effectively not protected from people reading the contents of the folder across the network. In this case, restriction from reading the folder depends entirely on local NTFS permissions.

How to Share a Folder

When you share a folder, you can give it a share name, provide comments to describe the folder and its content, control the number of users who have access to the folder, assign permissions, and create multiple share names for the folder.

To share a folder, complete the following steps:

1. Log on with a user account that is able to share folders.

2. Right-click the folder that you want to share, and then click Properties.

3. On the Sharing tab of the Properties dialog box, click Share This Folder and configure the options shown in Figure 9-1 and described in Table 9-2.

Figure 9-1 Use the Sharing tab of a folder’s Properties dialog box to share a folder.

Table 9-2 Sharing Tab Options

Option | Description
Share Name | The name that users from remote locations use to connect to the shared folder. You must enter a share name. By default, this is the same name as the folder. You can type in a different name up to 80 characters long.
Comment | An optional description for the share name. The comment appears in addition to the share name when users at client computers browse the server for shared folders. This comment can be used to identify contents of the shared folder.
User Limit | The number of users who can concurrently connect to the shared folder. If you click Maximum Allowed as the user limit, Windows XP Professional supports up to 10 connections.
Permissions | The shared folder permissions that apply only when the folder is accessed over the network. By default, the Everyone group is assigned Read for all new shared folders.
Caching | The settings to configure offline access to this shared folder. This feature is covered in Chapter 10, “Managing Data Storage.”
New Share | The settings to configure more than one share name and set of permissions for this folder. This button appears only when the folder has already been shared. You will learn how to create multiple shares in the section “How to Create Multiple Share Names for a Shared Folder.”

How to Assign Shared Folder Permissions

After you share a folder, the next step is to specify which users have access to the shared folder by assigning shared folder permissions to selected user accounts and groups. To assign permissions to user accounts and groups for a shared folder, use the following steps:

1. On the Sharing tab of the Properties dialog box of the shared folder, click Permissions.

2. In the Permissions dialog box for the folder, ensure that the Everyone group is selected and then click Remove.

3. In the Permissions dialog box, click Add.

4. In the Select Users Or Groups dialog box (shown in Figure 9-2), in the Enter The Object Names To Select text box, type the name of the user or group to which you want to assign permissions. Repeat this step for all user accounts and groups to which you want to assign permissions.

Tip If you want to enter more than one user account or group at a time, separate the names by a semicolon. If you want to ensure the names are correct, click Check Names.


Figure 9-2 Select a user or a group to which to assign permissions.

5. Click OK.

6. In the Permissions dialog box for the shared folder, click the user account or group, and then, under Permissions, select the Allow check box or the Deny check box for the appropriate permissions for the user account or group.

How to Create Multiple Share Names for a Shared Folder

You might want to grant different permissions on a shared folder. You can create multiple share names for the same folder and assign each a different set of permissions. To share a folder with multiple share names, open the folder’s Properties dialog box and then click New Share. In the New Share dialog box (shown in Figure 9-3), you assign a new share name, limit the number of connections to the share, and click Permissions to grant the permissions for the shared folder.

Figure 9-3 Create an additional share name for a shared folder.

How to Modify a Shared Folder

For existing shared folders, you can stop sharing the folder, modify the share name, and modify shared folder permissions.

To modify a shared folder, complete the following steps:

1. In the Properties dialog box of the shared folder, click the Sharing tab.

2. To complete the appropriate task, use the steps in Table 9-3.

Table 9-3 Steps to Modify a Shared Folder

To | Do This
Stop sharing a folder | Click Do Not Share This Folder.
Modify the share name | Click Do Not Share This Folder to stop sharing the folder, and click Apply. Then click Share This Folder, and type the new share name in the Share Name text box.
Modify shared folder permissions | Click Permissions. In the Permissions dialog box, click Add to add a user account or group so that you can specify permissions for a specific user or group, or click Remove to remove a user account or group. In the Select Users, Computers, Or Groups dialog box, click the user account or the group whose permissions you want to modify, and then select Allow or Deny for the appropriate permissions.

Caution If you stop sharing a folder while a user has a file open, the user might lose data. If you click Do Not Share This Folder and a user has an open connection to the shared folder, Windows XP Professional displays a dialog box notifying you of that fact.

How to Connect to a Shared Folder

You can access a shared folder on another computer by using My Network Places, the Add Network Place Wizard, or the Run command.

To connect to a shared folder using My Network Places, complete the following steps:

1. Click Start, and then click Control Panel.

Note When you first use My Network Places, Windows XP Professional adds it to your Start menu. If My Network Places is listed on your Start menu, click it and proceed to step 4.

2. In the Control Panel window, click Network And Internet Connections.

3. In the Network And Internet Connections window, under See Also, click My Network Places.

4. Double-click the share you want to access.

Note If the share you want to connect to is listed, when you double-click it, you are connected. If the share that you want to connect to is not listed, go to step 5.

5. If the share you want to connect to is not listed, click Add A Network Place. The Welcome To The Add Network Place Wizard page is displayed.

6. Click Next.

7. On the Where Do You Want To Create This Network Place page, select Choose Another Network Location, and then click Next.

8. On the What Is The Address Of This Network Place page, shown in Figure 9-4, you can type a Universal Naming Convention (UNC) path to the folder (for example, \\computer_name\sharedfolder_name) and click Next.

Figure 9-4 Type the UNC for the share that you want to access.

Tip You can also use the Other Locations On Your Network page to make a network connection shortcut to a Web share (http://Webserver/share) or a File Transfer Protocol (FTP) site (ftp://ftp.microsoft.com).

9. On the What Do You Want To Name This Place page, type a friendly name for this page and then click Next.

10. In the Completing The Add Network Place Wizard, click Finish.

To connect to a shared folder using the Run command, complete the following steps:

1. Click Start, click Run, type \\computer_name in the Open text box, and then click OK.

Windows XP Professional displays shared folders for the computer.

2. Double-click the shared folder to which you want to connect.

What Are Administrative Shares?

Windows XP Professional automatically shares some folders for administrative purposes. These administrative shares are marked with a dollar sign ($) at the end of the share name. Administrative shares are hidden from users who browse the computer. The root of each volume, the system root folder, and the location of the printer drivers are hidden shared folders that you can access across the network by typing in the exact name of the share.

Table 9-4 describes the purpose of the administrative shared folders that Windows XP Professional automatically provides.

Table 9-4 Windows XP Professional Administrative Shared Folders

Share | Purpose
C$, D$, E$, and so on | The root of each volume on a hard disk is automatically shared, and the share name is the drive letter with a dollar sign ($). When you connect to this folder, you have access to the entire volume. You use the administrative shares to remotely connect to the computer to perform administrative tasks. Windows XP Professional assigns the Full Control permission to the Administrators group.
Admin$ | The system root folder, which is C:\Windows by default, is shared as Admin$. Administrators can access this shared folder to administer Windows XP Professional without knowing in which folder it is installed. Only members of the Administrators group have access to this share. Windows XP Professional assigns the Full Control permission to the Administrators group.
Print$ | When you install the first shared printer, the %systemroot%\System32\Spool\Drivers folder is shared as Print$. This folder provides access to printer driver files for clients. Only members of the Administrators and Power Users groups have the Full Control permission. The Everyone group has the Read permission.

Hidden shared folders are not limited to those that the system automatically creates. You can share an additional hidden share by simply adding a dollar sign to the end of the share name. Only users who know the folder name can access it if they also possess the proper permissions.

Exam Tip You often can use the built-in administrative shares to access resources on a computer when you cannot otherwise gain access. In particular, the Admin$ share is useful because it allows you to access the system root folder of a computer. You can also type the drive letter followed by a dollar sign (for example, C$) to access a particular drive.

How to Manage Shared Folders by Using Computer Management

You can also manage shared folders by using the Computer Management utility. Available shared folder management options are as follows:

■ View a list of all folders that are currently shared

■ Create additional shared folders

■ View and edit the properties of shared folders

■ Stop sharing a folder

■ Manage users that are connected to shared folders

■ Remotely manage shared folders on other computers

How to View a List of Shared Folders in Computer Management

You can view all folders that are currently shared in a single location within Computer Management. To view shared folders, follow these steps:

1. Start Computer Management, either by right-clicking My Computer and selecting Manage, or from the Administrative Tools folder in Control Panel.

2. Expand the System Tools node.

3. Under the System Tools node, expand the Shared Folders node, and then select the Shares folder. Shared folders are displayed in the details pane, as shown in Figure 9-5.

Figure 9-5 View shared folders in Computer Management.

How to Create Additional Shared Folders by Using Computer Management

You can easily share folders by using Computer Management. To share a folder, complete the following steps:

1. In Computer Management, right-click the Shares folder (in the Shared Folders node) and select New File Share.

The Create A Shared Folder Wizard appears.

2. Click Next.

3. On the Set Up A Shared Folder page, type the path to be shared, the share name, and the share description. Click Next to continue.

4. If the folder to be shared does not exist, Windows opens a dialog box asking whether or not you want to create the folder. Click Yes to create the folder and continue.

5. On the Shared Folder Permissions page, select the appropriate permissions option and click Next.


View and Edit the Properties of Shared Folders by Using Computer Management

You can view and edit the properties of any shared folder through Computer Management by right-clicking the shared folder and selecting Properties. Figure 9-6 shows the Properties dialog box of a shared folder named Public Files. On the Security tab of new shares that you create, you can also manage the NTFS permissions of the folder.

Figure 9-6 Use Computer Management to modify the properties of a shared folder.

How to Stop Sharing a Folder

You can also use Computer Management to stop sharing a folder (or a particular share name for a folder). To stop sharing a folder in Computer Management, use the following steps:

1. Start Computer Management, either by right-clicking My Computer and selecting Manage, or from the Administrative Tools folder in Control Panel.

2. Expand the System Tools node.

3. Under the System Tools node, expand the Shared Folders node, and then select the Shares folder.

4. In the Details pane, right-click the share that you want to stop, and then click Stop Sharing.

This action does not delete the folder; it merely stops sharing the folder under the particular share name.


Manage Users That Are Connected to Shared Folders

To view the users that are connected to the server, expand the Shared Folders node in Computer Management and then select the Sessions folder. Occasionally, you might need to disconnect users from the computer so that you can perform maintenance tasks on hardware or software. To disconnect users from the server, do one of the following:

■ To disconnect a single user, right-click the user name in the Sessions folder, and then select the Close Session option from the action menu.

■ To disconnect all users from the server, right-click the Sessions folder, and then select the Disconnect All Sessions option from the action menu.

To view users that have shared files and folders open, under Shared Files, select the Open Files option. The details pane displays the files and folders that are currently in use on the server. This information is valuable if you are trying to work with a shared folder or file and need to know who is currently accessing the resource so that you can ask that person to disconnect.

Guidelines for Shared Folder Permissions

The following list provides some general guidelines for managing your shared folders and assigning shared folder permissions:

■ Determine which groups need access to each resource and the level of access that they require. Document the groups and their permissions for each resource.

■ Assign permissions to groups instead of user accounts to simplify access administration.

■ Assign to a resource the most restrictive permissions that still allow users to perform required tasks. This practice is known as the principle of least privilege. For example, if users only need to read information in a folder and they will never delete or create files, assign the Read permission.

■ Organize resources so that folders with the same security requirements are located within a folder. For example, if users require Read permission for several application folders, store those folders within the same folder. Then share this folder instead of sharing each individual application folder.

■ Use intuitive share names so that users can easily recognize and locate resources. For example, for the Application folder, use Apps for the share name. You should also use share names that all client operating systems can use.

Table 9-5 describes share and folder naming conventions for different client computer operating systems.

Table 9-5 Client Computer Operating Systems and Share Name Length

Operating System | Share Name Length
Windows 2000 and later | 80 characters
Windows NT, Windows 98, and Windows 95 | 12 characters
MS-DOS, Windows 3.x, and Windows for Workgroups | 8.3 characters

Windows XP Professional provides 8.3-character equivalent names, but the resulting names might not be intuitive to users. For example, a Windows XP Professional folder named Accountants Database would appear as Accoun~1 on client computers running MS-DOS, Windows 3.x, and Windows for Workgroups.

Real World

Shared Folder Permissions on Large Networks

On small networks, you are likely to find that either Simple File Sharing or shared folder permissions are used to control access to files and folders on the network. Even when drives are formatted with the NTFS file system, most people on small networks just do not use NTFS permissions.

On large company networks, you find just the opposite. Administrators typically rely on NTFS permissions and leave the default shared folder permissions (or remove the Everyone group and provide the Users group full access) in place because NTFS permissions do a much better job of securing data. Because of the way that shared folder permissions and NTFS permissions interact, NTFS permissions secure data for both local and network access. Adding shared folder permissions is really unnecessary and in fact complicates the permissions that administrators must work with. The exception to this is on computers running older versions of Windows (for example, Windows 98 or Windows Me) that do not support the NTFS file system; these systems must use shared folder permissions if their data is to be shared on the network.

Practice: Managing Shared Folders

In this practice, you will determine the effective shared permissions of users, share a folder, create an additional share name for a shared folder, and stop the sharing of a folder.

Exercise 1: Calculate Effective Shared Permissions

In the following exercise, User101 has been assigned permissions to access resources as an individual and as a member of a group, as shown in Figure 9-7.

Figure 9-7 Identify effective permissions.

Determine which effective permissions are assigned for User101 and User102.

1. User101 is a member of Group1, Group2, and Group3. Group1 has Read permission. Group2 has Full Control permission for FolderA, and Group3 has change permissions assigned for FolderA. What are User101’s effective permissions for FolderA?

2. User102 has been granted the Full Control shared folder permission for FolderB as an individual user. User102 is a member of the Managers group, which has been granted Change permission for FolderB, and a member of the Sales group, which has been denied all access to FolderB. What are User102’s effective permissions for FolderB?

Exercise 2: Create a Shared Folder

1. Click Start, and then click My Documents.

2. In the My Documents window, click the File menu, point to New, and then click Folder.

3. The new folder appears in the window with the name highlighted. Type Public Files for the name of the folder.

4. Right-click the Public Files folder, and click Sharing and Security.

5. In the Public Files Properties dialog box, on the Sharing tab, click Share This Folder, and then click Apply.

6. What new button appears on the dialog box after you click Apply?

7. Click Permissions.

8. In the Permissions for Public Files dialog box, in the Group Or User Names list, click Everyone and then click Remove.

9. Click Add.

10. In the Select Users Or Groups dialog box, type Users and then click OK.

11. In the Permissions for Public Files dialog box, in the Group Or User Names list, click Users.

12. In the Permissions for Users list, in the Allow column, select the Change check box.

13. Click OK, and leave the Public Files dialog box open for the next exercise.

Exercise 3: Create an Additional Share Name for a Folder

1. In the Public Files dialog box, click New Share.

2. In the New Share dialog box, in the Share Name text box, type Public Files 2.

3. In the Comment text box, type Power Users.

4. Click Permissions.

5. In the Permissions for Public Files 2 dialog box, in the Group Or User Names list, click Everyone and then click Remove.

6. Click Add.


8. In the Permissions for Public Files dialog box, in the Group Or User Names list, click Power Users.

9. In the Permissions for Users list, in the Allow column, select the Full Control check box, and then click OK.

10. In the New Share dialog box, click OK.

11. What new button is added to the Public Files Properties dialog box?

12. Click OK.

Lesson Review

Use the following questions to help determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. You can find answers to these questions in the “Questions and Answers” section at the end of this chapter.

1. Because you use NTFS permissions to specify which users and groups can access files and folders and what these permissions allow users to do with the contents of the file or folder, why do you need to share a folder or use shared folder permissions?

2. Which of the following permissions are shared folder permissions? (Choose all that apply.)

a. Read

b. Write

c. Modify

d. Full Control

3. ______________________ (Denied /Allowed) permissions take precedence over ____________ (denied /allowed) permissions on a shared folder.


4. When you copy a shared folder, the original folder is ___________________ (no longer shared /still shared) and the copy is ______________________ (not shared / shared).

5. When you move a shared folder, the folder is ______________________ (no longer shared /still shared).

6. When you rename a shared folder, the folder is ______________________ (no longer shared /still shared).

7. Windows XP Professional automatically shares folders for administrative purposes. These shares are marked with a __________________, which hides them from users who browse the computer.

8. The system root folder, which is C:\Windows by default, is shared as ____________. Administrators can access this shared folder to administer Windows XP Professional without knowing in which folder it is installed. Only members of the Administrators group have access to this share. Windows XP Professional assigns the Full Control permission to the Administrators group.

Lesson Summary

■ Simple File Sharing is a simplified sharing model that allows users to share or not share a folder instead of applying NTFS and shared folder permissions. Simple File Sharing is enabled by default on computers running Windows XP Professional that are members of a workgroup. Simple File Sharing is not available on computers that are members of a domain.

■ The three shared folder permissions are Read, Change, and Full Control.

■ To share a folder, you must be a member of the Administrators or Power Users groups, or have the Create Permanent Shared Objects user right assigned to your account.

■ The characteristics of shared folder permissions include:

❑ Shared folder permissions apply to folders, not individual files.

❑ Shared folder permissions apply only to users who connect to the folder over the network.

❑ Using shared folder permissions is the only way to secure file resources on FAT volumes.

❑ The default shared folder permission is Read, and it is assigned to the Everyone group when you share the folder.

■ When you share a folder, you can give it a share name, provide comments to describe the folder and its content, control the number of users who have access to the folder, assign permissions, and share the same folder multiple times.

■ After sharing a folder, control access to that folder by assigning shared folder permissions.

■ You can create multiple share names for a single folder and assign different permissions to each share name.

■ For existing shared folders, you can stop sharing the folder, modify the share name, and modify shared folder permissions.

■ You can connect to a shared folder by using My Network Places, My Computer, or the Run dialog box.

■ Windows XP Professional automatically shares folders for administrative purposes. These shares are marked with a dollar sign ($), which hides them from users who browse the computer.

■ You can use Computer Management to view, create, and modify shared folders, as well as to view users that are connected to each share. You can also use Computer Management to remotely manage shared folders on other computers.

■ You should practice the principle of least privilege when assigning shared folder permissions by allowing users only the access they need to do their job. You should grant permissions to groups rather than users. You should also try to arrange folders so that resources with the same security requirements are grouped.

Lesson 2: Combining Shared Folder Permissions and NTFS Permissions

You share folders to provide network users with access to resources. If you are using a FAT volume, the shared folder permissions are the only resource available to provide security for the folders that you have shared and the folders and files they contain. If you are using an NTFS volume, you can assign NTFS permissions to individual users and groups to better control access to the files and subfolders in the shared folders. When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.

After this lesson, you will be able to

■ Calculate effective permissions for folders that have shared folder and NTFS permissions

■ Explain the rules when combining shared folder permissions and NTFS permissions

■ Combine shared folder permissions and NTFS permissions

Estimated lesson time: 15 minutes

How to Calculate Effective Permissions for Folders That Have Shared Folder and NTFS Permissions

When users connect to shared folders that are located on NTFS volumes, share permissions and NTFS permissions will combine to control the actions that a user can perform. Determining effective permissions can be somewhat difficult when both NTFS and shared permissions are involved.

Calculating effective permissions for resources within a shared folder on an NTFS partition is a three-step process.

1. Calculate the NTFS effective permissions for the user.

2. Calculate the shared folder effective permissions for the user.

3. Analyze the results of steps 1 and 2, and select the result that is the more restrictive of the two. This will be the user’s effective permission for the shared folder.

Rules When Combining Shared Folder Permissions and NTFS Permissions

When you use shared folder permissions on an NTFS volume, the following rules apply:

■ You can apply NTFS permissions to files and subfolders in the shared folder. You can apply different NTFS permissions to each file and subfolder contained in a shared folder.

■ In addition to shared folder permissions, users must have NTFS permissions for the files and subfolders contained in shared folders to access those files and subfolders. This is in contrast to FAT volumes, in which permissions for a shared folder are the only permissions protecting files and subfolders in the shared folder.

■ When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.

In Figure 9-8, the Users group has the shared folder Full Control permission for the Public folder and the NTFS Read permission for FileA. The Everyone group’s effective permission for FileA is the more restrictive Read permission. The effective permission for FileB is Full Control because both the shared folder permission and the NTFS permission allow this level of access.

Figure 9-8 Combine shared folder permissions and NTFS permissions.
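
The three-step calculation and the combination rules above, as an added Python model (not code from the book). It generalizes "the more restrictive of the two" to the intersection of the rights each layer grants; the coarse right names, the user jlee, and the Specs share ACLs are constructed assumptions.

```python
"""Simplified model of the three-step effective-permission calculation.

Added example: the coarse right names and the sample ACLs are constructed.
"""
from dataclasses import dataclass

# Coarse rights standing in for the real access-mask bits (an assumption).
ALL = frozenset({"read", "execute", "write", "delete", "change_perms", "take_ownership"})
READ_EXEC = frozenset({"read", "execute"})
CHANGE = frozenset({"read", "execute", "write", "delete"})

SHARE = {"Read": READ_EXEC, "Change": CHANGE, "Full Control": ALL}
NTFS = {
    "Read": frozenset({"read"}),
    "Read & Execute": READ_EXEC,
    "List Folder Contents": READ_EXEC,
    "Write": frozenset({"write"}),
    "Modify": CHANGE,
    "Full Control": ALL,
}


@dataclass(frozen=True)
class Ace:
    trustee: str          # user or group the entry names
    permission: str       # key into SHARE or NTFS
    allow: bool = True    # False models a Deny entry


def layer_rights(acl, table, principals):
    """Steps 1 and 2: permissions are cumulative across the user and the
    user's groups, and any Deny entry overrides the matching Allow."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee in principals:
            (allowed if ace.allow else denied).update(table[ace.permission])
    return frozenset(allowed - denied)


def effective_rights(user, groups, share_acl, ntfs_acl, over_network=True):
    """Step 3: keep only what both layers grant (the more restrictive result).

    ntfs_acl=None models a FAT volume, which has no file-level permissions.
    over_network=False models local logon, where the share ACL is not consulted.
    """
    principals = {user, *groups}
    share = layer_rights(share_acl, SHARE, principals) if over_network else ALL
    ntfs = layer_rights(ntfs_acl, NTFS, principals) if ntfs_acl is not None else ALL
    return share & ntfs


# Constructed sample data: a "Specs" share with two subfolders.
GROUPS = ["Engineering", "Contractors"]
SHARE_ACL = [Ace("Engineering", "Change"), Ace("Contractors", "Read")]
SHARE_ACL_DENY = SHARE_ACL + [Ace("Contractors", "Full Control", allow=False)]
NTFS_DRAFTS = [Ace("Engineering", "Modify"), Ace("Contractors", "Read")]
NTFS_RELEASED = [Ace("Engineering", "Read & Execute")]

if __name__ == "__main__":
    cases = {
        "Drafts over network": (SHARE_ACL, NTFS_DRAFTS, True),
        "Released over network": (SHARE_ACL, NTFS_RELEASED, True),
        "Deny on share": (SHARE_ACL_DENY, NTFS_DRAFTS, True),
        "FAT over network": (SHARE_ACL, None, True),
        "NTFS local logon": (SHARE_ACL, NTFS_RELEASED, False),
        "FAT local logon": (SHARE_ACL, None, False),
    }
    for name, (share_acl, ntfs_acl, net) in cases.items():
        rights = effective_rights("jlee", GROUPS, share_acl, ntfs_acl, net)
        print(f"{name:22} {sorted(rights) or 'no access'}")
```

The last case is the one to notice when auditing: on a FAT volume a locally logged-on user is constrained by neither layer.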

Practice: Combining Permissions

Figure 9-9 shows examples of shared folders on NTFS volumes. These shared folders contain subfolders that have also been assigned NTFS permissions. Determine a user’s effective permissions for each example.

Figure 9-9 Combine permissions for each group.

1. In the first example, the Data folder is shared. The Sales group has the shared folder Read permission for the Data folder and the NTFS Full Control permission for the Sales subfolder. What are the Sales group’s effective permissions for the Sales subfolder when they gain access to the Sales subfolder by making a connection to the Data shared folder?

2. In the second example, the Users folder contains user home folders. Each user home folder contains data accessible only to the user for whom the folder is named. The Users folder has been shared, and the Users group has the shared folder Full Control permission for the Users folder. User1 and User2 have the NTFS Full Control permission for their home folder only and no NTFS permissions for other folders. These users are all members of the Users group. What permissions does User1 have when he or she accesses the User1 subfolder by making a connection to the Users shared folder? What are User1’s permissions for the User2 subfolder?

Lesson Review

Use the following questions to help determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. You can find answers to these questions in the “Questions and Answers” section at the end of this chapter.

1. If you are using both shared folder and NTFS permissions, the ______________ (least/most) restrictive permission is always the overriding permission.

2. Which of the following statements about combining shared folder permissions and NTFS permissions are true? (Choose all that apply.)

a. You can use shared folder permissions on all shared folders.

b. The Change shared folder permission is more restrictive than the Read NTFS permission.

c. You can use NTFS permissions on all shared folders.

d. The Read NTFS permission is more restrictive than the Change shared folder permission.

3. Which of the following statements about shared folder permissions and NTFS permissions are true? (Choose all that apply.)

a. NTFS permissions apply only when the resource is accessed over the network.

b. NTFS permissions apply whether the resource is accessed locally or over the network.

c. Shared folder permissions apply only when the resource is accessed over the network.

d. Shared folder permissions apply whether the resource is accessed locally or over the network.

4. If needed, you can apply different ______________________ permissions to each folder, file, and subfolder.

Lesson Summary

■ To combine shared folder and NTFS permissions, you should take the following steps:

a. Calculate the NTFS effective permissions for the user.

b. Calculate the shared folder effective permissions for the user.

c. Analyze the results of steps 1 and 2, and select the result that is the more restrictive of the two. This will be the user’s effective permission for the shared folder.

■ On a FAT volume, the shared folder permissions are the only available way to provide security for the folders you have shared and for the folders and files they contain. On an NTFS volume, you can assign NTFS permissions to individual users and groups to better control access to the files and subfolders in the shared folders. On an NTFS volume, you can apply different NTFS permissions to each file and subfolder in a shared folder.

Case Scenario Exercise

In this exercise, you will read a scenario about planning shared folders and then answer the questions that follow. If you have difficulty completing this work, review the material in this chapter before beginning the next chapter. You can find answers to these questions in the “Questions and Answers” section at the end of this chapter.

Scenario

You are an administrator working for a company named Contoso, Ltd., a manufacturer of telephone systems used in airplanes. You are planning how to share resources on servers in the company’s main office. Record your decisions in the table at the end of this exercise. Figure 9-10 illustrates a partial folder structure for the servers at the manufacturing company.

Figure 9-10 A partial folder structure for the servers at a manufacturing company

You need to make resources on these servers available to network users. To do this, determine which folders to share and which permissions to assign to groups, including the appropriate built-in groups. Base your planning decisions on the following criteria:

■ Members of the Managers group need to read and revise documents in the Management Guidelines folder. Nobody else should have access to this folder.

■ Administrators need complete access to all shared folders, except for Management Guidelines.

■ The customer service department needs its own network location to store working files. All customer service representatives are members of the Customer Service group.

■ All employees need a network location to share information with each other.

■ All employees need to use the spreadsheet, database, and word processing software.

■ Only members of the Managers group should have access to the project management software.

■ Members of the CustomerDBFull group need to read and update the customer database.

■ Members of the CustomerDBRead group need to read only the customer database.

■ Each user needs a private network location to store files, which must be accessible only to that user.

■ Share names must be accessible from computers running Windows 95 and later, as well as from non-Windows-based platforms.

Questions

Record your answers in this table.

Folder Name and Location | Shared Name | Groups and Permissions
Example:

Troubleshooting Lab

You are an administrator for a company named Contoso, Ltd., which is a distributor of high-end fabrics sold at custom furniture retailers across the United States. You are working with Sandra, a manager in the Sales department. Sandra is trying to work with a file named Winter Products, which is located in a shared folder named Brochures. She can access the file in a shared folder, but cannot save the file after making changes.

Sandra is a member of the following groups:

■ Sales

■ Users

■ Sales Managers

NTFS permissions are configured as shown in Figure 9-11. Shared folder permissions are configured as shown in Figure 9-12.

Figure 9-11 Examine the NTFS permissions for the Brochures folder.

Why can Sandra open the file but not save it in the shared folder? How would you solve the problem?

Chapter Summary

■ Sharing a folder makes the folder available to users on the network. You should understand the following points about shared folders:

❑ Simple File Sharing is enabled by default on computers running Windows XP Professional that are members of a workgroup. Simple File Sharing is not available on computers that are members of a domain.

❑ The three shared folder permissions are Read, Change, and Full Control.

❑ To share a folder, you must be a member of the Administrators or Power Users groups, or have the Create Permanent Shared Objects user right assigned to your account.

❑ You can share folders, but not individual files.

❑ You can share folders on NTFS or FAT volumes.

❑ You can create multiple share names for a single folder.

❑ Windows XP Professional automatically shares folders for administrative purposes. These shares are marked with a dollar sign ($), which hides them from users who browse the computer.

❑ You can use Computer Management to view, create, and modify shared folders, as well as to view users that are connected to each share. You can also use Computer Management to remotely manage shared folders on other computers.

■ When shared folder permissions and NTFS permissions exist on a folder, you can calculate the overall effective permissions by calculating the effective shared folder permissions, then calculating the effective NTFS permissions, and then applying the more restrictive of those two.

Exam Highlights

Before taking the exam, review the key points and terms that are presented in this chapter. You need to know this information.

Key Points

■ If you cannot access the Security tab of a file or folder’s Properties dialog box or if you cannot assign shared folder permissions to a folder, Simple File Sharing is probably enabled.

■ Users of the Administrators or Power Users groups can share a folder. Users who have been assigned the Create Permanent Shared Objects user right can also share folders.

■ You often can use the built-in administrative shares to access resources on a computer when you cannot otherwise gain access. In particular, the Admin$ share is useful because it allows you to access the system root folder of a computer. You can also type the drive letter followed by a dollar sign (for example, C$) to access a particular drive.

Key Terms

administrative share Hidden shares that Windows XP Professional creates automatically so that administrators can access resources on a computer.

Computer Management A console that provides access to a number of management utilities for administering a computer, including the ability to create, manage, and monitor shared folders.

effective permissions The permissions level that a user actually has, taking all permission sources into account.

hidden share A method of preventing users who are browsing the network from viewing the share. If you append the dollar sign ($) to a share name, it becomes hidden. Built-in administrative shares are examples of hidden shares.

shared folder permissions Permissions assigned to shared folders that control access to the folder over the network. Shared folder permissions include Read, Change, and Full Control.

shared folders Folders made accessible to users on the network.

Simple File Sharing A type of sharing that is used when a Windows XP computer has not joined a domain or is running Windows XP Home Edition.

Questions and Answers

Lesson 1 Practice: Exercise 1

Page 9-14

1. User101 is a member of Group1, Group2, and Group3. Group1 has Read permission. Group2 has Full Control permission for FolderA, and Group3 has change permissions assigned for FolderA. What are User101’s effective permissions for FolderA?

Because User101 is a member of Group1, Group2, and Group3, User101’s effective permission is Full Control, which includes all capabilities of the Read permission and the Change permission.

2. User102 has been granted the Full Control shared folder permission for FolderB as an individual user. User102 is a member of the Managers group, which has been granted Change permission for FolderB, and a member of the Sales group, which has been denied all access to FolderB. What are User102’s effective permissions for FolderB?

User102 has been granted Full Control to FolderB, but because User102 is a member of the Managers group and the Sales group, User102’s effective permission is denied Full Control access to FolderB. Denied permission overrides all other permissions.

Lesson 1 Practice: Exercise 2

Page 9-16

1. What new button appears on the dialog box after you click Apply?

A button named New Share appears in the Properties dialog box for a folder after you share the folder for the first time. This button allows you to create additional shares.

Lesson 1 Practice: Exercise 3

Page 9-16

1. What new button is added to the Public Files Properties dialog box?

After creating an additional share, a button named Remove Share is added to the dialog box. You can use this button to remove the additional share name.

Lesson 1 Review

Page 9-17

1. Because you use NTFS permissions to specify which users and groups can access files and folders and what these permissions allow users to do with the contents of the file or folder, why do you need to share a folder or use shared folder permissions?

Although NTFS security is effective whether a user gains access to the file or folder at the computer or over the network, NTFS permissions do not make folders available over the network. Sharing folders is the only way to make folders and their contents available over the network. Shared folder permissions provide another way to secure file resources. They can be used on FAT or FAT32 partitions, as well as NTFS partitions, whereas NTFS permissions are available only on NTFS volumes.

2. Which of the following permissions are shared folder permissions? (Choose all that apply.)

a. Read

b. Write

c. Modify

d. Full Control

The correct answers are A and D. The available shared folder permissions are Read, Change, and Full Control. B and C are not correct because Write and Modify are not valid shared folder permissions.

3. ______________________ (Denied /Allowed) permissions take precedence over ____________ (denied /allowed) permissions on a shared folder.

Denied permissions take precedence over allowed permissions on a shared folder.

4. When you copy a shared folder, the original folder is ___________________ (no longer shared /still shared) and the copy is ______________________ (not shared / shared).

When you copy a folder, the original folder is still shared and the copy is not shared.

5. When you move a shared folder, the folder is ______________________ (no longer shared /still shared).

When you move a shared folder, the folder is no longer shared.

6. When you rename a shared folder, the folder is ______________________ (no longer shared /still shared).

When you rename a shared folder, the folder is no longer shared.

7. Windows XP Professional automatically shares folders for administrative purposes. These shares are marked with a __________________, which hides them from users who browse the computer.

Dollar sign ($)

8. The system root folder, which is C:\Windows by default, is shared as ____________. Administrators can access this shared folder to administer Windows XP Professional without knowing in which folder it is installed. Only members of the Administrators group have access to this share. Windows XP Professional assigns the Full Control permission to the Administrators group.

Lesson 2 Practice: Combining Permissions

Page 9-21

1. In the first example, the Data folder is shared. The Sales group has the shared folder Read permission for the Data folder and the NTFS Full Control permission for the Sales subfolder. What are the Sales group’s effective permissions for the Sales subfolder when they gain access to the Sales subfolder by making a connection to the Data shared folder?

The Sales group has the Read permission for the Sales subfolder because when shared folder permissions are combined with NTFS permissions, the more restrictive permission applies.

2. In the second example, the Users folder contains user home folders. Each user home folder contains data accessible only to the user for whom the folder is named. The Users folder has been shared, and the Users group has the shared folder Full Control permission for the Users folder. User1 and User2 have the NTFS Full Control permission for their home folder only and no NTFS permissions for other folders. These users are all members of the Users group. What permissions does User1 have when he or she accesses the User1 subfolder by making a connection to the Users shared folder? What are User1’s permissions for the User2 subfolder?

User1 has the Full Control permission for the User1 subfolder because both the shared folder permission and the NTFS permission allow Full Control. User1 cannot access the User2 subfolder because she or he has no NTFS permission to gain access to it.

Lesson 2 Review

Page 9-23

1. If you are using both shared folder and NTFS permissions, the ______________ (least/most) restrictive permission is always the overriding permission.

Most

2. Which of the following statements about combining shared folder permissions and NTFS permissions are true? (Choose all that apply.)

a. You can use shared folder permissions on all shared folders.

b. The Change shared folder permission is more restrictive than the Read NTFS permission.

c. You can use NTFS permissions on all shared folders.

d. The Read NTFS permission is more restrictive than the Change shared folder permission.

The correct answers are A and D. B is not correct because the Read NTFS permission is more restrictive than the Change shared folder permission. C is not correct because you can use NTFS permissions only on volumes formatted with NTFS, whereas you can use shared folder permissions on volumes formatted with NTFS or FAT.

3. Which of the following statements about shared folder permissions and NTFS permissions are true? (Choose all that apply.)

a. NTFS permissions apply only when the resource is accessed over the network.

b. NTFS permissions apply whether the resource is accessed locally or over the network.

c. Shared folder permissions apply only when the resource is accessed over the network.

d. Shared folder permissions apply whether the resource is accessed locally or over the network.

The correct answers are B and C. A is not correct because NTFS permissions apply whether the resource is accessed locally or over the network. D is not correct because shared folder permissions are applied only when a folder is accessed remotely over the network.

4. If needed, you can apply different ______________________ permissions to each folder, file, and subfolder.

NTFS

Case Scenario Exercise Questions

Page 9-24

You have two choices for permissions: you can rely entirely on NTFS permissions and assign Full Control for all shared folders to the Everyone group, or you can use shared folder permissions according to resource needs. The following suggested shared folders include required permissions if you decide to assign shared folder permissions.

■ Share Management Guidelines as MgmtGd. Assign the Full Control permission to the Managers group.

■ Share Data as Data. Assign the Full Control permission to the Administrators built-in group.

■ Share Data\Customer Service as CustServ. Assign the Change permission to the Customer Service group.

■ Share Data\Public as Public. Assign the Change permission to the Users built-in group.

■ Share Applications as Apps. Assign the Read permission to the Users built-in group and the Full Control permission to the Administrators built-in group.

■ Share Project Management as ProjMan. Assign the Change permission to the Managers group and the Full Control permission to the Administrators built-in group.

■ Share Database\Customers as CustDB. Assign the Change permission to the CustomerDBFull group, the Read permission to the CustomerDBRead group, and the Full Control permission to the Administrators built-in group.

■ Share Users as Users. Create a folder for every employee below this folder. Assign the Full Control permission to each employee for his or her own folder. Preferably, have Windows XP Professional create the folder and assign permission automatically when you create each user account.

Troubleshooting Lab

Page 9-26

Why can Sandra open the file but cannot save it in the shared folder? How would you solve the problem?

Sandra has the effective NTFS permissions necessary to open and save the file. The Sales group has the Read & Execute, List Folder Contents, and Read permissions. The Sales Managers group has these permissions plus the Modify and Write permissions. To determine effective NTFS permissions, combine permissions from all sources.

For shared folder permissions, both the Sales and Sales Managers groups have only the Read permission. Because you choose the most restrictive permission when combining NTFS and shared folder permissions, Sandra ends up being able to read—but not change—files in the Brochures folder. To solve this problem, you should select the Change check box in the Allow column of the Permissions for Sales Managers list (see Figure 9-12).
