CHAPTER 10

ADMINISTERING SHARED FOLDERS

You use NTFS permissions to specify which users and groups can gain access to files and folders and

what specify which users and groups can gain access to files and folders and what these permissions

allow users to do with the contents of files or folders.

NTFS permissions are only available on NTFS volumes. NTFS security is effective whether a user

gains access to the file or folder at the computer or over the network.

Sharing folders is the only way to make folders and their contents available over the network. Shared

folders also provide another way to secure file resources, one that can be used on file allocation table

(FAT) or FAT32 partitions.

Lesson 1: Understanding Shared Folders

Microsoft Windows 2000 allows you to designate folders to share with others.

Shared Folders

Shared folders provide network users centralized access to network files. When a folder is shared, all

users by default can connect to the shared folder and gain access to the folder’s content. A shared folder

can contain applications, data, or a user’s personal data in a home directory. Each type of data requires

different shared folder permissions.

Shared Folder Permissions

You can assign shared folder permissions to user and group accounts to control what users can do

with the content of a shared folder. The following are characteristics of shared folder permissions:

Shared folder permissions apply to folders, not individual files. Because you can only

apply shared folder permissions to the entire shared folder, and not to individual files

or subfolders in the shared folder, shared folder permissions provide less detailed

security than NTFS permissions.

=====================================================================

winads10.html PAGE 2 2002/02/28

Shared folder permissions do not restrict access to users who gain access to the folder at the

computer where the folder is stored. They only apply to users who connect to the folder

over the network.Shared folder permissions are the only way to secure network resources

on a FAT volume. NTFS permissions are not available on FAT volumes. The default

shared folder permission is Full Control, and it is assigned to the Everyone group when you

share the folder.

NOTE: By default, a shared folder appears in Microsoft Windows explorer as an icon of hand holding

and shared folder.

You can allow or deny shared folder permissions. Generally, it is best to allow permissions and to assign

permissions to a group rather than to individual users. Deny permission only when it is necessary to

override permissions that are otherwise applied.

If you deny a shared folder permission to a user, the user will not have the permission.

How Shared Folder Permissions are Applied

Applying shared permissions to user accounts and groups affects access to a shared folder.

Denying permission takes precedence over the permissions that you allow.

Multiple Permission Combine for Effective Permissions

A user can be a member of multiple groups, each with different permissions that provide different

levels of access to a shared folder. When you assign permission to a user for a shared folder, and

that user is a member of a group to which you assigned a different permission, the user’s effective

permissions are the combination of the user and group permission.

Deny Overrides Other Permissions

Denied permissions take precedence over any permissions that you otherwise allow for user

accounts and groups.

NTFS Permissions are Required on NTFS Volumes

Shared folder permissions are sufficient to gain access to files and folders on a FAT volume, but

not on an NTFS volume. On a FAT volume, users can gain access to a shared folder for which

hey have permissions, as well as all of the folder’s contents. When users gain access to a shared

folder on an NTFS volume, they need the shared folder permissions and also the appropriate

NTFS permissions for each file and folder to which they gain access.

=====================================================================

winads10.html PAGE 3 2002/02/23

Copied, Moved, or Renamed Shared Folders are NO Longer Shared

When you copy a shared folder, the original shared folder is still shared, but the copy is not

shared. When you move or rename a shared folder, it is no longer shared.

Guidelines for Shared Folder Permissions

Determine which groups need access to each resource and the level of access that they require.
Document the groups and their permissions for each resource.
Assign permissions to groups instead of user accounts to simplify access administration.
Assign to a resource the most restrictive permissions that still allow users to perform required

tasks. For example, if users need only to read information in a folder and they will never delete or

create files, assign the Read permission.

Organize resources so that folders with the same security requirements are located within a folder.
Use intuitive share names so that users can easily recognize and locate resources.

Windows 2000 provides 8.3 character equivalent names, but the resulting names might not be intuitive

to users. For example, a Windows 2000 folder named Accountants Database would appear as

Account~1 on client computers running MS-DOS, Windows 3.1 and Windows for Workgroups.

Lesson Summary:

Shared folder permissions are the only way to secure file resources on FAT volumes.

Shared folder permissions apply to folders, not individual files.

=====================================================================

winads10.html PAGE 4 2002/02/23

The shared folder permissions are Read, Change and Full Control. Read permissions

allows users to view file names and subfolders names and view data in files.

Full Control permissions allows users to change file permissions and take ownership

of NTFS volumes, and to perform all tasks permitted by the Change permission.

The default shared folder permission is Full Control, and it is assigned to the Everyone

group when you share the folder.

Lesson 2: Planning Shared Folders

When you plan shared folders, you can reduce administrative overhead and ease user access.

To plan shared folders, you must determine which resources you want shared, and then organize

resources according to function, use and administration needs.

Shared folders can contain applications and data. Use shared application folders to centralize

administration.

Application Folders

Shared application folders are used for applications that are installed on a network server and they

can be used from client computers. The main advantage of shared applications is that you do not

need to install and maintain most components of the application on each computer.

Create one shared folder for applications and organize all of your applications under this folder.
Assign the Administrators group the Full Control permissions for the application folder so that

Administrators can manage the application software and control user permissions.

Remove the Full Control permission from the Everyone group and assign Read permission to the

Users group. Assign the Change permission to groups that are responsible for upgrading and

troubleshooting applications.

Create a separate shared folder outside you application folder hierarchy for any application

for which you need to assign different permissions. Then assign the appropriate permissions

to that folder.

=====================================================================

winads10.html PAGE 5 2002/02/23

Data Folders

Users on a network use data folders to exchange public and working data. Working data folders

are used by members of a team who need access to shared files. Public data folders are used by

larger groups of users who all need access to common data.

When you use data folders, create and share common data folders on a volume that is separate

from the operating system and applications. Data files should be backed up frequently, and with

data folders on a separate volume, you can conveniently back them up.

Public Data

When you share a common public data folder, do the following:

Use centralized data folders so that data can be easily backed up.

Assign the Change permission to the Users group for the common data folder. Users will be

able to gain access to the folder and read, create, or change files in it.

Working Data

When you share a data folder for working files, do the following:

Assign the Full Control permission to the Administrators group for a central data folder

so that administrators can perform maintenance more easily.

Share lower-level data folders below the central folder with the Change permission

for the appropriate groups when you need to restrict access to those folders.

NOTE: Because an administrator will always be able to take ownership of a file, your organization

may find it necessary to encrypt files and folders to meet security requirements. You can find more

information about encryption in the “File encryption overview” topic in system help and by

researching on your own.

IMPORTANT: Leave the Everyone Group as Full Control at the Root drive levels, for Example at

C:\, D:\ E:\ etc. Then you can fine tune the permissions on the folders as they get more nested and

detailed. You can also eliminate all uses from A drive and CD-ROM.

=====================================================================

winads10.html PAGE 6 2002/02/23

Lesson Summary:

When you use shared application folders, you should assign the Administrators group the Full

Control permission for the applications folders so that members of this group can manage the

application software and control user permissions.

You should also remove the Full Control permission from the Everyone group and assign

Read permission to the Users group.

This provides more security because the Users group includes only user accounts that you

created, whereas the Everyone group includes anyone who has access to network resources,

including the Guest account.

Data files should be backup up frequently, and with data folders on a separate volume, you

can conveniently back them up.

Lesson 3: Shared Folders

You can share resources with others by sharing folders containing those resources. When you share

a folder, you can control access to the folder by limiting the number of users who can simultaneously

gain access to it. And you can also control access to the folder and its contents by assigning

permissions to selected users and groups. To access a shared folder, users must first have

appropriate permissions and then make a connection to it.

Requirements for Sharing Folders

In Windows 2000, members of the built-in Administrators, Server Operators, and Power Users

groups are able to share folders. The groups that can share folders and the machines on which

they can share folders depend on the following requirements:

In a Windows 2000 domain, the Administrators and Server Operators groups can share folders

residing on any machines in the domain. The Power Users group is a local group and can only

share folders residing on the stand-alone server or computer running Windows 2000 professional

where the group is located.

In a Windows 2000 workgroup, the Administrators and Power Users groups can share folders

on the stand-alone server or the computer running Windows 2000 Professional on which the

group exists.

NOTE: If the folder to be shared resides on an NTFS volume, users must also have at least

the Read permission for that folder to be able to share it.

=====================================================================

winads10.html PAGE 7 2002/02/23

IMPORTANT: With the Modify permissions you can do almost all the same permissions as

with Full Control, but you cannot have the task of Changing Permissions.

Administrative Shared Folders

Windows 2000 automatically shared certain folders for administrative purposes. These shares are

appended with a dollar sign ($). The $ hides the shared folder from users who browse the computer.

The root of each volume, the system root folder, and the location of the printer drivers are all hidden

shared folders that you can access from across the network.

=======================================================================

Share Purpose

=======================================================================

C$, D$, E$, and so on The root of each volume on a hard disk is

automatically shared, and the share name is the

drive letter appended with a dollar sign ($).

Admin$ The systemroot folder, which is C:\WINNT by

Default, is shared as Admin$. Administrators can

gain access to this shared folder to administer

Windows 2000 without knowing the folder in

which it is installed.

Print$ When you install the first shared printer, the

systemroot\System32\Spool\Drivers folder is

Shared as Print$.

=========================================================================

Hidden shared folders are not limited to those that the system automatically creates. You can share

additional folders and append a $ to the end of the share name. Then, only users who know the folder

name and possess proper permissions can gain access to the folder.

NOTE: If you stop sharing a folder while a users has a file open, the user might lose data. If you click

Do Not Share This Folder and a user has a connection to the shared folder, Windows 2000 displays a

dialog box notifying you that a user has a connection to the shared folder.

By default, the Administrator and Server Operator have the sharing permission. Also, with a workgroup,

Administrator and Power Users have the default permission for sharing.

=====================================================================

winads10.html PAGE 8 2002/02/23

Connecting to a Shared Folder

There are four methods for gaining access to a shared folder on another computer:

Map to a network drive using the Map Network Drive Wizard
Add a Network place using the Add Network Place Wizard
Connect using the Run command
Connect using My Network Places

*** Did the exercises in the book pages 315-316, at home, and they worked **

Lesson Summary:

To share a folder, you must be a member of one of several groups, depending on the role

of the computer where the shared folder resides. You can control access to a shared folder

by limiting the number of users who can simultaneously gain access to it, and you can also

control access to the folder and its contents by assigning permissions to selected users and

groups.

Lesson 4: Combining Shared Folder Permissions and NTFS Permissions

You share folders to provide network users with access to resources. If you are using a FAT

volume, the shared folder permissions are all that is available to provide security for the folders

you have shared and the folders and files they contain. If you are using an NTFS volume, you

can assign NTFS permissions to individual users and groups to better control access to the files

and subfolders in the shared folder.

=====================================================================

winads10.html PAGE 9 2002/02/23

Strategies for Combining Shared Folder Permissions and NTFS Permissions

One strategy for providing access to resources on an NTFS volume is to share folders with the default

shared folder permissions and then control access by assigning NTFS permissions. When you share a

folder on an NTFS volume, both shared folder permissions and NTFS permissions combine to secure

file resources.

When you use shared folder permissions on an NTFS volume, the following rules apply:

You can apply NTFS permissions to files and subfolders in the shared folder. You can apply

different NTFS permissions to each file and subfolder that a shared folder contains.

In addition to shared folder permissions, users must have NTFS permissions for the files and

subfolders that shared folders contain to gain access to those files and subfolders. This is in

contrast to FAT volumes, where permissions for a shared folder are the only permissions

protecting files and subfolders in the shared folder.

When you combine shared folder permissions and NTFS permissions, the more restrictive

permission is always the overriding permission.

KNOW the ways to connect to a shared folder:

Right Click on the folder and click Sharing
Map a network drive using the Map Network Drive Wizard
Connect using the Run command
Connect using My Network Places

******** Do the exercises page 323 – 326 at home ****

HOW Do you know that it is a share name:

always has the \\ double backslash before the name to show that it is a UNC naming convention.

Lesson Summary:

On a FAT volume, the shared folder permissions are all that is available to provide security

for the folders that you have shared and for the folders and files they contain.

On an NTFS volume, you can assign NTFS permissions to individual users and groups

to better control access to the files and subfolders in the shared folders.

FAT + NTFS permissions = Most restrictive permissions are applied.

=====================================================================

winads10.html PAGE 10 2002/02/23

Lesson 5: Configuring Dfs to Gain Access to Network Resources

The Microsoft distributed file system (Dfs) for Windows 2000 Server provides users with

convenient access to shared folders that are distributed throughout a network. A single Dfs

shared folder serves as an access point to other shared folders in the network.

Understanding Dfs

The Microsoft Dfs for Windows 2000 Server allows system administrators to make it easy for users

to access and manage files that are physically distributed across a network. With Dfs, you can make

files distributed across multiple servers appear to users as if they reside in one place on the network.

Dfs organize shared folders that can reside on different computers. Users do not need to know

where a resource is on a network to gain access to it. Dfs facilitates administering multiple shared

folders.

To share file resources across the network, Dfs does the following:

Organizes resources in a hierarchy. Dfs uses a hierarchy of server shared called Dfs

share. To create a Dfs share, you must first create a Dfs root. A Dfs root is a container

for files and Dfs links.

Facilitates network navigation. A user who navigates a Dfs-managed shared folder

does not need to know the name of the server on which the folder is shared.

Facilitates network administration. Dfs also simplifies network administration. If a

server fails, you can move a link from one server to another without users being aware

of the change.

Preserves network permissions. A user can gain access to a shared folder through

Dfs as long as the user has the required permission to gain access to the shared folder. If

further restrictions

are necessary, NTFS permissions can be set.

NOTE: Only client computers with Dfs client software can gain access to Dfs resources.

Computers running Windows NT 4.0 and later or Windows 98 include a Dfs client. You must

download and install a Dfs client for Windows 95.

=====================================================================

winads10.html PAGE 11 2002/02/23

Reasons for Using Dfs

You should consider implementing Dfs if:

Users who access shared folders are distributed across a site or sites
Most users require access to multiple shared folders
Server load balancing could be improved by redistributing shared folders
Users require uninterrupted access to shared folders
Your organization has Web sites for either internal or external use

Dfs Topology

A Dfs topology consists of a Dfs root, one or more Dfs links, and one or more Dfs shared

folders (also known as replicas), to which each Dfs link points.

For domain-based Dfs, the domain server on which a Dfs root resides is known as a host server.

To users, a Dfs topology provides a unified and transparent access to the network resources

they need.

Because the host server for a domain-based Dfs is a member server within a domain, the Dfs

topology is automatically published to Active Directory by default, thus providing synchronization

of Dfs topologies across host servers. This in turn provides fault tolerance for the Dfs root and

supports optional replication of Dfs shared folders.

Creating a Dfs

The tasks for creating a Dfs are:

Create a Dfs root.
Create a Dfs link.
Add Dfs shared folders (optional).
Set replication policy.

Creating a Dfs Root

You can create a Dfs root on Windows 2000- FAT or NTFS partitions. However, the FAT file

system does not offer the security advantages of NTFS. When setting up a Dfs root, you have the

option of establishing either a domain or a standalone Dfs root.

=====================================================================

winads10.html PAGE 12 2002/02/23

Creating a Dfs Link

In a network environment, it might be difficult for users to keep track of the physical locations of

shared resources. When you use Dfs, the network and file system structures become transparent

to users. This enables you to centralize and optimize access to resources based on a single tree

structure.

After you create a Dfs root, you can create Dfs links. Currently, the maximum number of Dfs links

that you can assign to a Dfs root is 1000.

Adding a Dfs Shared folder

For each Dfs link, you can create a set of Dfs shared folders to which the Dfs link points. Within a

set of Dfs shared folders, you add the first folder to the set when you create the Dfs link, using the

Distributed File System console.

When you add Dfs shared folders, you can choose which folders will participate in replication. If you

set folders to participate in replication, you must then set the replication policy for the shared folders.

Setting Replication Policy

You can ensure that the content of folders is always available to users by replicating that content of

other roots or Dfs shared folders in the domain. You can replicate both Dfs roots and Dfs shared

folders. Replication copies the Content of one Dfs root to another, or from one Dfs shared folder

to another Dfs shared folder.

Setting Replication Policy for Dfs Shared Folders

When replicating a Dfs shared folder, Dfs stores a duplicate copy of the contents of the original

shared folder in another shared folder.

Replicating the Dfs shared folder is a two-step process. First, you add the Dfs shared folder to a

Dfs link, specifying that the folder will participate in replication. Then, you set the replication policy

or the set of Dfs shared folders associated with the link.

Automatic Replication

For domain Dfs roots only, you can enable Dfs to automatically replicate the contents of a Dfs shared

folder to other folders in the set of Dfs shared folders. This keeps the content of the Dfs shared folders

synchronized as changes to one or more of the Dfs shared folders occurs.

=====================================================================

winads10.html PAGE 13 2002/02/23

Although invisible to users and administrators, Dfs uses the File Replication Service (FRS) to perform

this function.

When you set replication policy, you select one of your Dfs shared folders as the initial master, which

then replicates its contents to the other Dfs shared folders in the Set of Dfs shared folders.

Manual Replication

For domain Dfs, if you do not enable FRS management of Dfs shared folders, you must maintain the

same content in all of the Dfs shared folders manually.

NOTE: Do not mix automatic and manual replication within a set of Dfs shared folders. Using one

method of replication exclusively ensures that the contents of the Dfs shared folders remain

ynchronized.

IMPORTANT: To complete the optional procedures in this practice, you must have two computers

running Windows 2000 Server. This practice also assumes that one of the two computers is configured

as a domain controller and the other computer is configured as a member server in the domain. If you

have only one computer, read through the steps in the procedures marked as optional to learn how to

perform them in the future.

Lesson Summary:

A Dfs share uses a tree structure containing a root and links. The links of the Dfs root

represent shared folders that can be physically located on different file servers.

When you use Dfs, the network and file system structures become transparent to users
After connecting to a Dfs root, users can browse and gain access to all resources below

the root, regardless of the location of the server on which the resource is located.

If a server fails, you can move a link from one server to another without users being aware

of the change. All that is required to move a link is a modification of the Dfs folder to refer

to the new server location of the shared folder. Users continue to use the same Dfs path for the link.