CHAPTER 5

                SECURING NETWORK RESOURCES WITH

                                     SHARE PERMISSIONS

 

Lesson 1:  Introduction to Shared Folders ……………..                  174

Lesson 2:  Guildelines for Planning Shared Folders ……                 181

Lesson 3:  Sharing Folders ………………………………                 192

Lesson 4:  Connecting to Shared folders  ……………….                 200

 

 

Shared Folders give users centralized access to network files.  This chapter explains how to share

folders and how to assign permission for gaining access to the shared folder to user and group

accounts.

 

Lesson 1:  Introduction to Shared Folders

 

Windows NT enables you to designate disk resources that you want to share with others.  For

example, when a folder is shared, authorized users can make connections to the folder (and

access it files) from their own computers. 

 

What are Shared Folders?

 

Shared folders give network users centralized access to network files.  When a folder is shared,

all users by default can connect to the shared folder and gain access to the folder’s content. 

 

You can assign share permissions to user and group accounts to control what users can do with

the content of a shared folder.  For example, if you want a user to only view files, you can assign

the user’s account (or a group of which the user is a member) the Read permission; if you want a

user to modify and add new files and folders, you can assign the Change permission.

 

Read = Read only

Change = Modify and add files and folders

 

A shared folder appears in Windows NT Explorer and My computer as an icon of a hand holding

the shared folder and is often referred to simply as a share.

 

NOTE:  By default, the built-in Everyone group is automatically assigned Full Control permission

to all shared folders.

 

 

 

 

=====================================================================

 

wntadm5.html                                                 PAGE 2                                                    2001/10/27

 

 

Why Share folders?

 

Shared folders are used to give users access to network programs, data and user home folders:

 

Network program folders centralize administration by designating one location for configuring and

upgrading software. 

Data folders provide a central location for users to store and access common files.

User home folders provide a central location for users to store their own files.  If home folders are

stored on a network server, they provide a central location for maintaining and backing up users’ data.

 

NOTE:  If the volume where the folder is located is formatted as FAT (file allocation table), share

permissions are the only way to secure disk resources.  If  the volume is formatted with the Windows

NT File System (NTFS), NTFS permissions can be assigned for additional security.

 

 

Share Permissions

 

To control how users access a shared folder, you can assign share permissions to users, groups, or both.

 

The following illustration shows the hierarchy of share permissions, from most restrictive at the bottom to

least restrictive at the top.

 

 

 

 

 

LEAST                                              FULL CONTROL

RESTRICTIVE

           

                                                              CHANGE 

 

 

 

                                                       READ

MOST

RESTRICTIVE

                                       NO ACCESS

 

 

 

 

 

 

 

=====================================================================

 

wntadm5.html                                                 PAGE 3                                                    2001/10/27

 

 

The following table describes the four share permissions.

 

=====================================================================

This permission                      Gives users the ability to

=====================================================================

Full Control                            Modify file permissions

(default permission                Take Ownership of files on NTFS volumes.

for the Everyone                    Perform all tasks permitted by the Change and

Group)                                    Read permissions.

 

 

Change                                   Create folder and add files

                                                Change data in files.

                                                Append data to files.

                                                Change file attributes.

                                                Delete folders and files.

                                                Perform all tasks permitted by the Read

                                                permissions.

 

Read                                       Display folder names and file names.

(execute)                                 Display the data and attributes of files.

                                                Run program files.

                                                Access other folders within that folder.

 

No Access                              Establish only a connection to the shared folder. 

                                                Access to the folder is denied and the contents

                                                Do not appear.  This the most restrictive permission,

                                                and is useful for high security.  The No Access

                                                permission overrides other permissions.

 

=====================================================================

 

Limitations of share Permissions

 

Share permissions are effective only when a user connects to the folder over the network.  They do

not prevent users from gaining access to the folder while sitting at the computer where the folder

resides.

 

On Computes running Windows NT Server, where users do not have the Log on locally user right,

this is not a problem.  However, on computers running Windows NT Workstations, users are

automatically assigned this user right that can bypass share permissions on their local computer.

 

If the volume where the folder resides is formatted with NTFS, you can secure local resources with

NTFS permissions.

 

 

 

=====================================================================

 

wntadm5.html                                                 PAGE 4                                                   2001/10/27

 

 

 

How share Permissions are Applied

 

You can assign a user permissions to access a shared folder directly or as a member of a group. 

If you assign different permissions to multiple groups of which the user is a member, the user gets all

the permissions, unless one of the permissions is the No Access permission.

 

 

There are two rules for how share permissions are applied:

 

•  When you assign permissions to a user and also to a group of which the user is a member, the user’s

effective permissions are the least restrictive permissions that result from the combination of the

user and group permissions.

•  When you assign the No Access permission, the No access permission overrides all other

permissions that are assigned to the user or to the groups of which the user is a member.  No

access always becomes the effective permission.

 

 

Video Summary on Permissions:

 

There are two kinds of folder permissions, they are Shared Folder Permissions and NTFS Permissions. 

NTFS Permissions combined with Shared Folder Permissions the effective permissions are the

combination of the user and group permissions.  If No Access is either the user or group permissions,

then the most restrictive or No access becomes the effective permission.  No Access always

overrides.

 

Shared folder Permissions FAT Only:

 

• Provide access to the network resources
• Permissions apply to all folders
• Effective permissions are the combination of permissions, with the exception of No Access.

 

Share permissions are used with FAT.  They only apply across the network, they do not apply

locally, the least restrictive will apply, unless it is NO ACCESS.

 

 

NTFS Permissions:

 

• Provide security on folders and files
• Effective permissions are the combination of permissions
• Can be assigned to other folders in the same hierarchy

 

NOTE:  Unlike “Shared Folder Permissions”, NTFS permissions can be assigned to other folders

and files in the same hierarchy for additional security.

 

 

 

=====================================================================

 

wntadm5.html                                                 PAGE 5                                                    2001/10/27

 

 

 

Summary:

 

When shared folder permissions are combined with NTFS permissions, the most restrictive

permission becomes the effective permission.

 

Together, they provide the highest level of security for folders and files.

 

 

Multiple Permissions  (page 177)

 

In the following illustration, User 1 is assigned Full Control permission to the shared folder named

Public.  Full Control is the least restrictive permission, User1 is also a member of the Everyone

group to which a different permission, Read, is assigned.  User1 ‘s effective permissions are the

combination of the user and group permissions, in this case, Full Control (Full control includes

the permissions Read and change.  Full control has almost no restrictions, so therefore it is the

least restrictive.

 

The No Access Permission

 

In the following illustration, User 1 is assigned Read permission to the shared folder named Public. 

User 1 is also a member of the Sales group to which a different permission, No Access, is

assigned.  Therefore, User1’s effective permissions are none because the No Access permission

overrides any other permissions assigned to a user or to groups to which the user belongs.

 

Example of Applied Permissions  (page 178)

 

The following two illustrations show two examples of applied share permissions.  Examine each

illustration and determine the effective permissions for User 1.

 

Example A shows that User1 is a member of Group1, Group2, Group3, and Group4.  Group1

does not have any permissions for Folder-A.  Group2 has read permissions, Group3 has Change

permission, and Group4 has Full Control permission for shared Folder-A.

 

The Answer is Full control is the effective permission for User’1.  Full Control already included

Read and Change.  Don’t forget the effective permissions are the least restrictive.

 

 

Example B shows that User1 is a member of Group1, Group2, and Group3. Group1 does not

have any permissions for Folder-B.  Group2 has Change permission and Group3 has Read

permission.  Additionally, User 1 is assigned the No Access permission.

 

In Example B, No Access is the effective permission, to Folder-B.  No Access over-rides all

other permissions.

 

 

 

 

=====================================================================

 

wntadm5.html                                                 PAGE 6                                                    2001/10/27

 

 

Lesson 2:  Guidelines for Planning Shared Folders

 

Before you begin sharing folders, you need to determine what resources to share and to whom. 

For a network to be successful, network programs, public and working data, and user home

folders must be easily accessible to authorized users. 

 

When Sharing folders consider the following:

 

•  Determine which folders on your servers users are to use, and then organize them so

that folders with the same security requirements are located within one folder hierarchy. 

For example, if users require Read permission to several program folders, store those

folders within the same folder.

•  Use intuitive share names so that users can easily recognize and locate resources. 

For example, of the folder Application, use the share name Apps.

•  Use share names and folder names that are readable by all client operating systems.

The following table describes share and folder naming conventions.

 

 

=====================================================================

Client                                                  Share Name               Folder Name

=====================================================================

Windows 95 and up, Windows 9X    12 characters                 255 characters

Windows NT                                       80 character                 255 characters

 

MS-DOS, Windows 3.x and              8.3 characters               8.3 characters

Windows for Workgroups

 

=====================================================================

 

NOTE:  For client operating systems that can only read 8.3 characters, Windows NT

provides 8.3 character equivalent names, but the resulting names are not always intuitive

for users.  For example, a folder named Accountants Database, would appear as

Accoun~1 to clients running MS-DOS, Windows 3.x and Windows for Workgroups.

 

 

Examples of Shared Folders

 

How you organize folders may help you to secure data.  For example, if you group folders

with the same security requirements in one hierarchy, you only have to share the top-level

 

 

=====================================================================

 

wntadm5.html                                                 PAGE 7                                                    2001/10/27

 

 

 

folder.  Users with the appropriate permissions have the same level of access to the contents

of the shared folder, but cannot access folders that are at the higher level or at the same level

as the shared folder.(look at the example on page 182)

 

 

Guidelines for Assigning Permissions:

 

When you assign share permissions to users and groups, use the following general guidelines:

 

•  Determine which groups need access to each resource and what level of access they require. 

Sales may only require read, Administrators group may require Full Control etc.

 

•  Create a local group on the computer for each shared resource.  If the resource resides on a

member server or computer running Windows NT Workstation, the local group for the resource

is created on that computer.  If the resource resides on a domain controller, the local group is

created from any computer running User Manager for Domains.

 

•  Assign permissions to only the groups that need access to the resource.

 

•  Assign the most restrictive permission (but one that allows users to perform required tasks) for

the resource to the local group.  For example, if users need only to read information in a folder,

and they will never delete or create files, then assign the Read permission for those users.

 

•  For greater security, remove the Full control permission from the Everyone group because the

Everyone group contains all user accounts who have access to your network, and Everyone

includes the Guest account.  If you want all users to have access to the resource, use the Users

group instead.  In a domain, the users group only contains domain user accounts that you created. 

In a workgroup, the Users group contains local user accounts.

 

 

Guidelines for Sharing Network Program Folders:

 

In a large network, one or more servers may be dedicated to storing programs.  In a small

network, one server may be used for both programs and data.  The program folders that you

share will vary with each network.

 

 

=====================================================================

 

wntadm5.html                                                 PAGE 8                                                   2001/10/27

 

 

 

Consider the following guidelines when planning network program folders:

(see page 184)

 

•  Create a shared folder for organizing your programs, for example Apps.
•  Assign the Administrator group Full Control permission to the Apps folder for Administrative

access.

•  Remove the Full Control permission from the Everyone group and assign read permission to

the Users group to provide tighter security.

•  Assign the Change permission to groups responsible for upgrading and troubleshooting software.
•  Share individual program folders to the appropriate groups only when you need to restrict access

to those folders.  For example, to give members of Group1 access to only the spreadsheet

program, share the folder for the spreadsheet program and assign Group1 the appropriate

permission.

 

 

 

Guidelines for Sharing Data Folders

 

Data folders are used by network users to exchange or share common files.  In planning shared data

folders, consider creating shared folders for keeping information that is public to employees of the

company. 

 

If your hard disk has more than one volume, create and share a data folders on a volume separate

from the operating system and programs.  Having data folders in one location streamlines backup

procedures.  Additionally, in the unlikely event that the operating system volume needs to be

reformatted, public data will remain intact.

 

 

Public Data Folders

 

Public data folders contain files that employees need to gain access to for reading purposes only,

 for example benefits information or blank expense report forms.

 

•   Assign the Full control permission to the user who provides the information in the public

 folders and to the Administrators group

•   Assign the Read permission to all users who need to gain access to the data.

 

Working Data Folders

 

Working data folders give employees a central location for storing and exchanging working files. 

Most employees need the ability to add and remove files from common working data folders.

 

 

 

=====================================================================

 

wntadm5.html                                                 PAGE 9                                                    2001/10/27

 

 

 

•  Assign the Change permission to all users who need to exchange files with others.
•  Assign the Full Control permission to the Administrators group.
•  Share lower-level data folders to the appropriate groups when you need to restrict

access to those folders.

 

For example, to protect data in the Accountants folder, share that folder to only the Accountants

group and assign that group Change permission.  Then, members of the Accounts group can

access the Accountants shared folder.  Administrators have access by connecting to the Data

shared folder.

 

 

 

Guidelines for Sharing Home Folders

 

On FAT volumes, when you create a user account and you want that user to have a home folder,

you must first create a home folder structure on the server.  You share individual home folders on

a FAT volume because share permissions are the only way to restrict access.

 

•   Create a central folder named Users on a volume separate from the operating system and

programs.  This streamlines backup and restore procedures.  If the operating system volume

requires reformatting, the volume containing the home folders will remain intact.

•   Create a folder in the Users folder for each user account, with the same name as his or

her user name.  For example, for the user name Ericb, create a folder named Ericb.

 

NOTE:  On a FAT volume, you need to create and share home folders before you specify

the home folder path in User Manager for Domains.  On an NTFS volume, this step is not

necessary.

 

•  Share each user’s home folder and assign only the respective user Full control permission to

his or her home folder.  This guarantees privacy to the user because he or she is the only

person who can connect to his or her home folder.  This is the only way to protect users’

folder on a FAT volume.

 

•   In User Manager for Domains, assign a home folder to each user account.

 

•   Only shared the top-level folder to the Administrators group.

You will also be able to perform administrative tasks on home folders by logging on to the

server locally, or by connecting to an administrative share (C$, D$, and so on), which

provides access to the root of the respective volume.

 

 

 

 

=====================================================================

 

wntadm5.html                                                 PAGE 10                                                   2001/10/27

 

 

 

Lesson 3:  Sharing Folders

 

To share a folder, you must be a member of the built-in Administrators, Server Operators or Power

User group on the computer where the shared folder is being shared.

 

NOTE:   On NTFS volumes, you can give a user the ability to share folders by assigning the user the

List permission to the folder.

 

 

 

Administrative Shares

 

Windows NT provides administrative share to make it easy to gain access to the root of a volume. 

The root of each volume on a hard disk is automatically shared, using the drive letter appended with

a dollar sign ($) for example, C$ and D$ and E$ etc.  The dollar sign hides the shared folder from

users who browse the computer.  When you connect to this folder, you have access to the entire

volume.  You use the administrative shares to remotely connect to the computer to perform

administrative tasks.

 

NOTE:  Windows NT also shares the systemroot folder as Admin$.  This is a special shared

folder that is required by the system only during remote administration.

 

 

Sharing a Folders

 

The first step in sharing a folder is to assign it a share name.  Share names are assigned on the

Sharing tab in the folder_name Properties.

 

 

Assigning Share Permissions

 

After you assign a share name, the next step is to specify which users can access the shared folder

by assigning permissions to selected users or groups.  By default, when a folder is shared, the

Everyone group is assigned the Full Control permission.  For most folders, you will want to

remove the Full control permission from Everyone and assign permissions to specific user and

group accounts.

 

 

 

 

=====================================================================

 

wntadm5.html                                                 PAGE 11                                                  2001/10/27

 

 

 

If you want to assign permissions to a user or group in a different domain:

 

•  A trust must exist between your computer’s domain and another domain on your network.  To

verify that your computer fits this  criteria, log off, press CTRL+ALT+DELETE, and then view

the names that appear in the Domain box.  If more than one name exits, then the trust is set-up.

•  You must have Administrator privileges for that domain.  To enable the Administrators group to

perform administration tasks in other domains, add the global group Domain Admins to the local

Administrators group on the computer in the domain that you want Administrators to administer.

 

 

Modifying Shared Folders

 

You can modify all shared folder options on the folder_name Properties dialog  box.

 

 

Lesson 4:  Connecting to Shared Folders

 

There are two ways to locate and connect to shared folders.  Once you share a folder, network

users can connect to it using the Map Network Drive command in Windows NT Explorer or the

RUN command.

 

 

Using the Map Network Drive Command

 

When you connect to a shared folder using the Map Network Drive command, the shared

folder appears as a drive on your computer, and the contents of the shared folder can be viewed

as if they were on your computer.  Because the drive letter is saved in a user profile, you can have

the connection re-established each time you log on.

 

 

Using the Run Command

Using the Run command the user can browse all shared folders on a computer without knowing the

share name assigned to a specific shared folder.  You only need to know the name of the computer.

 

The run command does not assign a drive letter to the shared folder, so the connection does not

appear within a program.