Managing Access to Shared Folders

Terms you'll need to understand:

  • Shared folders

  • Hidden shares

  • Simple file sharing

  • Offline files/client-side caching

  • Share permissions

  • NT File System (NTFS)

  • NTFS permissions

  • User rights

  • Built-in security principals

  • Access control list (ACL)

  • Access control entry (ACE)

  • Taking ownership of objects

  • Auditing

  • Internet Information Server (IIS)

  • Internet Printing Protocol (IPP)

Techniques you'll need to master:

  • Creating network shares

  • Configuring share permissions

  • Configuring options for offline files

  • Setting basic and advanced NTFS permissions

  • Viewing effective permissions

  • Learning how to turn on auditing

  • Installing and managing Internet Information Server

  • Connecting to printers over the Internet

Why do we have computer networks anyway? Well, they empower us to collaborate on projects and share information with others, whether they're around the corner or across the globe. If you're working on a Windows XP Professional system that is connected to a network, you can share one or more of that system's folders with other computers and users on that network. Drive volumes and folders are not automatically shared for all users in Windows XP Professional. Members of the Administrators group and the Power Users group, discussed later in this chapter, are the only users who retain the rights to create shared network folders.

Managing Access to Shared Folders

Windows XP Professional implements a new feature called Simple File Sharing, which is enabled by default when the computer is stand-alone or a member of a network workgroup. Simple File Sharing is disabled when the computer is a member of a Windows domain. Simple File Sharing creates a Shared Documents folder, inside of which it creates two subfolders, Shared Pictures and Shared Music. Remote users who access a shared folder over the network always authenticate as the Guest user account when Simple File Sharing is enabled. The Properties sheet for a shared folder under Simple File Sharing configures both share permissions and NTFS permissions (if the shared folder is stored on an NTFS volume) simultaneously—you are not allowed to configure the two permissions separately. For example, you cannot make a shared folder private, under Simple File Sharing, unless the folder resides on an NTFS volume.

To turn off Simple File Sharing for a stand-alone system, or for a computer that is a member of a workgroup, perform the following steps:

  1. Open a window in either My Computer or Windows Explorer.

  2. Click Tools|Folder Options from the menu.

  3. Click the View tab.

  4. Clear the Use Simple File Sharing (Recommended) checkbox under the Advanced Settings section.

  5. Click OK.

NOTE

The Shared Documents, Shared Pictures, and Shared Music folders are not available if the Windows XP Professional computer is a member of a Windows domain.

Creating Shared Folders from My Computer or Windows Explorer

To share a folder with the network with Simple File Sharing disabled, you can use My Computer or Windows Explorer and follow these steps:

  1. Open a window in either My Computer or Windows Explorer.

  2. Right-click the folder that you want to share and then select Sharing And Security from the pop-up menu.

  3. Click the Share This Folder button.

  4. Type in a Share Name or accept the default name. Windows XP uses the actual folder name as the default Share Name.

  5. Type in a Comment, if you desire. Comments appear in the Browse list when users search for network resources. Comments can help users to locate the proper network shares.

  6. Specify the User Limit: Maximum Allowed or Allow This Number Of Users. Windows XP Professional permits a maximum of 10 concurrent network connections per share. Specify the Allow This Number Of Users option only if you need to limit the number of concurrent users for this share to fewer than 10.

  7. Click OK to create the shared folder. The folder now becomes available to others on your network.

NOTE

To remove a network share, right-click the shared folder and choose the Sharing And Security option. Click the Do Not Share This Folder option button and click OK. The folder will no longer be shared with the network.

CAUTION

The Security tab of an NTFS folder's properties dialog box is not displayed when Simple File Sharing is enabled and the computer is not a member of a Windows domain. To display the Security tab so that you can view and work with NTFS permissions for folders and files, open a window in My Computer or Windows Explorer and select Tools|Folder Options. Click the View tab and clear the checkbox entitled Use Simple File Sharing (Recommended).

Creating Shared Folders from the Shared Folders MMC Snap-in

To share a folder with the network with Simple File Sharing disabled, you may use the Shared Folders MMC snap-in from a custom console, or you can use the Shared Folders snap-in as part of the Computer Management Console by following these steps:

  1. Right-click the My Computer icon and select Manage, or open an empty Microsoft Management Console window and add the Shared Folders snap-in for the local computer.

  2. Expand the Shared Folders node and click Shares.

  3. Right-click the Shares subnode and select New File Share.

  4. Type the path and folder name in the Folder To Share box, or click Browse to locate it.

  5. Type a name for the share in the Share Name box, and optionally, type in a Share Description.

  6. Click Next.

  7. Select one of the basic share permissions listed, or click Customize Share And Folder Permissions to define your own share permissions. The default selection is All Users Have Full Control. Remember, these are share permissions that apply only to users accessing this share remotely over the network—not NTFS security permissions!

  8. Click Finish and then click Yes or No when prompted to create another shared folder.

TIP

Generally, if you are working with shared folders residing on NTFS volumes, it is a good idea to leave all share permissions at their default setting: Everyone–Full Control. Use NTFS security permissions to specify access control levels for both users and groups. By having only one set of permissions to manage, security access levels are less confusing, and you avoid possible conflicts with share permissions. In addition, NTFS security permissions apply to both remote network users and local users, so users cannot circumvent security permissions by logging on to the local computer.

To remove a shared folder from the Shared Folders snap-in, simply right-click the shared folder and select Stop Sharing. Click Yes and the folder will no longer be shared on the network.

Using Automatically Generated Hidden Shares

Windows XP Professional automatically creates shared folders by default each and every time the computer is started. These default shares are often referred to as hidden or administrative shares because a dollar sign ($) is appended to their share names, which prevents the shared folder from being displayed on the network Browse list; users cannot easily discover that these shares exist. When users browse through the My Network Places window, for example, they cannot see that such hidden shares even exist; Microsoft Windows Networking does not allow hidden shares to be displayed. The default hidden network shares include the following:

  • C$, D$, E$, and so on—One share gets created for the root of each available hard drive volume on the system.

  • ADMIN$—This shares the %systemroot% folder with the network (for example, C:\Windows).

  • IPC$—This share is used for interprocess communications (IPCs). IPCs support communications between objects on different computers over a network by manipulating the low-level details of network transport protocols. IPCs enable the use of distributed application programs that combine multiple processes working together to accomplish a single task.

  • print$—This share holds the printer drivers for the printers installed on the local machine. When a remote computer connects to a printer over the network, the appropriate printer driver is downloaded to the remote PC.

Although you can temporarily disable hidden shares, you cannot delete them without modifying the Registry (which is not recommended), because they get re-created each time the computer restarts. You can connect to a hidden share, but only if you provide a user account with administrative privileges along with the appropriate password for that user account. Administrators can create their own custom administrative (hidden) shares simply by adding a dollar sign to the share name of any shared folder. Administrators can view all the hidden shares that exist on a Windows XP Professional system from the Shared Folders MMC snap-in.
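Running the Net Share command with no arguments at a command prompt lists every share on the local machine, hidden ones included. The following script is an added example, not code from the book: it parses such a listing and separates the default hidden shares named above from custom hidden shares that an administrator created. The sample listing is constructed, and the column layout is an assumption based on typical net share output.

```python
import re

# Default hidden shares named in the chapter (drive roots are matched separately).
DEFAULT_NAMES = {"ADMIN$", "IPC$", "PRINT$"}
FIELD = re.compile(r"\S+(?: \S+)*")  # words separated by single spaces


def row(name, resource="", remark=""):
    """Lay out one line in the assumed net share columns (13 and 32 wide)."""
    return f"{name:<13}{resource:<32}{remark}".rstrip()


# Constructed sample of `net share` output; not captured from a real host.
SAMPLE = "\n".join([
    "",
    row("Share name", "Resource", "Remark"),
    "",
    "-" * 79,
    row("ADMIN$", "C:\\WINDOWS", "Remote Admin"),
    row("C$", "C:\\", "Default share"),
    row("IPC$", "", "Remote IPC"),
    row("print$", "C:\\WINDOWS\\system32\\spool\\drivers"),
    row("", "", "Printer Drivers"),  # a long path pushes the remark to the next line
    row("samples", "C:\\samples", "Sample files"),
    row("payroll$", "D:\\Finance\\payroll"),
    row("E$", "C:\\Temp\\drop"),
    "The command completed successfully.",
])


def parse_net_share(text):
    """Return a list of {'name', 'resource', 'remark'} dicts, one per share."""
    shares, remark_col = [], None
    for line in text.splitlines():
        if remark_col is None:
            # Take the Remark column offset from the header line.
            if line.startswith("Share name") and "Remark" in line:
                remark_col = line.index("Remark")
            continue
        if line.startswith("The command completed"):
            break
        if line.startswith("---"):
            continue
        for m in FIELD.finditer(line):
            if m.start() == 0:
                # Text in column 0 starts a new share entry.
                shares.append({"name": m.group(), "resource": "", "remark": ""})
            elif shares:
                # Indented text belongs to the previous entry; its column decides the field.
                key = "remark" if m.start() >= remark_col else "resource"
                shares[-1][key] = m.group()
    return shares


def classify(share):
    """Label a share as visible, default-hidden or custom-hidden."""
    name, resource = share["name"], share["resource"]
    if not name.endswith("$"):
        return "visible"
    upper = name.upper()
    if upper in DEFAULT_NAMES:
        return "default-hidden"
    # A drive-letter name counts as a default share only when it maps that volume's root.
    if re.fullmatch(r"[A-Z]\$", upper) and resource.upper() == upper[0] + ":\\":
        return "default-hidden"
    return "custom-hidden"


def audit(text):
    """Group share names by category for review."""
    report = {"visible": [], "default-hidden": [], "custom-hidden": []}
    for share in parse_net_share(text):
        report[classify(share)].append(share["name"])
    return report


if __name__ == "__main__":
    for category, names in audit(SAMPLE).items():
        print(f"{category:15} {', '.join(names)}")
```

Custom hidden shares do not appear in the Browse list, so a listing like this is a practical way to keep them in a share inventory.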

Connecting to Shared Resources on a Windows Network

Users and network administrators have several options available to them for connecting to shared network resources. These options include the following:

  • Type in a Universal Naming Convention (UNC) path from the Start|Run dialog box in the format \\servername\sharename.

  • Navigate to the share from the My Network Places window.

  • Employ the net use command from a command prompt window.

If you want to connect to a shared folder named "samples" that resides on a Windows computer named SALES7, click Start|Run, type "\\SALES7\samples", and click OK. At this point, you are connected to that shared resource, provided that you possess the proper user ID, password, and security permissions needed to access the shared folder.

Connecting to Network Resources with the My Network Places Window

You can connect to a network share from My Network Places. To use the My Network Places window, perform the following steps:

  1. Click Start|My Network Places.

  2. In the right-hand Network Tasks section, click the Add A Network Place link, which reveals the Add Network Place Wizard.

  3. Click Next, click Choose Another Network Location, and then click Next again.

  4. Enter the Internet Or Network Address, or click Browse to locate the network share by viewing the available network resources. You can connect to one of the following types of resources:

    • A shared folder using the following syntax: \\server\share

    • A Web folder using the following syntax: http://webserver/share

    • An FTP site using the following syntax: ftp://ftp.domain.name

  5. Click Next to enter a name for the network place or accept the default name.

  6. Click Next again to view a summary of the Network Place that you are adding.

  7. Click Finish to establish the connection to the shared folder, provided that you have the proper permissions. A list of network resources to which you have already connected is then displayed within the My Network Places window.

For Command-Line Junkies: The Net Share and Net Use Commands

You can create and delete shared folders from the command line instead of using the GUI. Windows XP offers several Net commands that you use from the command line. You can view all of the available Net commands by typing "Net /?" at a command prompt window. To create a new shared folder, you simply type "Net Share share_name=x:\folder_name", where share_name represents the name you want to assign to the shared folder, x: represents the drive letter where the folder resides, and folder_name represents the actual name of the folder. For help with the various options and syntax of the Net Share command, type "Net Share /?" at the command prompt.

You also have the option of connecting to network shares via the Net Use command. For help with the various options and syntax of the Net Use command, type "net use /?" at the command prompt. To connect to a remote resource from the command line, follow these steps:

  1. Open a command prompt window (click Start|All Programs|Accessories|Command Prompt, or click Start|Run, type CMD, and click OK).

  2. At the command prompt, type "net use X: \\servername\sharename" and press Enter, where X: is a drive letter that you designate (for example, net use M: \\sales7\samples). If you possess the appropriate permissions for that network share, you should see the message The Command Completed Successfully displayed in your command prompt window.

Controlling Access to Shared Folders

When you, as a network administrator, grant access to shared resources over the network, the shared data files become vulnerable to unintentional as well as intentional destruction or deletion by others. This is why network administrators must be vigilant in controlling data access security permissions. If access permissions to shared folders are too lenient, shared data may become compromised. On the other hand, if access permissions are set too stringently, the users who need to access and manipulate the data may not be able to do their jobs. Managing access control for shared resources can be quite challenging.

Shared Folder Properties: Configuring Client-Side Caching (Offline Files)

By right-clicking a shared folder and selecting Sharing, you can modify some of the shared folder's properties. You can specify whether network users can cache shared data files on their local workstations. To configure offline access settings for the shared folder, click the Caching button to display the Cache Settings dialog box. The default is to allow caching of files whenever you create a new shared folder. To disable this feature, you must clear the Allow Caching Of Files In This Shared Folder checkbox in the Cache Settings dialog box. If you allow caching of files for a shared folder, you must choose from three options in the Caching Settings dialog box:

  • Automatic Caching Of Documents—This option relies on the workstation and server computers to automatically download and make available offline any opened files from the shared folder. Older copies of files are automatically deleted to make room for newer and more recently accessed files. To ensure proper file sharing, the server version of the file is always opened.

  • Automatic Caching Of Programs And Documents—This setting is recommended for folders that contain read-only data, or for application programs that have been configured to be run from the network. This option is not designed for sharing data files, and file sharing in this mode is not guaranteed. Older copies of files are automatically deleted to make room for newer and more recently accessed files.

  • Manual Caching Of Documents—This is the default caching setting. This setting requires network users to manually specify any files that they want available when working offline. This setting is recommended for folders that contain user documents. To ensure proper file sharing, the server version of the file is always opened.

Click OK in the Caching Settings dialog box after making any configuration changes for offline access to the shared folder.

NOTE

The default cache size is configured as 10 percent of the client computer's available disk space. You can change this setting by selecting Tools|Folder Options from the menu bar of any My Computer or Windows Explorer window. The Offline Files tab of the Folder Options dialog box displays the system's offline files settings, as shown in Figure 3.1.

Figure 3.1 The Offline Files tab of the Folder Options dialog box.

TIP

The Offline Files feature is also known as Client-Side Caching (CSC). The default location on Windows XP computers for storage of offline files is %systemroot%\CSC (for example, C:\Windows\CSC). You can use the Cachemov.exe tool from the Windows 2000 Professional Resource Kit, or the Windows 2000 Server Resource Kit to relocate the CSC folder onto a different drive volume. The Cachemov.exe utility moves the CSC folder to the root of the drive volume that is specified. After the CSC folder has been moved from its default location, all subsequent moves place it in the root of the drive volume—Cachemov.exe never returns the folder to its original default location.

Shared Folder Permissions

In addition to the Caching button, located at the bottom of the Sharing tab of a shared folder's Properties dialog box, is the Permissions button. The caption next to this button reads To Set Permissions For Users Who Access This Folder Over The Network, Click Permissions. However, these "share" permissions are intended solely for backward-compatibility purposes; you should actually avoid changing the default settings on share permissions (Everyone:Allow Full Control) unless a share resides on a file allocation table (FAT) or FAT32 drive volume, which provides no file system security. In most circumstances, you should store all data and applications on NT File System (NTFS) drive volumes. In fact, as a general rule, you should format (or convert) all system drive volumes as NTFS. With the availability of third-party tools, as well as the native Windows XP Recovery Console, which permit command-line access to NTFS drives (even if the system won't boot), it's difficult to argue against NTFS for all drives in Windows XP.

TIP

Microsoft has positioned the NTFS file system as the preferred file system for Windows XP by making features such as security permissions, auditing, data compression, data encryption, reparse points, multiple named data streams, and Volume Shadow Copy Technology available only on NTFS drive volumes.

Network share permissions have their roots back in the days of Windows for Workgroups 3.11, before Windows NT and NTFS. Share permissions provided a way for administrators to control access to files for network users. Only three permissions are available: Full Control, Change, and Read. These three permissions can be explicitly allowed or denied. The default is Allow Full Control for the Everyone group. For shared folders that reside on FAT or FAT32 drives, share permissions do offer some degree of access control for network users. However, they provide no security for local access! Share permissions apply only to access over the network; these permissions have absolutely nothing to do with the underlying file system, which is why NTFS permissions are preferred. If you have a mixture of share permissions and NTFS permissions on the same folder, troubleshooting access control issues becomes more difficult—use either share permissions or NTFS permissions, not both.
