
Chapter 8 Configuring and Managing Shared Folder Security.

Date post: 05-Jan-2016
Upload: rolf-bruce

Shared Folder

Sharing means allowing other users to access the information in folders and files you have created.

This sharing can be done on a network. A shared folder can contain application data, user documents, and even software.

Shared Folder Permissions

To control user access to a shared folder, shared folder permissions are assigned.

Each type of data requires different shared folder permissions.

The shared folder permissions are:

Read - Display folder names, file names, file data, and attributes; run program files; and change folders within the shared folder.

Change - Create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files; also allows the user to perform actions permitted by the Read permission.

Full Control - Change file permissions, take ownership of files, and perform all tasks permitted by the Change permission.

You can allow or deny shared folder permissions.

It is best to allow permissions and to assign permissions to a group rather than to individual users.

Characteristics of Shared Folder Permissions:

Shared folder permissions apply to folders, not individual files.

Because you can apply shared folder permissions only to the entire shared folder and not to individual files or subfolders in the shared folder, they provide less detailed security than NTFS permissions.

Shared folder permissions don’t restrict access to users who gain access to the folder at the computer where the folder is stored.

Shared folder permissions are the only way to secure network resources on a FAT volume.

The default shared folder permission is Read, and it is assigned to the Everyone group when you share the folder.

General Guidelines for Shared Folder Permissions:

Determine which groups need access to each resource and the level of access that they require. Document the groups and their permissions for each resource.

Assign permissions to groups instead of user accounts to simplify access administration.

Assign to a resource the most restrictive permissions that still allow users to perform required tasks.

Organize resources so that folders with the same security requirements are located within a folder.

Use intuitive share names so users can easily recognize and locate resources.

Do not deny access to the Everyone group. Instead, completely remove the Everyone group from the permissions. Denying access to Everyone denies access even to administrators.

How Shared Folder Permissions are applied

Multiple permissions - A user can be a member of multiple groups, each with different permissions that provide different levels of access to a shared folder.

The user’s effective permissions are a combination of the user and group permissions.

Denied permissions take precedence over any permissions that you otherwise allow for user accounts and groups.

If you deny a shared folder permission to a user, the user won’t have that permission, even if you allow the permission for a group the user belongs to.

NTFS permissions - Shared folder permissions are sufficient to gain access across the network to files and folders on a FAT volume but not on an NTFS volume.

When users gain access to a shared folder on an NTFS volume, they need the shared folder permission and also the appropriate NTFS permissions for each file and folder to which they gain access.

A user’s effective permission for a shared folder on an NTFS volume is the more restrictive of the shared and NTFS permissions.
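
The rules above (allowed permissions combine across a user's groups, a deny overrides any allow, and on an NTFS volume the more restrictive of the shared folder and NTFS permissions applies) can be worked through in a small model, which also shows why denying the Everyone group locks out administrators. This is an added example, not part of the original chapter; the right names, the sample accounts and ACLs, and the reduction of NTFS permissions to the same three levels are assumptions made for illustration.

```python
# Simplified model of this chapter's rules. Right names are illustrative
# labels taken from the permission descriptions, not Windows access masks.
READ = frozenset({"list", "read_data", "read_attributes", "run_programs"})
CHANGE = READ | {"create", "write_data", "write_attributes", "delete"}
FULL_CONTROL = CHANGE | {"change_permissions", "take_ownership"}
LEVELS = [("Full Control", FULL_CONTROL), ("Change", CHANGE), ("Read", READ)]


def granted(acl, principals):
    """Allowed rights combined over the user and groups, minus denied rights."""
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in principals:
            (denied if kind == "deny" else allowed).update(rights)
    return allowed - denied


def effective(share_acl, ntfs_acl, principals, over_network=True):
    """Rights a user ends up with. ntfs_acl=None models a FAT volume;
    over_network=False models a user at the computer storing the folder,
    where shared folder permissions do not apply."""
    everything = set(FULL_CONTROL)   # a side that does not apply restricts nothing
    share = granted(share_acl, principals) if over_network else everything
    ntfs = granted(ntfs_acl, principals) if ntfs_acl is not None else everything
    return share & ntfs              # the more restrictive side wins


def level_name(rights):
    """Highest named permission fully covered by a set of rights."""
    for name, needed in LEVELS:
        if needed <= rights:
            return name
    return "No access"


# Constructed sample accounts and ACLs (assumptions, not from the chapter).
ALICE = {"alice", "Users", "Sales", "Everyone"}
ADMIN = {"admin1", "Administrators", "Everyone"}
SHARE = [("Users", "allow", READ), ("Sales", "allow", CHANGE),
         ("Administrators", "allow", FULL_CONTROL)]
NTFS = [("Users", "allow", READ), ("Administrators", "allow", FULL_CONTROL)]

if __name__ == "__main__":
    print("FAT, network: ", level_name(effective(SHARE, None, ALICE)))
    print("NTFS, network:", level_name(effective(SHARE, NTFS, ALICE)))
    locked = SHARE + [("Everyone", "deny", FULL_CONTROL)]
    print("Deny Everyone:", level_name(effective(locked, NTFS, ADMIN)))
```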

When you copy a shared folder, the original folder is still shared but the copy is not.

When you rename or move a shared folder, it is no longer shared.

When a folder is deleted, the folder share is deleted as well.

Planning Shared Folders

When you plan shared folders, you can reduce administrative overhead and ease user access by putting resources into folders according to common access requirements.

Shared folders can contain applications and data. By consolidating data and applications into shared folders according to function, you gain the following benefits:

Ease of use - By centralizing files in just a few shared folders, you make them easier for users to find.

Simpler configuration - When files are consolidated into common folders, it is easier to apply permissions.

Centralized administration - If data folders are centralized, you can back them up more easily and you can upgrade application software more easily.

Requirements for Shared Folders

In Windows XP Professional, members of the built-in Administrators and Power Users groups can share folders.

By default, in a Windows Server domain, members of the Domain Admins and Server Operators groups can share folders on any machine in the domain.

Shared Application Folders

Shared application folders are used for applications that are installed on a network server and that can be used from client computers.

The main advantage of sharing applications is that you don’t need to install and maintain most components of the applications on each computer.

Although program files for applications can be stored on a server, configuration information for most network applications is often stored on each client computer.

When you share application folders, consider the following points:

Create one shared folder for applications, and organize all of your applications under this folder. This designates one location for installing and upgrading software.

Assign the Administrators group Full Control permission for the applications folder so members of this group can manage the application software and control user permissions.

Assign Change permission to groups that are responsible for upgrading and troubleshooting applications.

Remove any permissions for the Everyone group, and assign Read permission to the Users group.

Create a separate shared folder outside your application folder hierarchy for any application for which you need to assign different permissions. Then assign the appropriate permissions to that folder.

Shared Data Folders

Shared folder data is divided into two types:

Public data - Public data folders are used by larger groups of users who all need access to common data.

Working data - Working data folders are used by members of a team who need access to shared files.

Public Data

When you share a common public data folder, do the following:

Use centralized data folders so data can be backed up easily.

Assign Change permission to the Users group for the common data folder.

Working Data

When you share working data folders:

Assign Full Control permission to the Administrators group for a central data folder so administrators can perform maintenance.

Share lower-level data folders below the central folder by assigning Change permission to the appropriate groups when you need to restrict access to those folders.

Administrative Shared Folders

Windows XP Professional automatically shares folders for administrative purposes.

These shares are marked with a dollar sign ($), which hides them from users who view shared resources in My Network Places.

The root of each lettered volume, the system root folder, the connection point for interprocess communication (IPC), and the location of the printer drivers are hidden shared folders.

Combining Shared Folder and NTFS Permissions

You share folders to provide network users with access to resources.

If you are using a FAT volume, which has no security of its own, the shared folder permissions are the only resource available to provide security.

If you are using an NTFS volume, you can assign NTFS permissions to individual users and groups to better control access to the files and subfolders in each shared folder.

When you use shared folder permissions on an NTFS volume, the following rules apply:

You can apply NTFS permissions to files and subfolders in the shared folder. You can even apply different NTFS permissions to each file and each subfolder in a shared folder.

In addition to shared folder permissions, users must have NTFS permissions to the files and subfolders in shared folders to access those files and subfolders.

When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.

