Lesson 1:?Understanding Shared Folders
You use shared folders to provide network users with access to file resources. When a folder is shared, users can connect to the folder over the network and access the files it contains. However, to access the files, users must have permissions to access the shared folders.
After this lesson, you will be able to
- Use shared folders to provide access to network resources
- Describe how permissions affect access to shared folders
Estimated lesson time: 30 minutes
Shared Folder Permissions
A shared folder can contain applications, data, or a user's personal data, called a home folder. Each type of data requires different shared folder permissions.
The following are characteristics of shared folder permissions:
- Shared folder permissions apply to folders, not individual files. Because you can apply shared folder permissions only to the entire shared folder and not to individual files or subfolders in the shared folder, they provide less detailed security than NTFS permissions.
- Shared folder permissions don't restrict access to users who gain access to the folder at the computer where the folder is stored. They apply only to users who connect to the folder over the network.
- Shared folder permissions are the only way to secure network resources on a FAT volume. NTFS permissions aren't available on FAT volumes.
- The default shared folder permission is Full Control, and it is assigned to the Everyone group when you share the folder.
A shared folder appears in Windows Explorer as an icon of a hand, shown in Figure 9.1, holding the shared folder.
To control how users gain access to a shared folder, you assign shared folder permissions. Table 9.1 explains what each of the shared folder permissions allows a user to do, presented from most restrictive to least restrictive.
Table 9.1??Shared Folder Permissions
You can allow or deny shared folder permissions. Generally, it is best to allow permissions and to assign permissions to a group rather than to individual users. Deny permissions only when it is necessary to override permissions that are otherwise applied, for example, when it is necessary to deny permission to a specific user who belongs to a group to which you have given the permission. If you deny a shared folder permission to a user, the user won't have that permission. For example, to deny all access to a shared folder, deny the Full Control permission.
How Shared Folder Permissions Are Applied
Applying shared permissions to user accounts and groups affects access to a shared folder. Denying permission takes precedence over the permissions that you allow. The following list describes the effects of applying permissions:
- Multiple permissions.??A user can be a member of multiple groups, each with different permissions that provide different levels of access to a shared folder. When you assign permission to a user for a shared folder and that user is a member of a group to which you assigned a different permission, the user's effective permissions are the combination of the user and group permissions. For example, if a user has Read permission and is a member of a group with Change permission, the user's effective permission is Change, which includes Read.
- Deny permissions.??Denied permissions take precedence over any permissions that you otherwise allow for user accounts and groups. If you deny a shared folder permission to a user, the user won't have that permission, even if you allow the permission for a group of which the user is a member.
- NTFS permissions.??Shared folder permissions are sufficient to gain access to files and folders on a FAT volume but not on an NTFS volume. On a FAT volume, users can gain access to a shared folder for which they have permissions, as well as all of the folder's contents. When users gain access to a shared folder on an NTFS volume, they need the shared folder permission and also the appropriate NTFS permissions for each file and folder to which they gain access. A user's effective permission for a shared folder on a NTFS volume is the more restrictive of the shared and NTFS permissions.
When you copy a shared folder, the original folder is still shared, but the copy is not. When you rename or move a shared folder, it is no longer shared.
Guidelines for Shared Folder Permissions
The following list provides some general guidelines for managing your shared folders and assigning shared folder permissions:
- Determine which groups need access to each resource and the level of access that they require. Document the groups and their permissions for each resource.
- Assign permissions to groups instead of user accounts to simplify access administration.
- Assign to a resource the most restrictive permissions that still allow users to perform required tasks. For example, if users only need to read information in a folder and they will never delete or create files, assign the Read permission.
- Organize resources so that folders with the same security requirements are located within a folder. For example, if users require Read permission for several application folders, store those folders within the same folder. Then share this folder instead of sharing each individual application folder.
- Use intuitive share names so that users can easily recognize and locate resources. For example, for the Application folder, use Apps for the share name. You should also use share names that all client operating systems can use.
Table 9.2 describes share and folder naming conventions for different client computer operating systems.
Table 9.2??Client Computer Operating Systems and Share Name Length
Microsoft Windows XP Professional provides 8.3-character equivalent names, but the resulting names might not be intuitive to users. For example, a Windows XP Professional folder named Accountants Database would appear as Account~1 on client computers running MS-DOS, Windows 3.x, and Windows for Workgroups.
Practice:?Applied Permissions
In the following practice, User101 has been assigned permissions to access resources as an individual and as a member of a group, as shown in Figure 9.2.
Determine which effective permissions are assigned for User101 and User2.
- User101 is a member of Group1, Group2, and Group3. Group1 has Read permission. Group2 has Full Control permission for FolderA, and Group3 has change permissions assigned for FolderA. What are User101's effective permissions for FolderA?
- User102 has been granted the Full Control shared folder permission for FolderB as an individual user. User102 is a member of the Managers group, which has been granted Change permission for FolderB, and a member of the Sales group, which has been denied all access to FolderB. What are User102's effective permissions for FolderB?
Lesson Review
The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. The answers are in Appendix A, "Questions and Answers."
- Because you use NTFS permissions to specify which users and groups can access files and folders and what these permissions allow users to do with the contents of the file or folder, why do you need to share a folder or use shared folder permissions?
- Which of the following permissions are shared folder permissions? (Choose all answers that are correct.)
- Read
- Write
- Modify
- Full Control
- ______________________ (Denied /Allowed) permissions take precedence over ____________ (denied /allowed) permissions on a shared folder.
- When you copy a shared folder, the original folder is ___________________ (no longer shared /still shared) and the copy is ______________________ (not shared /shared).
- When you move a shared folder, the folder is ______________________ (no longer shared /still shared).
- When you rename a shared folder, the folder is ______________________ (no longer shared /still shared).
Lesson Summary
- You can make a folder and its contents available to other users over the network by sharing the folder.
- Using shared folder permissions is the only way to secure file resources on FAT volumes.
- Shared folder permissions apply to folders, not individual files.
- Shared folder permissions don't restrict access to users who gain access to the folder at the computer where the folder is stored. Shared folder permissions apply only to users who connect to the folder over the network.
- The three shared folder permissions are Read, Change, and Full Control.
- The default shared folder permission is Full Control, and it is assigned to the Everyone group when you share the folder.