Windows NT Server 4.0 Administration Notes


Module 5: Securing Network Resources with Shared Folder Permissions

Shared Folder Permissions
  • Shared folders are used to give users access to network applications, data and user home folders:
  1. Network application folders centralize administration by designating one location for configuring and upgrading software.
  2. Data folders provide a central location for users to store and access common files.
  3. User home folders provide a central location for backing up users’ data.

Note: Using shared folders is the only way to secure network resources on a FAT volume.

The following describes the shared folder permissions :

  • Full Control (default):
    • Change file permissions
    • Take ownership of files on NTFS volumes
    • Perform all tasks permitted by the Change permission
  • Change:
    • Create folders and add files
    • Change data in files
    • Change file attributes
    • Delete folders and files
    • Perform all tasks permitted by the Read permission
  • Read:
    • Display folder and file names
    • Display the data and the attributes of files
    • Run program files
    • Change to folders within a folder
    • NOTE: Can't delete files here, only copy
  • No Access:
    • Establishes only a connection to the shared folder. Access to the folder is denied and the contents don't appear.
How User and Group Permissions Are Applied
  • Permissions are applied in the following ways:
    1. When a user is assigned permission to a shared folder and that user is a member of a group to which a different permission is assigned, the user's effective permissions are the combination of the user and the group permissions. ==> the MOST PERMISSIVE PERMISSION APPLIES
    2. The only exception on this rule is the No Access permission. This one always overrides any other permission assigned to a user or to any group to which the user belongs. No Access Always Wins!
  •  Guidelines for sharing folders:
    • Use intuitive share names so that users can easily recognize and locate resources (Apps)
    • Use share names and folder names that are readable by all client operating systems.
O/S Share Name Folder Name
Windows NT and 95 12 characters 255 characters
MS-DOS 8.3 characters 8.3 characters
    • Organize disk resources so that folders with the same security requirements are located within one folder hierarchy.
  • Guidelines for Assigning Permissions:
    • Determine which groups need access to each resource and what level of access they require.
    • Assign permissions to groups instead of users to simplify administration.
    • Add global groups to local groups and then assign permissions to the local group.
    • Assign permissions to only the groups that need access to the resource.
    • Assign to a resource the most restrictive permissions that allow network users to perform required tasks.
    • Remove the default permission Everyone, Full Control from the group for a new shared folder. Use Domain Users - Read instead.
      • Everyone group includes even Guests; Domain Users includes only the account you created.

Note: When a folder is shared, the Everyone group is automatically assigned Full Control permission.

  • Guidelines for Network Application Folders:

When you share application folders, consider the following points:

  • Create a common shared folder and organize your applications under it.
  • Assign the Administrators group Full Control permissions to the Apps folder.
  • Remove Full Control from the Everyone group and assign Read permission to the Users group. This provides more security because the Users group includes only accounts you created, whereas the Everyone group includes anyone who has access.
  • Assign Change permissions to groups responsible for upgrading and troubleshooting application software.
  • Guidelines for Data Folders:
  • Public Data; when you share a public folder, consider the following points:
    • Use centralized data folders so that data can be consistently backed up.
    • Create and share a Public folder on a volume separate from the operating system and applications.
    • Assign the Change permission to Users. This will provide users with a central, publicly accessible location to store and share files with others.
  • Working Data; when you share a data folder for working files , consider the following points:
    • Create and share a Data folder on a volume separate from the operating system and applications.
    • Share lower-level data folders to the appropriate groups when you need to restrict access to those folders.
  • Guidelines for Home Folders on a FAT volume:

To create home folders for users on a FAT volume using only shared folder permissions to restrict access, follow these guidelines:

  1. Create a central folder named \Users on a volume separate from the operating system and applications.
  2. Create a folder in \Users for each user account, with the same name as their user name.
  3. On a FAT volume, share each user's home folder and assign only the respective user Full Control permission to his or her home folder. This is the only way to protect users’ folders on a FAT volume.
  4. To specify the user's home folder, when the user logs on, in User Manager for Domains, type a UNC path in the Home Directory To box that includes the server name and the %username% variable.
  5. To ensure privacy, do not share the top-level folder Users.

Note: On a FAT volume, you need to create and share home folders before you specify the home folder path in User Manager for Domains.

Requirements for Sharing a Folder:

Any folder on an NT computer can be shared.
The following table lists the groups and operating system requirements required to share a folder.
 

Group

Operating System

Administrators Any computer running Windows NT
Server Operators Only Windows NT Server Domain Controllers (PDC, BDC)
Power Users Only Windows NT Server Member Servers and Windows NT Workstation

Note: If the volume is NTFS, then the user must have at least the List permission to share a folder.

  • Sharing a folder:
    • Three tabs: General, Tools and Sharing.
    • Sharing tab has following options:
    • Share Name; adding $ hides the shared folder from users browsing the computer.
    • Comment
    • User Limit (NT WS max 10; NT Server no limit)
    • Permissions - sets permissions on folder ONLY, if accessed over the network
    • New Share (a folder can be shared multiple times with different names and permissions, but this increases administration)
    • Now apply permissions
      • use Sharing, Properties, Permissions Tab
      • click Add, then Add Users or Groups and assign permissions


 


 

  • Accessing Shared Folders:

In Windows NT Explorer click Map Network Drive and configure the following options:

  • Drive:
    • Assign a drive letter to the shared folder.
    • Drive letters that are used by local devices do not appear in the Drive list.
  • Path: Enter a UNC path.
  • Connect As: Connects to the shared folder using a different user account
  • Reconnect At Logon. This options requires a "Domain\Username" format
  • Using the Run command:
  • Two advantages:
    • Drive letter is not required, which conserves memory.
    • The user can browse all shared folders on a computer.

    To do this, use Run,  then type only the UNC path to the computer \\computername. This displays all the shared folders.


E-mail Me! Comments and suggestions? E-mail me at grantwil@sk.sympatico.ca
Last Updated: Wednesday, March 10, 1999 Grant Wilson, Tisdale, SK. Canada