Security Policies

Sharing and permissions in Windows NT

 

Introduction to folder sharing

Sharing allows resources to be designated as being available to all users over a network. When a folder is shared, users can connect to the folder from across the network and access the files within, as though the folder were located on the hard drive of the computer they are currently using.

In order to increase network security, permissions can be applied to these resources to limit the actions that users can perform on them.
Once a folder is shared, users who have permission to it can access all the files and folders contained within.

Why share folders?

Folders are shared so that users can access applications, data, and user home folders over the network.

  • Keeping information together: Network application folders centralise system administration by specifying a single place for configuring and updating software.
  • Saving disk space: Data folders give users a central location to store and access files that they all use.
  • Data security: User home folders give users a central location for backing up their data.

Using shared folders is the only way to ensure the security of network resources on a FAT volume.

Shared folder permissions

Permissions may be applied to folders to control how a given user can use a resource. In FAT, there are four different permissions:

  • Full Control (default permission) lets users change file permissions. On NTFS volumes, the users can also own files and carry out any tasks that the permission allows.
  • Change lets users create folders and add files, as well as modify and add file data. They can also change file attributes, delete folders and files, and perform any tasks authorised by the Read permission.
  • Read lets a user see the names of folders and files, see file data and attributes, run program files, and browse within folders.
  • No Access only allows a user to connect to the shared folder. Access to the folder is forbidden and its contents are not shown.

Permissions granted to the user will not take effect until the next time he or she logs in (meaning that this system is non-dynamic).

Note that by default, "Full Control" permission is granted to the user group "Everyone." Therefore, before doing anything else, this group and its associated permissions must be deleted. Likewise, NEVER give "No Access" permission to the "Everyone" group, since the Administrator is part of this group. Your computer will be completely inaccessible and the only solution will be to reinstall Windows NT.

These two examples are a perfect illustration of security holes in Windows NT 4.0.

Granting permissions to users and groups

A user can have permissions attributed to him or her directly, or as a member of a group. Sometimes, a user may even be part of several groups that have different permissions on the same shared folder. Here is how these permissions are handled:

  • The user's permissions combine the differing permissions given to the different groups. Thus, a user in a group with "Read" permission on a folder who is also part of a group with "Full Control" permission on that same folder will have "Full Control" permission.
  • The only exception is the "No Access" permission, which is fully restrictive. If a user is part of both a group with "Full Control" permission on a folder and a group with "No Access" permission, the user will not be able to access that folder.
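
The combination rule above, together with the two "Everyone" pitfalls from the shared folder permissions section, can be expressed as a short audit routine. This is an added example, not code from the original page; the function names, share entries, users and groups are constructed for illustration, and the ranking assumes each permission includes the tasks of the one below it.

```python
# Added example: models the share-permission rules described on this page.
# Ranked so that combining cumulative grants yields the highest level (assumption).
LEVELS = {"Read": 1, "Change": 2, "Full Control": 3}
NO_ACCESS = "No Access"
EVERYONE = "Everyone"

# Constructed sample share ACL: trustee (user or group) -> share permission.
SAMPLE_ACL = {"Staff": "Read", "Editors": "Full Control", "Contractors": NO_ACCESS}


def effective_permission(user, groups, acl):
    """Return the user's effective share permission, or None if nothing is granted.

    Every user is treated as a member of Everyone. A user with no matching
    entry gets None (assumption: no entry means no access is granted).
    """
    trustees = {user, EVERYONE, *groups}
    granted = [perm for trustee, perm in acl.items() if trustee in trustees]
    if NO_ACCESS in granted:
        # "No Access" is fully restrictive and overrides every other grant.
        return NO_ACCESS
    if not granted:
        return None
    # Otherwise the grants combine, which gives the most permissive level.
    return max(granted, key=LEVELS.__getitem__)


def audit_share(acl):
    """Flag the two risky 'Everyone' entries the page warns about."""
    findings = []
    everyone = acl.get(EVERYONE)
    if everyone == "Full Control":
        findings.append("Everyone has Full Control (default entry never removed)")
    if everyone == NO_ACCESS:
        findings.append("Everyone has No Access (also locks out the Administrator)")
    return findings


if __name__ == "__main__":
    # Read + Full Control combine to Full Control.
    print(effective_permission("alice", {"Staff", "Editors"}, SAMPLE_ACL))
    # Full Control + No Access: No Access wins.
    print(effective_permission("bob", {"Editors", "Contractors"}, SAMPLE_ACL))
    # A freshly created share still carrying the default entry.
    print(audit_share({EVERYONE: "Full Control"}))
```
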


Last update on Thursday October 16, 2008 02:43:16 PM. This document entitled « Sharing and permissions in Windows NT » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy and modify copies of this page, under the conditions stipulated by the licence, as long as this note appears clearly.