Folder sharing is used whenever one computer user needs access to a file on another computer's file system. Once a folder is shared, all files and subfolders receive the same shared permissions. Shared permissions apply to the entire folder and not to specific files. Both NTFS and FAT volumes require that shared folder permissions be set for network users to gain access. FAT volumes have no local user authentication, but shared permissions provide security for remote users. Only NTFS volumes can apply file permissions to the objects in a shared folder.
Several additional user rules govern the use of shared folders:
The effective permission is an accumulation of the user's individual and group membership rights.
Deny permissions always cancel corresponding Allow permissions.
A copy of a shared folder does not retain the "shared" status.
Shared folder status is discarded when a folder is moved.
Shared folders work in the same manner for Windows Server 2003 domains and workgroups. The only measurable difference is in who can create them. In a Windows Server 2003 domain environment, the built-in Administrators and Server Operators groups can establish shared folders throughout the domain. In the workgroup, the Administrators and Power Users groups have authority to share folders on the individual server. These two groups can also share folders on standalone servers and on Windows 2000 Professional and Windows XP installations.
The creation of a shared folder is similar to application of permissions to a file or folder. The following steps set shared permissions:
Log on with administrative privileges.
Open Explorer, right-click the folder you want to share, and select Properties.
Select the Sharing tab and click Share this folder, as shown in Figure 9.20.
Click Permissions. The Permissions for Software Config dialog box appears, as shown in Figure 9.21.
Three levels of available permissions are presented for each of the named users or groups. Select the Allow permission(s) that apply. While you can also Deny a specific right, it is generally advisable to use an affirmative approach.
Read allows a user to open files and see subfolder names.
Change allows all privileges offered by Read permissions and allows users to change file contents and delete and create files and subfolders.
Full Control allows all privileges offered by Change and adds the ability to take ownership and modify permissions.
The default share permissions give Full Control to Everyone. To restrict access to only the users and groups you add, remove the Everyone group by selecting Everyone and clicking Remove. To add users or groups:
Click Add (Figure 9.21).
The Select Users, Computers, or Groups dialog appears.
NOTE
The From this location menu displays your domain and other trusted domains. You may add users or groups and then assign shared permissions. Note that a user account in a trusted domain must be selected from its domain, not the local domain.
Using the Locations dialog box (Figure 9.22), select the domain where the user or group resides.
Type the name of a desired group or user in the Enter the Object names to select box and click Check Names. Select an object and click Add.
Click OK.
NOTE
In connecting to shared folders, there are three common scenarios:
The user is accessing a shared folder in your domain. In this case, she can use her user name and password in the standard form.
The user is accessing a shared folder from another untrusted domain. She must use a user name and account for the domain in which the share resides.
The user is accessing a shared folder from another trusted domain. Important: She must use a user name and password from her home domain. The user name should be in the form domainname\username.
Once a share has been created, clients may connect to the folder using one of three methods: (1) map a network drive; (2) use My Network Places; and (3) use the Start → Run menu option.
Mapping a network drive makes a remote shared folder available to the local machine via Explorer or My Computer. From all appearances, the remote shared folder looks local. Mapping follows these steps:
From My Computer, select Tools → Map Network Drive.
Select the drive letter to be associated with the remote share from the Drive drop-down list (Figure 9.23).
Click Browse, then search for the desired network share. Ensure that the share is addressed in the form \\servername\sharedfolder.
From this dialog, you may also log on to the share with another user name. (This is required for access to a share in a trusted domain.)
The new folder share will be accessible from My Computer as the Drive letter.
My Network Places can also facilitate access to a shared folder. To use it, follow these steps:
From My Network Places, find the computer containing the share. If you have trouble connecting to the desired computer, click Search, enter the computer name, and click Search Now.
Open the desired shared folder. If required, enter the appropriate user name according to the preceding note.
Another approach to gaining access to a shared folder is the Run command. To use this option:
Select Start → Run. The Run window appears, as shown in Figure 9.24.
Enter the name of the server with the path to the desired share in the form \\servername\sharefolder.
Click OK.
A share may be accessed from Internet Explorer using the share's Uniform Naming Convention (UNC) name. From the URL address field, enter the share name in the form \\servername\sharefolder. A shared folder address may be added to the Favorites list for convenient access.
Windows Server 2003 special shares are system root folders accessible to the network but not necessarily visible to normal users. There are several types of administrative share folder, as shown in Table 9.6.
Additional shares may be added for different services. For instance, the Certificate Authority adds its own share when installed. The Shared Folders snap-in may be added to any management console to display all shared folders (Figure 9.25).
The Sessions node displays users and systems currently accessing network shares. The administrator can selectively terminate connections or terminate all sessions at once (Figure 9.26).
The Open Files node displays the files currently being accessed from shares. Individual files may be closed or all files may be closed at once (Figure 9.27).
Share Name | Description |
---|---|
Admin$ | The root system folder is by default C:\Winnt, but may have been placed in a different volume or under a different name during installation. The Administrator group is granted full control and is the only group with any access to this shared folder for remote administration. |
Drive$ | Each volume is associated with a disk drive designation. A$ and B$ are reserved for floppy disk volumes. C$ through Z$ are designations for hard disks, CD-ROMs, and removable media. The Administrator group has full control over these volumes. |
IPC$ | Shared memory space for interprocess communication when accessing remote shares and remotely administering a computer. |
NETLOGON | Space used by the Net Logon service during logon. Startup/logon scripts are accessed here. |
print$ | Used for shared printers and contains the device drivers. Administrators, Server Operators, and Print Operator group members have full control over this shared folder. |
SYSVOL | Used by the Net Logon service and provides access to Active Directory information. |
NOTE
With Windows Server 2003, it is now possible to use Group Policy to set up Netlogon properties. This simplifies the steps to configure domain members when adjusting Netlogon settings. To use this feature go to the Active Directory Snap-in Group Policy. This can be applied to the properties of any domain, organizational unit, or site object.
While the permissions associated with a shared folder are automatically inherited by the files and subfolders, it is possible to apply additional permissions to individual files on an NTFS volume. Doing so provides greater security for the contents of a shared folder. Both the NTFS permissions and shared folder permissions are applied to objects. Remember that the most restricted set of permissions is used. For example, if the shared folder permits a user only Read permissions, Read will be the overriding permission level even if an individual file delegates the user Full Control NTFS permissions.
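The rules listed earlier (rights accumulate across a user's own entries and group memberships, and Deny cancels the corresponding Allow) combine with the most-restrictive rule for share and NTFS permissions as sketched below. This is an added example, not part of the original text: it is a simplified model rather than Windows' actual access check, it treats NTFS permissions with the same three levels as share permissions, and the user and group names are hypothetical.

```python
# Added illustration: a simplified model, not Windows' actual access-check code.
# Atomic rights follow the page's description of the three share levels.
READ = frozenset({"read"})
CHANGE = READ | {"write", "create", "delete"}
FULL_CONTROL = CHANGE | {"take_ownership", "change_permissions"}
LEVELS = {"Read": READ, "Change": CHANGE, "Full Control": FULL_CONTROL}


def layer_rights(acl, principals):
    """Rights one ACL (share or NTFS) gives a user with these principals.

    acl: list of (principal, "allow" | "deny", level name) entries.
    principals: the user's own name plus every group the user belongs to.
    """
    allowed, denied = set(), set()
    for principal, kind, level in acl:
        if principal not in principals:
            continue
        (allowed if kind == "allow" else denied).update(LEVELS[level])
    # Allow entries accumulate; a Deny cancels the corresponding Allow.
    return allowed - denied


def effective_rights(share_acl, ntfs_acl, principals):
    """Network access is limited by both layers: only rights both grant."""
    return layer_rights(share_acl, principals) & layer_rights(ntfs_acl, principals)


def level_name(rights):
    """Highest named level fully covered by a set of rights, or 'No access'."""
    for name in ("Full Control", "Change", "Read"):
        if LEVELS[name] <= rights:
            return name
    return "No access"


# Constructed sample data: user and group names are hypothetical.
alice = {"alice", "Engineering", "Everyone"}
share_acl = [("Everyone", "allow", "Read")]
ntfs_acl = [("alice", "allow", "Full Control")]

if __name__ == "__main__":
    # The page's example: share grants Read, NTFS grants Full Control -> Read.
    print(level_name(effective_rights(share_acl, ntfs_acl, alice)))
```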
Like users, computers, and printers, files and folders may be published to the Active Directory. The Active Directory provides a way to locate published files and folders and secures permissions on the resources. To publish a file or folder, share out the folder and complete the following:
Open the Active Directory Users and Computers snap-in.
Right-click the desired domain node or Active Directory container and select New → Share Folder.
Enter a name for the share to publish in the Shared Folder Name field.
Enter a path to the network share in the Network Path field in the form \\servername\sharedfolder. Click OK.
The shared file or folder should now appear in the Active Directory and be available for lookup from the Global Catalog.