Planning Access to Shared Folders
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
When you plan access to shared folders, determine the type of permissions to use, who needs access to the folders, and the level of access that users require. You can also disable administrative shares and hide shared folders.
Determining the Type of Permissions to Use
Permissions define the type of access granted to a user or group for a file or folder. Windows Server 2003 offers two types of permissions:
NTFS permissions restrict local and remote access to files and folders on NTFS volumes. When you create a new folder, it inherits permissions from its parent folder. When you create a file in a folder, the file inherits permissions from the parent folder.
Share permissions restrict remote access to shared folders, but share permissions do not restrict access to users who log on to the server locally. Share permissions are available on both FAT and NTFS volumes.
To simplify administering and troubleshooting permissions, use NTFS permissions to control user and group access to file system resources.
Although NTFS permissions are recommended as the primary method for securing folders, keep in mind that default share permissions are assigned when you share a folder, and the default share permissions have changed for Windows Server 2003. Windows 2000 and Windows XP grant the Everyone group the Full Control share permission, but Windows Server 2003 grants the Everyone group the Read share permission. This change increases the security of shared folders and helps prevent the spread of viruses.
Because the more restrictive permissions always apply when you use a combination of share and NTFS permissions, you might need to change the default share permissions if you want users to be able to add or change files in the folder. If you do not change the default share permissions, users will have the Read share permission even if you grant users NTFS permissions such as Write or Modify.
If you use a clustered file server, you must create share permissions by using the Cluster Administrator snap-in, not Windows Explorer. In addition, if you plan to use the Share Subdirectories option, you must use NTFS permissions to secure the subdirectories. For more information about these options, see "Planning Cluster Security" later in this chapter.
Determining Who Needs Access to the Folders
To increase security and prevent users from browsing through shared folders that are not relevant to their jobs, assign permissions only to groups that require access to the shared folders.
To reduce administrative overhead when assigning permissions, do the following:
Assign permissions to groups rather than to users.
Place users in global groups or universal groups, nest these groups within domain local groups, and then assign the domain local groups permissions to the folder.
You do not need to deny permissions for specific groups. When permission to perform an operation is not explicitly granted, it is implicitly denied. For example, if you allow the Marketing group, and only the Marketing group, permission to access a shared folder, users who are not members of the Marketing group are implicitly denied access. The operating system does not allow users who are not members of the Marketing group to access the folder.
Deny access to folders only in the following scenarios:
You want to exclude a subset of a group (for example, an individual user) that has permissions.
You want to exclude one or more special permissions when you have already granted Full Control to a user or group.
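The two rules above (the more restrictive of share and NTFS permissions applies to remote users, and an operation that is not granted is implicitly denied) can be checked with a simplified model. This is an added example, not Microsoft's code: the access-mask constants are the standard Windows values, while the user names, group names, ACLs and helper functions are constructed for illustration, and ACE ordering and inheritance are ignored.

```python
# Standard Windows access-mask values for the basic permissions.
READ, WRITE, MODIFY, FULL_CONTROL = 0x120089, 0x120116, 0x1301BF, 0x1F01FF
SHARE_READ, SHARE_CHANGE, SHARE_FULL = 0x1200A9, 0x1301BF, 0x1F01FF

def granted(acl, sids):
    """Allowed bits for the caller's identities, minus denied bits.
    Bits that no entry grants stay 0, which is the implicit deny."""
    allow = deny = 0
    for kind, trustee, mask in acl:
        if trustee in sids:
            if kind == "deny":
                deny |= mask
            else:
                allow |= mask
    return allow & ~deny

def effective(user, groups, ntfs_acl, share_acl=None):
    """share_acl=None models a local logon: share permissions are not checked."""
    sids = {user, "Everyone", *groups}
    mask = granted(ntfs_acl, sids)
    if share_acl is not None:
        mask &= granted(share_acl, sids)  # the more restrictive result applies
    return mask

def can(mask, wanted):
    return (mask & wanted) == wanted

# Constructed ACLs: Marketing has Modify, one member (temp1) is excluded.
NTFS_ACL = [("allow", "Marketing", MODIFY),
            ("allow", "Administrators", FULL_CONTROL),
            ("deny", "temp1", FULL_CONTROL)]
DEFAULT_2003_SHARE = [("allow", "Everyone", SHARE_READ)]
ADJUSTED_SHARE = [("allow", "Marketing", SHARE_CHANGE),
                  ("allow", "Administrators", SHARE_FULL)]

def report():
    cases = [("alice remote, default share", "alice", ["Marketing"], DEFAULT_2003_SHARE),
             ("alice remote, adjusted share", "alice", ["Marketing"], ADJUSTED_SHARE),
             ("alice local logon", "alice", ["Marketing"], None),
             ("bob (Sales) remote", "bob", ["Sales"], ADJUSTED_SHARE),
             ("temp1 remote, explicit deny", "temp1", ["Marketing"], ADJUSTED_SHARE)]
    out = {}
    for label, user, groups, share in cases:
        mask = effective(user, groups, NTFS_ACL, share)
        out[label] = (can(mask, READ), can(mask, WRITE))
    return out

if __name__ == "__main__":
    for label, (r, w) in report().items():
        print(f"{label:30} read={r} write={w}")
```

With the default share ACL, the Marketing user can read but not write despite holding NTFS Modify; the Sales user needs no Deny entry to be kept out.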
If you plan to redirect your users’ My Documents folders, note that each user is granted exclusive access to his or her My Documents folder on the file server. If you need to access a user’s My Documents folder, you have two choices: take ownership of the folder or follow the instructions provided in article Q288991, "Enabling the Administrator to Have Access to Redirected Folders" in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Determining the Level of Access That Users Require
Assign the most restrictive permissions that still allow users to perform required tasks. The following descriptions explain the permissions that are associated with folders on NTFS volumes.
Write: Users can copy or paste new files and subfolders in the folder and change folder attributes. However, users cannot open or browse the folder unless you grant the Read permission. Assigning Write permission is useful for folders where users can file confidential reports, such as timesheets, that only the manager or shared folder administrator can read.
Read: Users can see the names of files and subfolders in a folder and view folder attributes, ownership, and permissions. Users can open and view files, but they cannot change files or add new files. Assign the Read permission if users need only to read information in a folder and they do not need to delete, create, or change files.
List Folder Contents: Users can see the names of files and subfolders in the folder. However, users cannot open files to view their contents.
Read & Execute: Users have the same rights as those assigned through the Read permission, as well as the ability to traverse folders. The Traverse Folder right allows a user to reach files and folders located in subdirectories, even if the user does not have permission to access portions of the directory path.
Modify: Users can delete the folder and perform the actions permitted by the Write and Read & Execute permissions. Because Modify gives users the ability to delete the folder, use Modify permission only for administrators or for the group or department owner of the folder.
Full Control: Users can change permissions, take ownership, delete subfolders and files, and perform the actions granted by all other permissions. Because Full Control gives users the ability to delete the folder, use Full Control permission only for administrators or for the group or department owner of the folder.
For more information about permissions and file servers, see "Permissions on a file server" in Help and Support Center for Windows Server 2003.
Determining Whether to Disable Administrative Shares
Windows Server 2003 creates shared folders, known as administrative shares, by default when you start a server or when you stop and then start the Server service. These folders are shared for administrative purposes, and they allow users and applications with the appropriate administrative rights to gain access to the system remotely. For example, some backup software applications use these shares to remotely connect to systems to back up data.
Administrative shares have default share permissions that restrict access to members of only a few security groups. Each share name is appended with a dollar sign ($), which hides the share from users who browse the server. One type of administrative share is the root folder of every volume (C$, D$, and so on).
You can disable these administrative shares temporarily or permanently. For more information about disabling administrative shares and an overview of remote administration, see the Storage Technologies Collection of the Windows Server 2003 Technical Reference (or see the Storage Technologies Collection on the Web at http://www.microsoft.com/reskit).
Determining Whether to Hide Shared Folders
You can hide a shared folder by appending a dollar sign ($) to the shared folder name. Hiding shared folders is useful when you want to make a shared folder available over the network while keeping it hidden from people browsing on the network.
Hiding shared folders does not necessarily make them more secure, because anyone who knows the name of the server and the shared folder can connect to it. Therefore, you must set the necessary NTFS permissions on the shared folder so that access is granted only to the appropriate groups.