Create and control shared folders in Windows XP

With Windows XP's default reliance on simple file sharing, the process got a little bit cloudier. This article clears up any confusion and shows you how to take finer-grained control of sharing permissions.

Creating file shares in Windows 2000 was easy: Right-click on the folder, click Properties, click the Sharing tab, and away you go. It worked right out of the box.

Not so with Windows XP, in which file sharing is more problematic because it’s disabled by default. This is a more secure default configuration; users have to knowingly and actively enable file sharing for it to work.

As in previous versions of Windows, Windows XP lets you create shares through three primary interfaces:
  • Windows Explorer
  • The Computer Management console
  • The Command Prompt

Create a share using Windows Explorer
The most common way to create shared files is via Windows Explorer. If you have a Windows XP computer that is a member of a Windows 2000 or Windows NT 4.0 domain, everything works pretty much as it used to. However, getting file sharing to work on a Windows XP computer that is a member of a workgroup can make for a wild ride. Let’s look at the steps involved in creating a file share on a Windows XP Professional computer that’s a workgroup member:
  1. Create a new folder on the desktop and leave the name as New Folder. Right-click on the New Folder icon and click on the Sharing And Security command.
  2. This will open the New Folder Properties dialog box with the Sharing tab exposed, as shown in Figure A. Notice that you can’t immediately start sharing the folder. In the Network Sharing And Security area, you have two choices: Network Setup Wizard or If You Understand The Security Risks But Want To Share Files Without Running The Wizard, Click Here. The former option opens a somewhat arcane wizard that’s aimed at home or SOHO users who don’t have system administrators on staff. The wizard helps set up home networking features, such as IP address configuration and workgroup name. As a system admin, you don’t need to use the wizard. Just click on the latter option to start sharing files and folders.

Figure A
Avoid the sharing wizard, which is targeted at home users.

  3. You’re not out of the woods yet. You’ll next see the dialog box shown in Figure B. If you select Use The Wizard To Enable File Sharing (Recommended), you’ll see the same wizard you tried to avoid earlier. Select Just Enable File Sharing and click OK.

Figure B
Again, decline XP's insistence that you use the wizard.

  4. After you enable file sharing, you’ll see the screen shown in Figure C. This dialog box represents the simple file sharing method of sharing files. Notice the two frames: Local Sharing And Security and Network Sharing And Security. If you’re used to Windows NT 4.0 or Windows 2000, you’ll find this nomenclature somewhat odd. The Local Sharing And Security settings are related to NTFS access controls placed on the folder and its contents. When you use simple file sharing, other users won’t have access to the folder or its contents unless you drag the folder into the Shared Documents folder. This is because NTFS access control lists (ACLs) prevent users from accessing the files. The ACLs on the Shared Documents folder allow everyone almost full control of what is contained in that folder. However, this isn’t “sharing” as we’re used to thinking about it, because file shares are accessible over the network. To share the folder, you must place a check mark in the Share This Folder On The Network check box.

Figure C
The Sharing tab appears after you allow file sharing.

  5. Next, the Allow Network Users To Change My Files option becomes available and is selected by default, as shown in Figure D. If you don’t want users to have the ability to write or change the file, you must remove the check mark from this check box. Click Apply and then click OK.

Figure D
You may want to turn off the default Allow Network Users To Change My Files option.


When you share a folder using simple file sharing, the Everyone group is given permission to access the folder. If the Allow Network Users To Change My Files option is selected, then Everyone can write to and change the files. Someone at Microsoft must have thought this simple file sharing routine was easier than the traditional methods, but I find it very confusing. The problem with simple file sharing is that you have no idea what the exact share and NTFS permissions are on the folder. Simple file sharing completely hides NTFS permissions not only on folders, but also on all files.

Let’s fix this problem. Perform the following steps so that you can view the actual share and NTFS permissions on the folder:
  1. Open the New Folder.
  2. In the New Folder window, click the Tools menu and click the Folder Options command.
  3. Click on the View tab and scroll down to the bottom of the list of options, as shown in Figure E. Remove the check mark from the Use Simple File Sharing (Recommended) option. Click Apply and then click OK.

Figure E
This last check box will enable or disable simple file sharing.

  4. Close the New Folder window. Right-click on the New Folder icon on the desktop and select the Sharing And Security command.
  5. The Properties dialog box will have changed, as shown in Figure F. The Sharing tab shows a more traditional set of options, and the Security tab, on which you can view NTFS permissions, will now appear. To see the share permissions on this folder, click the Permissions button.

Figure F
Create a share using traditional methods.

  6. Now you can see that the actual share permission is Everyone Full Control, as shown in Figure G. This is the share permission when you set simple file sharing to allow network users to change files. Click Cancel to close the Permissions dialog box.

Figure G
Simple file sharing gives Everyone full control.

  7. Click on the Security tab. You’ll see that the Everyone group has Modify, Read & Execute, List Folder Contents, Read, and Write NTFS permissions, as shown in Figure H. Click Cancel to close the New Folder Properties dialog box.

Figure H
The Security tab gives you a full run-down of the Everyone group's permissions.


Create a share using the Computer Management console
You can sometimes use the Computer Management console to create new file shares on a machine in a workgroup environment. I say sometimes because it appears that, on some occasions, this option isn’t available to Windows XP Professional computers that aren’t members of a domain. But, if the machine was at one time a member of a domain and then was removed from the domain, sometimes the option to use the Computer Management console to create a new share is available. I suspect this is related to whether simple file sharing is available or not, but I haven’t been able to identify consistent behavior in this area.

Note
This method always works when the machine is a member of a Windows 2000 domain.

Perform the following steps to create a file share using the Computer Management console:
  1. Click Start, then right-click on My Computer. Click the Manage command.
  2. Expand the System Tools node and then expand the Shared Folders node.
  3. Right-click on the Shares node and click the New File Share command.
  4. In the Create Shared Folder dialog box, shown in Figure I, type the information for Folder To Share, Share Name, and Share Description. Click Next.

Figure I
Make sure to type the full path to the folder or use the Browse button.

  5. On the second page of the wizard, shown in Figure J, select the option for the appropriate permissions. For maximum control, I suggest you select the Customize Share And Folder Permissions option. Click Finish after configuring the permissions. If you select the Customize option, you must click on the Custom button and configure the appropriate share and NTFS permissions or the Finish button won’t be available.

Figure J
Choose to control your share's properties.

  6. You’ll see a dialog box informing you that the share was created successfully. It will also ask if you want to create another share. Click No.

Create a share using the Command Prompt
Another popular way of creating file shares is to use the net share command line tool. Open a Command Prompt and type net share /?. You’ll see the screen shown in Figure K.

Figure K
The net share options are fairly straightforward.


You can create or delete shares using the net share command. For example, if you have a folder on the C: drive named STUFF, you can share the folder by issuing the following command:
net share STUFF=c:\STUFF

Some switches allow you to limit the number of users that can connect to the share at the same time and to control how file caching is performed for the share. If you don’t specify these options, the defaults for your installation will be used. These defaults are different depending on whether or not your machine is a member of a Windows 2000 domain. Note that you cannot set share permissions using the net share command.

Managing file shares
You can do several things to manage and manipulate file shares on your machine. Many file share management tasks can be performed from the Computer Management console. To manage file shares from the Computer Management console, perform the following steps:
  1. Click Start and right-click My Computer. Click the Manage command.
  2. Expand the System Tools node and then expand the Shared Folders node.
  3. Click on the Shares node, shown in Figure L. From here, you can view the current shares on the local computer and the number of current connections to a particular share. If you right-click on any of the shares, you can look at the share properties to view share and NTFS permissions. You can also unshare a folder by right-clicking on a share and selecting the Stop Sharing command. If you right-click the Shares node in the left pane, point to All Tasks, and click Send Console Message, you can send a net send message to the users connected to the share.

Figure L
The Shares node shows the status of your shares.

  4. Click on the Sessions node and you’ll see the screen shown in Figure M. In the right pane of the Sessions node, you can see which users are connected to the machine, how long they’ve been connected, and how many files the user has open. You can disconnect a particular user by right-clicking on the user entry in the right pane of the console.

Figure M
If you right-click the Sessions node in the left pane, you have the option to disconnect all users.

  5. Click the Open Files node in the left pane of the console, shown in Figure N. Here, you can see which files or shares are open and which user has them open. You can right-click on the open file and close the file. If you want to close all open files, right-click on the Open Files node in the left pane and click the Disconnect All Open Files command.

Figure N


Windows XP Home issues
Windows XP Home Edition works like Windows XP Professional, with the exception that you cannot turn off the simple file-sharing feature. This is a major blow to Windows XP Home Edition users who use the NTFS file system. These users will never have access to the Security tab. Thus, they don’t have any graphical interface to configure NTFS permissions on files or folders. Here’s the workaround for this problem: the cacls command line tool. Cacls doesn’t represent much of a problem to system administrators who are accustomed to using command line tools, but this does present a significant barrier to nonprofessional home users.
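
The net share and cacls steps from the Command Prompt section and the paragraph above, combined into one batch file that creates a share and then tightens the NTFS permissions that simple file sharing hides. This is an added example, not part of the original article; the folder C:\STUFF and share name STUFF follow the article's example, while the 5-connection limit and the remark text are assumed values.

```batch
@echo off
rem Added example, not from the original article.
rem FOLDER and SHARE follow the article's STUFF example; the user limit
rem and remark text below are constructed values.
setlocal
set FOLDER=C:\STUFF
set SHARE=STUFF

if not exist "%FOLDER%" mkdir "%FOLDER%"

echo --- NTFS permissions before any change ---
cacls "%FOLDER%"

rem Create the share, capped at 5 simultaneous connections.
net share %SHARE%="%FOLDER%" /USERS:5 /REMARK:"Read-mostly share"
if errorlevel 1 goto fail

rem net share cannot set share permissions, so restrict access with NTFS:
rem   /E  edit the existing ACL instead of replacing it
rem   /T  apply to the folder and everything below it
rem   /P  replace the named account's rights (R = Read)
rem Only downgrade Everyone if an Everyone entry is already present;
rem otherwise /P would add a new Read entry for Everyone.
cacls "%FOLDER%" | find /I "Everyone" >nul
if not errorlevel 1 cacls "%FOLDER%" /T /E /P Everyone:R

rem Give the account running this script Change (C) rights so it can
rem still write to the folder.
cacls "%FOLDER%" /T /E /G %USERNAME%:C

echo --- NTFS permissions after the change ---
cacls "%FOLDER%"

echo --- Share settings ---
net share %SHARE%
goto :eof

:fail
echo Could not create share %SHARE%; NTFS permissions were left unchanged.
exit /b 1
```

Compare the two cacls listings to confirm that the Everyone entry now shows R rather than C; on Windows XP Professional the same result can be checked on the Security tab once simple file sharing is turned off.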

Some improvements, with a little overhead
Windows XP provides some new ways to configure file shares. The goal of the new Windows XP methods and approach to file sharing is to improve the level of security on Windows XP machines. If you use simple file sharing, you must explicitly share a folder with the knowledge that everyone has at least Read access. If you decide to give Change access, then you know that all users have the ability to change a share’s contents. However, Windows XP does allow you to use more traditional methods of configuring file shares if you turn off simple file sharing.

 