Understanding the new Windows 2000 permission scheme

If you're used to Windows NT, then the new permission scheme for Windows 2000 may seem a little confusing at first. For one thing, there's a new type of permission called Web sharing. Brien Posey discusses and evaluates these changes.


Windows 2000 handles permissions very differently from Windows NT. Where Windows NT had two basic types of permissions, share permissions and file permissions, Windows 2000 has three: share permissions, file permissions, and a new type called Web sharing. Share permissions work the same way as they did in Windows NT, although several new features have been added, while file permissions have changed dramatically. In this Daily Drill Down, I’ll walk you through the new Windows 2000 permission structure, and I’ll explain how you can use these new permissions effectively.

Share permissions
The most basic type of permission is a share-level permission. Share permissions have existed in some form since Windows for Workgroups appeared. Basically, share permissions take a file on a hard disk and make it available to other people. If you’re using Windows 2000 in a domain environment, you can determine who can have access to a share; in a simple workgroup environment (like Windows 98), however, anyone who has the share password can access the share—regardless of their username. Usually, in a peer-to-peer (or workgroup) environment, access to a shared resource is controlled via multiple passwords. Thus, if users enter one password, they will receive full access to the share, but entering a different password might grant them read-only access to the same share.

To access the share permissions under Windows 2000, right-click on a file or directory that you would like to share. When you see the properties sheet, select the Sharing tab. Now, select the Share This Folder radio button to begin sharing the resource. As you can see in Figure A, you can set the share name to anything you want, and you can add a comment to help you remember the purpose of the share. You also can control how many people are allowed to access the share. Controlling the number of people who may access the share is handy for two reasons. First, if you’re sharing a resource from an older computer, your system may not have enough power to support a large number of users who need to access the share; it may be able to support only five users. Second, if you’re sharing commercial software, you may have a ten-user license for that product. In this case, you’ll want to limit the number of users who can access the share to the number of licenses that you have.

Figure A
Select the Share This Folder radio button to begin sharing the resource.


There are two other buttons on this tab that deserve explanations. First, the Permissions button allows you to control who has access to the share. You can grant access to users and to groups. For example, you might grant a user full control, but you might grant a group read-only access. Unless you’re working in a peer-to-peer environment, however, you should always set a share to give everyone full control (assuming that the share resides on an NTFS partition).

The second button that you should know about is the Caching button. Clicking the Caching button displays the Cache Settings dialog box. This dialog box gives you the ability to make the folder available whether the client is connected to the network (and the share) or not. Enable or disable the caching option via the Allow Caching Of Files In This Shared Folder check box. Through the Settings drop-down menu, you can set the caching to Manual Caching For Documents, Automatic Caching For Documents, or Automatic Caching For Programs.

By default, the cache size is 10 percent of the client’s free hard disk space. The cached files are stored in a folder called Offline Files. This folder is located in the root directory of a client’s hard disk, but you can move it with the Cachemov.exe tool in the Windows 2000 Professional Resource Kit. Of course, the caching only works for clients who are running Windows 2000 Professional. If you want to change the size of the cache, you may do so by going into the Offline Files folder and selecting the Properties command from the folder’s File menu.

Web sharing
Web sharing is a new addition to Windows 2000. It allows you to share a file or folder across the Internet. (It also allows you to share a printer across the Internet; thus, someone on the other side of the world would be able to print to your printer.) To share a folder on the Web, you must right-click that folder. Then, select the Properties command from the context menu that appears. When you see the folder’s properties sheet, select the Web Sharing tab. By default, the folder is set not to be shared across the Internet, but you can change that setting by selecting the Share This Folder button. Next, you’ll see a dialog box similar to the one shown in Figure B. This dialog box requires you to set up an alias, some access permissions, and some application permissions.

Figure B
You must set up an alias and some access and application permissions.


The alias is the name of the folder, as it will appear on the Web. (Obviously, for security reasons, you wouldn’t want to include a drive letter or path in the alias.) Next, you must set the access permissions. You can allow read or write access (or both) from across the Web. You also can allow Web clients to access script source or to browse the folder’s contents. Just select the appropriate check box if you need that sort of access. Again, due to security concerns, you shouldn’t enable any permission across the Web that isn’t absolutely necessary. Finally, you must set some application permissions with this dialog box. You may disable applications, allow for the execution of scripts only, or enable all applications, including scripts.

File permissions
The final type of permission in Windows 2000 is the file permission. File permissions are the most secure permissions, and they’re the preferred permissions for normal operations. File permissions may be applied only to those files and folders that reside on NTFS partitions. The advantage of file permissions is that they work no matter where a user is coming from. File permissions are as effective in protecting resources from users who come in from across the local network as they are in protecting resources from users who come in from across the Web. They even safeguard resources from dial-in users and from users who sit down at the server console and attempt to gain access from there.

File permissions have changed drastically since Windows NT 4.0 appeared. To access a folder’s file permissions now, you must right-click a folder that resides on an NTFS partition. Then, select the Properties command from the context menu that appears. Next, you’ll see the Properties sheet. Select the Security tab, and you’ll see the permissions for the folder.

As you can see in Figure C, by default, each folder is set to allow Everyone to have Full Control. You’ll also notice that the various check boxes for changing permissions are grayed out. By default, the folder is set to inherit the permissions of its parent folder. Therefore, if a parent folder is set to full control, the folder you see will be set to allow full control, too.

Figure C
By default, Everyone has Full Control on all file permissions.


To get around this problem, simply deselect the Allow Inheritable Permissions From Parent To Propagate To This Object check box. That way, you’ll enable all of the other check boxes on the screen. Now, you’re free to set your own permissions. You need to keep a few things in mind if you enable the other check boxes. First, a specific denial always overrides an allowance. Second, if the listed permissions don’t get the job done (for whatever reason), you can click the Advanced button. Doing so allows you to add or edit users and groups and to apply more extensive permissions. Some of these advanced permissions tend to become very complex, and you probably won’t ever have to use them.

When you click the Advanced button, it reveals the Access Control Settings properties sheet for the folder. The Permissions tab is only one section of this properties sheet. You can use the other tabs to implement auditing and to change the folder’s owner. (Although these tabs don’t relate directly to setting file permissions, I mention them because many people have asked about the location of these two features.)

Best practices
Now that you know about the various types of permissions, I should tell you something about the preferred method of using them. File permissions are cumulative with Web sharing and share permissions: if you set one set of permissions for a user at the share level and a different set of permissions for a group at the file level, the two sets combine to determine which access level a user gets for a particular directory. If you use both types of permissions, things can become very confusing, and it becomes difficult to troubleshoot why one user can’t access a specific resource or why another user has too much access to certain resources. To get around these difficulties, you should never restrict share permissions—unless you’re working with a non-NTFS partition on which file permissions won’t work. Instead, leave the share permissions wide open and set all permissions at the file level.

File permissions are also cumulative. For example, if a group has permission to access a folder and a user who’s a member of the group also has permission to access the same folder, the group permissions and the user permissions will combine to determine the user’s access level to the folder. Therefore, I recommend that you never give access to individual users. Instead, grant (or deny) file-level permissions to groups and make the user a member of the desired group. If you do so, you’ll avoid a lot of confusion.
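The cumulative behaviour described in this section, together with the rule that an explicit denial always overrides an allowance and the way share-level and file-level permissions combine when a folder is reached over the network, can be made concrete with a small model. The following Python is an added example, not part of the original article and not Windows’ own access-check code: it represents rights as sets, accumulates the Allow entries that apply to a user and to every group the user belongs to, subtracts anything an explicit Deny entry names, and, when the folder is reached through a share, keeps only the rights granted by both the share and the file permissions (the more restrictive of the two wins, which is why leaving the share wide open and doing all real work at the file level keeps troubleshooting simple). The group names (Sales, Managers), user names, right names and ACLs are constructed for the illustration.

```python
"""Simplified model of how share and file (NTFS) permissions combine.

Constructed teaching example: it is not Windows' own access-check code.
Rights are plain strings collected into sets; 'Everyone' is treated as an
ordinary group that every caller lists among their memberships.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Sequence

READ, WRITE, EXECUTE, DELETE = "read", "write", "execute", "delete"
CHANGE_PERMISSIONS, TAKE_OWNERSHIP = "change_permissions", "take_ownership"

# Standard bundles; the share-level choices are Read, Change and Full Control.
READ_ONLY = frozenset({READ, EXECUTE})
CHANGE = READ_ONLY | {WRITE, DELETE}
FULL_CONTROL = CHANGE | {CHANGE_PERMISSIONS, TAKE_OWNERSHIP}


@dataclass(frozen=True)
class Ace:
    """One access control entry: who, which rights, Allow (True) or Deny (False)."""
    principal: str
    rights: FrozenSet[str]
    allow: bool = True


def resolve_acl(aces: Iterable[Ace], user: str, groups: Iterable[str]) -> FrozenSet[str]:
    """Accumulate the Allow entries for the user and all of their groups, then
    remove anything an explicit Deny entry names (a denial always wins)."""
    principals = {user, *groups}
    allowed, denied = set(), set()
    for ace in aces:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)


def effective_access(user: str, groups: Iterable[str], file_acl: Sequence[Ace],
                     share_acl: Optional[Sequence[Ace]] = None) -> FrozenSet[str]:
    """Rights the user ends up with on the folder.

    share_acl is None for access that does not go through a share (console,
    dial-in). Otherwise only rights granted by BOTH the share and the file
    permissions survive, i.e. the more restrictive set wins."""
    ntfs = resolve_acl(file_acl, user, groups)
    if share_acl is None:
        return ntfs
    return ntfs & resolve_acl(share_acl, user, groups)


# Constructed sample ACLs (hypothetical groups and users).
SHARE_WIDE_OPEN = [Ace("Everyone", FULL_CONTROL)]   # the article's recommendation
SHARE_READ_ONLY = [Ace("Everyone", READ_ONLY)]      # a restricted share, for contrast
FILE_ACL = [
    Ace("Sales", READ_ONLY),
    Ace("Managers", CHANGE),
    Ace("alice", frozenset({WRITE}), allow=False),  # per-user Deny on top of group Allows
]

if __name__ == "__main__":
    everyone = {"Everyone"}
    # Group permissions accumulate: Sales (read) + Managers (change) = change.
    print(sorted(effective_access("bob", everyone | {"Sales", "Managers"}, FILE_ACL, SHARE_WIDE_OPEN)))
    # An explicit Deny removes write even though Managers allows it.
    print(sorted(effective_access("alice", everyone | {"Managers"}, FILE_ACL, SHARE_WIDE_OPEN)))
    # The same user gets Change at the console but only Read through a read-only share.
    print(sorted(effective_access("carol", everyone | {"Managers"}, FILE_ACL)))
    print(sorted(effective_access("carol", everyone | {"Managers"}, FILE_ACL, SHARE_READ_ONLY)))
```

The last two calls show why the article recommends leaving shares wide open: with a restricted share, the same user has different rights depending on whether they arrive over the network or at the console, and that difference is exactly what makes access problems hard to trace.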

Brien M. Posey is an MCSE who works as a freelance technical writer and as a network engineer for the Department of Defense. If you’d like to contact Brien, send him an e-mail. (Because of the large volume of e-mail he receives, it's impossible for him to respond to every message. However, he does read them all.)
