Working with Windows 2000 permissions

There are some significant differences in the ways Windows NT Server and Windows 2000 Server share and secure files. Brien Posey explains the different types of permissions and gives you some best practices for structuring your permissions.


If you've ever installed Windows 2000 Server, you've noticed that it's quite different from Windows NT Server. On the surface, the methods used for sharing resources across the network appear similar. In fact, if you upgraded from Windows NT Server to Windows 2000 Server, the Setup program would automatically make the transition for you, and you might never even notice that there's a difference in the way files are shared and secured.

In this Daily Drill Down, I'll walk you through an explanation of some of the major differences in the ways Windows NT Server and Windows 2000 Server share and secure files. I'm assuming that you have a basic understanding of networking and security within Windows NT, but are somewhat new to Windows 2000.
This article assumes that Windows 2000 is running in mixed mode. Active Directory is beyond the scope of this article.
Getting started
If you've been working with Windows NT for a while, then you know that Windows NT uses two basic types of permissions: file permissions and share permissions. When it comes to sharing files and directories through Windows 2000, though, there are three basic types of permissions you need to be aware of:
  • File level permissions
  • Share level permissions
  • Web share level permissions

Each of these types of permissions has its own specific purpose and setup method. In this Drill Down, I'll explain each type of permission and guide you through the setup process.

File permissions
The most basic permissions you can assign to files and directories through Windows 2000 are file permissions. File permissions, unlike the other types, can actually protect the files on your system from being accessed locally. If someone were to sit down at your server and log on locally, file permissions are the only type of permissions that would prevent that user from accessing unauthorized files.

The only real downside to file permissions is that they work only on NTFS partitions. Therefore, partitions running FAT or FAT32 are left unguarded at the local level.

To implement file level permissions, select a folder from an NTFS partition and right-click on it to access the folder's Context menu. Next, select the Properties command from the Context menu. When you do, you'll see the folder's properties sheet. Select the Security tab, and you'll see a screen similar to the one shown in Figure A.

Figure A
The Security tab of the folder's properties sheet lets you implement file level permissions.


As shown in the figure, this screen is divided into two sections. The top section is a list of users and groups. The bottom section is a list of access rights. In the top section, you can use the Add and Remove buttons to build a list of users and groups that you want to assign rights for. Once you've created this list, you can assign independent rights for each user or group on the list. To do so, select a user or group from the list.

When you do, you'll use the check boxes in the permissions section to assign rights to that user or group. As shown in Figure A, most of the permissions are self-explanatory. However, you might have noticed that you can either allow or deny each individual permission. Keep in mind that a Deny permission overrides any other permission that might have been set up to allow access.

Share permissions
To share a directory in Windows 2000, begin by navigating to the directory and right-clicking on it. When you do, you'll see the directory's Context menu. Select the Sharing command from the menu, and you'll be taken to the Sharing tab of the directory's properties sheet. This tab works similarly to its Windows NT counterpart, but with some important differences.

As shown in Figure B, the first thing you'll see on this tab is a choice of whether or not to share the directory across the network. To make the directory available across the network, select the Share This Folder radio button.

When you do, the Share Name field automatically gets filled in with the name of the directory. The share name is the name that other computers will use to access the directory from across the network. Usually, you'll want to keep the share name the same as the folder name to avoid confusion, but you can set the share name to anything as long as it's unique. You can’t have other shares on the PC with the same name.

Figure B
The Sharing tab of a directory's properties sheet allows you to share the directory across the network.


Directly below the Share Name section is a Comment field. You can use this field to enter a comment that helps you or others remember the purpose of the share point. Below the Comment field is the User Limit section. The purpose of this section is to help you stay within the parameters of your software licenses. For example, suppose you're sharing an application for which you own 10 licenses. Now, suppose you have 50 client access licenses to your server. Obviously, it would be illegal for all 50 clients to access the application at the same time. Therefore, you could use this section to limit the share point to allow only 10 concurrent connections. Of course, if the share point contains no licensed software, you can just use the Maximum Allowed setting to allow as many people as have access to the server to simultaneously access the share point.

If you've just created a share, you probably don't want just anyone to have access to your precious files. Therefore, you need to establish a set of permissions over the files to prevent them from falling into the wrong hands. To do so, click the Permissions button. When you do, you'll see the Permissions For dialog box, shown in Figure C.

Figure C
The Permissions For dialog box allows you to regulate who has access to the share point.


As shown in the figure, there are three types of permissions you can apply to any share point: Full Control, Change, and Read. To apply these permissions, simply use the Add and Remove buttons at the top of the dialog box to compose a list of users or groups that you want to set up privileges for.

If you want to make absolutely certain that a particular user or group doesn't gain access to the share point, go ahead and add them to the list and then assign the Deny option for each permission instead of using the Allow option that's selected in Figure C. Any time you assign someone an explicit Deny, the Deny option automatically overrides any other permissions that they might have had assigned to them in other places, such as through group memberships.

The final option available on the properties sheet's Sharing tab is through a button marked Caching. If you click the Caching button, you'll see a dialog box that allows you to control the way remote users cache the share at the local level. This means that Windows 2000 has a way of letting users access files from the network even when they aren't actually connected. This is done through a process called caching. Basically, when a user accesses the share point, it's copied to a hidden folder on the user's hard disk. That way, if the user needs to access the files while offline, their machine will automatically work off the local copy.

The Caching Settings dialog box allows you to determine whether this process is automatic or manual. If you set the process to automatic, then the contents of the directory will be automatically copied to the user's hard disk each time they access the folder. Setting the process to manual means that the user has to specifically request that the folder be made available offline. If you decide to use automatic caching, you can automatically cache either programs or documents.

Web share permissions
There are times when simply sharing resources with others on your network just isn't enough. If you need to share your folder with the world, you can do so using Windows 2000's Web Sharing option. This feature is new to Windows 2000, and it allows you to share folders (or even printers) across the Internet.

To access the Web Sharing option, select the directory you want to share and right-click on it to access its Context menu. Next, select the Properties command from the Context menu. When you do, you'll see the directory's properties sheet. At this point, select the Web Sharing tab.

As shown in Figure D, by default the folder isn't shared on the Web. You can change that, however, by selecting the Share This Folder radio button. When you do, you'll see a dialog box similar to the one shown in Figure E. This dialog box allows you to control the type of access you want to allow over the Internet.

Figure D
The Web Share tab allows you to make the folder available through the Internet.


Figure E
The Edit Alias dialog box allows you to control what types of access you want to grant to the new Web share.


You might have noticed that some of the permissions are a bit different from the permissions you've seen so far. The Access Permissions section contains the standard read and write permissions, but it also contains permissions for Script Source Access and for Directory Browsing.

Likewise, this dialog box also contains an Application Permissions section. This section lets you allow no access to applications, allow the running of scripts only, or allow users to run all applications including scripts.

Best practices
With all the different types of permissions available through Windows 2000, it's sometimes difficult to decide which to use. Therefore, I've included this section to provide some general guidelines on the most effective way to structure your permissions.

First, I recommend always using the NTFS file system on your servers. Once NTFS has been installed, you're free to implement file level permissions. Next, I recommend assigning NTFS permissions only to groups, never to individual users. Doing so will make your system more secure and easier to manage.

Once you've set up your file permissions, you'll still have to share the folder to make it available from across the network. I recommend setting your share level permissions to allow Everyone to have Full Control. The reason is that the file level permissions will take care of security whether it's related to local or network users. Adding a second set of permissions at the share level won't increase your security, but it does make things confusing. Having a double set of permissions also makes it tough to troubleshoot any security-related problems that you might have down the road.
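To make the two rules above concrete (an explicit Deny overrides any Allow, even one granted through group membership, from the Share permissions section, and the "Everyone: Full Control at the share, lock things down with NTFS" layout from this section), here is an added Python model of how Windows evaluates share and NTFS permissions. It is not code from the article; the group names, user names and ACLs are constructed samples, and inherited ACEs and ACE ordering are simplified away.

```python
"""Simplified model of Windows share + NTFS permission evaluation (added example).

Rules modelled:
  * a principal collects Allow rights from its own ACEs and from every group it belongs to;
  * any matching explicit Deny removes those rights, whatever Allow entries exist elsewhere;
  * over the network a user gets the NTFS rights intersected with the share rights,
    so a wide-open share (Everyone: Full Control) leaves the NTFS ACL as the only limit.
"""
from dataclasses import dataclass

# Rights are modelled as frozensets of named operations.
READ = frozenset({"read", "execute"})                         # share "Read" / NTFS "Read & Execute"
CHANGE = READ | {"write", "delete"}                           # share "Change" / NTFS "Modify"
FULL = CHANGE | {"change_permissions", "take_ownership"}      # "Full Control"


@dataclass(frozen=True)
class Ace:
    identity: str          # user or group name
    allow: bool            # True = Allow entry, False = Deny entry
    rights: frozenset      # rights the entry grants or removes


def effective_rights(acl, principals):
    """Rights a set of principals (a user plus its groups) holds under one ACL."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.identity in principals:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)    # explicit Deny wins over every Allow


def _principals(user, groups):
    return {user, "Everyone", *groups.get(user, ())}


def local_rights(ntfs_acl, user, groups):
    """Logging on at the console: only the NTFS (file level) permissions apply."""
    return effective_rights(ntfs_acl, _principals(user, groups))


def network_rights(share_acl, ntfs_acl, user, groups):
    """Access through the share: NTFS rights further limited by the share rights."""
    p = _principals(user, groups)
    return effective_rights(share_acl, p) & effective_rights(ntfs_acl, p)


# Constructed sample data laid out the way the article recommends.
GROUPS = {"alice": {"Finance"}, "bob": {"Finance", "Contractors"}, "carol": set()}
SHARE_ACL = [Ace("Everyone", True, FULL)]                              # share wide open
NTFS_ACL = [Ace("Finance", True, CHANGE),                              # rights go to a group
            Ace("Contractors", False, frozenset({"write", "delete"}))]  # Deny beats Finance's Allow

if __name__ == "__main__":
    for user in GROUPS:
        print(user, sorted(network_rights(SHARE_ACL, NTFS_ACL, user, GROUPS)))
```

Swapping the share ACL for `[Ace("Everyone", True, READ)]` shows the troubleshooting trap the section warns about: alice still has Modify-level rights at the console but only Read over the network.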

Finally, when it comes to sharing across the Web, I recommend using the Web Sharing security settings I discussed earlier. One last rule of thumb related to Web sharing is to share as few folders as possible, and provide the lowest level of rights possible.

Conclusion
Windows 2000 handles resource sharing and security differently than Windows NT does. In this Daily Drill Down, I outlined the differences and discussed some best practices for Windows 2000 security.

Brien M. Posey is an MCSE who works as a freelance technical writer and as a network engineer for the Department of Defense. If you’d like to contact Brien, send him an e-mail. (Because of the large volume of e-mail he receives, it's impossible for him to respond to every message. However, he does read them all.)

The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.