With the NT file system (NTFS) in Windows XP, you can set file permissions at the local PC level in addition to the file-sharing permissions of the network environment. Along with this additional functionality comes complexity and the potential for all kinds of admin headaches. One harried manager wants to know why he can’t access the data on a colleague’s PC that he needs to assemble a presentation; another can’t figure out why the mailroom intern was able to browse the files he thought he had secured. More options mean more chances for confusion and user error, and if you don’t have a thorough understanding of the various permissions and their relationships, it can be nearly impossible to sort out a permission problem and find a solution.

We’ll review the file and folder permissions in Windows XP. Once you understand Windows XP permissions and how they interact, you’ll be able to troubleshoot permission issues that occur on your network more quickly.

Watch file-sharing and NTFS permission interactions
In any Windows network environment (peer-to-peer or server-based), you can set sharing permissions for drives and folders. By default, when you set up a PC on a network, no drives or folders on that PC are shared. The local user of that PC can then choose to share entire drives or individual folders on a drive. This type of security is not really that secure, however, because it affects only network access. Local access (that is, someone sitting down at the PC and logging on) is wide open.

For drives formatted with NTFS, you can set NTFS permissions. These can affect drives and folders and individual files too. NTFS permissions affect local users as well as network users and are based on the permission granted to individual user logons, regardless of where they’re connecting. You also have a much wider variety of permissions to choose from with NTFS permissions, so you can more precisely control the rights being granted.

When sharing permissions and NTFS permissions conflict, the most restrictive of the two wins. For example, if someone has full access to a certain file from NTFS permissions but has no sharing permissions to the folder in which it resides, he or she cannot access the file from the network. He or she can, however, physically sit down at the local PC containing the file, log in, and access it, because sharing permissions do not affect local access.

Working with shared folders
Shared folders provide remote access to the files on a PC. Folder sharing is available on drives using all types of partitions: FAT, FAT32, or NTFS. To share any folders (or any printers, for that matter) on a Windows XP PC, File And Printer Sharing For Microsoft Networks must be installed as a networking component. To check for it, right-click the Local Area Connection icon in the Windows XP taskbar and choose Status. From the Local Area Connection Status dialog box, select the Properties button to see the listing shown in Figure A. If File And Printer Sharing For Microsoft Networks doesn’t appear on the list, add it by clicking the Install button and choosing it from the Services category.

Figure A
File And Printer Sharing For Microsoft Networks must be installed to share folders over a network.

After File And Printer Sharing For Microsoft Networks is in place, you can share individual drives and folders by right-clicking a drive or folder and choosing Sharing And Security. When you do, the Sharing tab of the Properties dialog box will open.

Sharing is slightly different for drives than for files. With a drive, you might see a default share already set up. These have a dollar sign ($) following the share name, as shown in Figure B. Such shares are for administrative use only; ordinary users won’t be able to see or browse a drive shared in this way on the network. Consequently, if you want to share an entire drive like this on your network, you must create an additional share for it.

Figure B
C$ is the default administrative share for this drive; it doesn’t count as a user-to-user share.

To create a new share for a drive, click the New Share button and then fill in the Share Name, any comment you want to make, and a user limit for concurrent usage (if desired). While you’re in the New Share dialog box (see Figure C), you can click the Permissions button to specify who will have access to the shared drive or you can save that for later.

Figure C
Create a new share to allow other users to access the drive.

For a folder, the process is more straightforward because there are no default administrative shares. By default, a folder is set to Do Not Share This Folder. To share it, right-click the folder and select Sharing And Security from the resulting pop-up box. Choose the Share This Folder button and then enter a share name, comment, and user limit.

Regardless of whether you’re sharing a folder or a drive, you can configure permissions the same way: Display the Sharing tab and click the Permissions button. A Permissions dialog box will appear, as shown in Figure D. By default, all permissions are granted to everyone.

Figure D
Limit permission to the folder or drive, if desired.

If you plan to use NTFS permissions in conjunction with sharing permissions, you might want to leave the sharing permissions set at the default “free-for-all” settings and rely on the NTFS permissions to lock down certain sensitive items. However, if you aren’t going to use NTFS permissions, or if you can’t because the drive is FAT or FAT32, you might want to restrict access at the sharing level.

Note in Figure D the three types of sharing permissions:

  • Read: Users can display the contents of the folder, open files, display attributes, and run programs.
  • Change: Users have all the rights of Read, plus the ability to create new folders and files within the shared folder or drive, open and change files, change file attributes, and delete folders and files.
  • Full Control: Users have all of the rights of Change, plus the ability to take ownership of files and change file permissions.

Everything within a shared drive or folder inherits its sharing permissions. For example, if a shared drive has 10 folders, all of those folders have the same sharing permissions as the drive, unless they are set otherwise. Permissions are cumulative, which means that, in the event of a conflict between a specific folder’s permissions and those it has inherited from the drive (or parent folder), the most lenient wins. For example, if you allow Read access on a folder and don’t allow Change or Full Control on that folder, but the drive itself allows Full Control, that folder will also have Full Control access permitted.

For each setting (Read, Change, and Full Control), you can choose the option to Allow or Deny. The default is set to Allow. If you don’t want to allow a particular permission, you simply deselect the Allow check box. “Disallowing” something (that is, turning off Allow permissions for it) takes away that right but enables the folder to inherit permissions from the parent folder or drive.

Tip: Don’t Deny

The Deny option should be used sparingly because it overrides any more lenient permissions. For example, if you set Read access for a folder to Deny and the drive on which the folder resides allows Full Control, everything on that drive will have Full Control access except for that folder, which will have no access at all.

When you share a folder or drive, only one group has permissions assigned by default: the Everyone group. That means all users will have the same permission rights to the object, regardless of any group affiliation. You can delete the Everyone group from the list and/or add other groups or individuals to the permissions list. You might, for example, delete the Everyone group from the list entirely or leave it there and set it to allow Read permission only and then add the Administrators group to the list and grant that group Full Control.

To add a group or user to the permissions list for an object, start from the Permissions dialog box (Figure D), click the Add button, type the user or group you want in the Select Users Or Groups object name box (Figure E), and click the OK button. If you don’t know the exact name of the group or user, click on the Advanced button and select Find Now to perform a search on the available choices. When you’re finished, click OK to return to the Permissions dialog box. The users and groups you chose will appear on the Permissions list, ready to have their permission levels set.

Figure E
Specify other users or groups to receive permissions.

Tips for using sharing permissions effectively

Grant only the permissions that a group or user needs; disallow all others. In most cases, Change permission is all a user needs for a drive or folder. Change enables users to run programs, edit files, and so on.

Don’t allow Full Control for a drive to the Everyone group. If certain users must have complete control of a drive, assign Full Control to a particular group or create a group for that purpose.

Don’t use the Deny option unless you have a specific reason to do so. It’s easy to forget that you’ve used the Deny option and spend fruitless hours troubleshooting a file access issue because of it.

Assign sharing permissions to groups, rather than individuals, to minimize administrative work.

Use descriptive share names to help users locate the shared drives or folders they want.

Group the folders that need to have the same sharing permissions assigned together in a single folder and then assign the permissions to the parent folder.

Get file permissions right the first time
The proper sharing of files on a network is of extreme importance to you, the network administrator. Without a thorough understanding of how Microsoft configures file sharing, you’ll find your users making daily demands of your time to fix file access problems. Upcoming articles will specifically address NTFS permissions in Windows XP and using the two types of permissions effectively.