Question

  • Creator
    Topic
  • #2150289

    Managing local share access

    Locked

    by 10925805 ·

    I am running Windows XP Pro SP2. I need to prevent an administrative or power user from adding or modifying any local shares.

All Answers

  • Author
    Replies
    • #2908016

      Clarifications

      by 10925805 ·

      In reply to Managing local share access

      Clarifications

    • #2908011

      Re: Managing local share access

      by Anonymous ·

      In reply to Managing local share access

      If you’re working on a Windows XP Professional system that is connected to a network, you can share one or more of that system’s folders with other computers and users on that network. Drive volumes and folders are not automatically shared for all users in Windows XP Professional. Members of the Administrators group and the Power Users group, discussed later in this chapter, are the only users who retain the rights to create shared network folders.

      Managing Access to Shared Folders

      Windows XP Professional implements a new feature called Simple File Sharing, which is enabled by default when the computer is stand-alone or a member of a network workgroup. Simple File Sharing is disabled when the computer is a member of a Windows domain. Simple File Sharing creates a Shared Documents folder, inside of which it creates two subfolders, Shared Pictures and Shared Music. Remote users who access a shared folder over the network always authenticate as the Guest user account when Simple File Sharing is enabled. The Properties sheet for a shared folder under Simple File Sharing configures both share permissions and NTFS permissions (if the shared folder is stored on an NTFS volume) simultaneously; you are not allowed to configure the two permissions separately. For example, you cannot make a shared folder private, under Simple File Sharing, unless the folder resides on an NTFS volume.

      To turn off Simple File Sharing for a stand-alone system, or for a computer that is a member of a workgroup, perform the following steps:

      1. Open a window in either My Computer or Windows Explorer.
      2. Click Tools|Folder Options from the menu.
      3. Click the View tab.
      4. Clear the Use Simple File Sharing (Recommended) checkbox under the Advanced Settings section.
      5. Click OK.

      NOTE

      The Shared Documents, Shared Pictures, and Shared Music folders are not available if the Windows XP Professional computer is a member of a Windows domain.

      Creating Shared Folders from My Computer or Windows Explorer

      To share a folder with the network with Simple File Sharing disabled, you can use My Computer or Windows Explorer and follow these steps:

      1. Open a window in either My Computer or Windows Explorer.
      2. Right-click the folder that you want to share and then select Sharing And Security from the pop-up menu.
      3. Click the Share This Folder button.
      4. Type in a Share Name or accept the default name. Windows XP uses the actual folder name as the default Share Name.
      5. Type in a Comment, if you desire. Comments appear in the Browse list when users search for network resources. Comments can help users to locate the proper network shares.
      6. Specify the User Limit: Maximum Allowed or Allow This Number Of Users. Windows XP Professional permits a maximum of 10 concurrent network connections per share. Specify the Allow This Number Of Users option only if you need to limit the number of concurrent users for this share to fewer than 10.
      7. Click OK to create the shared folder. The folder now becomes available to others on your network.

      NOTE

      To remove a network share, right-click the shared folder and choose the Sharing And Security option. Click the Do Not Share This Folder option button and click OK. The folder will no longer be shared with the network.

      CAUTION

      The Security tab of an NTFS folder’s properties dialog box is not displayed when Simple File Sharing is enabled and the computer is not a member of a Windows domain. To display the Security tab so that you can view and work with NTFS permissions for folders and files, open a window in My Computer or Windows Explorer and select Tools|Folder Options. Click the View tab and clear the checkbox entitled Use Simple File Sharing (Recommended).

      Please post back if you have any more problems or questions.

      • #2913132

        I know how to share a folder

        by 10925805 ·

        In reply to Re: Managing local share access

        Thanks for the trouble answering the question I asked. I think you missed the question. Let me clarify.

        I have a Windows XP workstation on the network. I need to prevent specific local users from adding new shares or editing existing shares. The user must have no rights to Sharing and Security.

        This user must have administrative privileges on the workstation, to run a specific application that needs administrative privileges.

        • #2913074

          local administrator group

          by rahouseholder ·

          In reply to I know how to share a folder

          Remove the local administrator group from the share’s permissions. Make sure at least one user or group has full rights to the share first. Only give access to the groups or users that need access to the share and limit their access to what they need, i.e., read only… This won’t stop someone who is determined to get into the share, but it will keep the average user out. If you’re logged in as the local admin, you can always take ownership of the folder to reset the permissions…

        • #2912965

          What application requires

          by ic-it ·

          In reply to I know how to share a folder

          administrative privileges to run? The best solution would be to determine the method to allow this application to be run as a limited or power user. Often times if you do a compare between the system prior to installation and then to the post installation state, you can then set permissions on required registry keys, dlls, folders, etc.

        • #2912955

          If I understand correctly,

          by kenone ·

          In reply to I know how to share a folder

          and I may well not.
          You have a user, we’ll call him/her User1
          You don’t want User1 to be able to access certain shares – Go into the share(s) and check Deny Access that trumps all.
          You don’t want User1 to create new shares – use group policy to block “Sharing and Security”.
          But if you give User1 Domain Admin or Enterprise Admin privileges it still won’t work.
          Did I understand? Am I barking at the wrong cat?

        • #2912426

          where in group policy

          by 10925805 ·

          In reply to If I understand correctly,

          Kenone

          You are on the right path to my solution. The PC is part of a workgroup, not domain. Can I set Local Policy to prevent user 1 from setting up and managing local shares?
          Where do I set this up?
          Thanks

        • #2912262

          So, you’re using “Simple File Sharing”?

          by kenone ·

          In reply to where in group policy

          I’m not real familiar with that as I do just about everything in a domain.
          Depending on the OS you’re using it’s usually in User Configuration\Administrative Templates\Network\*, MS keeps moving it around after that point. I’m not sure how it works anyway in a workgroup.
          Here’s an article with some good info;
          http://support.microsoft.com/kb/304040
          It might be easier to use a firewall to prevent file sharing.

        • #2911939

          I am using “Simple File Sharing”

          by 10925805 ·

          In reply to So, you’re using “Simple File Sharing”?

          I am using Simple File Sharing in a workgroup non-domain environment in Windows XP SP2. I need to prevent user X with local administrative privileges from accessing shared folders in computer management, or right clicking on a file or folder and accessing sharing and security.

    • #2912414

      Now here is a thought

      by rob miners ·

      In reply to Managing local share access

      option 1.

      http://techrepublic.com.com/5208-6230-0.html?forumID=101&threadID=268193&messageID=2540220

      < to add that you can only hope that the user doesn't get clever >

    • #2912345

      Only one application?

      by 1bn0 ·

      In reply to Managing local share access

      Can you determine exactly what files it is, that they need admin access to?

      We have several programs where I work that require full access to at least some files.

      Some of the programs we simply grant Full Access to Everyone.

      Some of the programs we grant read and modify to specific dll’s in the windows folder.

      NOBODY gets Local Admin access.

      We have a second site under a different domain (hope to integrate soon) where the users have always had Local Admin. We are currently in the process of reconfiguring a systemwide application with the express goal of being able to run the application without local admin so we can remove that access for regular users.

      Do some research.

      Find out what they need access to and grant it for those files and folders specifically.
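
The approach suggested in the replies by ic-it and 1bn0 (compare the system before and after installing the application, then grant rights only on the specific files and folders it needs) can be worked through as follows. This is an added example, not code from any poster in the thread: the application name "AcmeApp", the snapshot contents and hashes are constructed, the built-in Users group is an assumed target, and registry keys are not covered. It emits `cacls` commands, granting on a whole folder only when the installer created that folder and per file when the file sits in a pre-existing folder such as system32.

```python
import ntpath

# Constructed snapshots (path -> content hash) taken before and after installing
# a hypothetical application "AcmeApp"; assumes the snapshot covers the whole drive.
BEFORE = {
    r"C:\WINDOWS\system32\kernel32.dll": "a1",
    r"C:\WINDOWS\win.ini": "c3",
    r"C:\Program Files\Internet Explorer\iexplore.exe": "b2",
}
AFTER = {**BEFORE,
    r"C:\WINDOWS\system32\acmelic.dll": "d4",       # new file, existing folder
    r"C:\WINDOWS\win.ini": "c9",                    # modified by the installer
    r"C:\Program Files\AcmeApp\acme.exe": "e5",     # new folder tree
    r"C:\Program Files\AcmeApp\data\acme.db": "f6",
}

def diff_snapshots(before, after):
    """Return (added, modified) paths; Windows paths compare case-insensitively."""
    b = {p.lower(): h for p, h in before.items()}
    added = sorted(p for p in after if p.lower() not in b)
    modified = sorted(p for p, h in after.items() if b.get(p.lower(), h) != h)
    return added, modified

def _ancestors(path):
    """Yield parent folders, nearest first, stopping before the drive root."""
    d = ntpath.dirname(path)
    while ntpath.dirname(d) != d:
        yield d
        d = ntpath.dirname(d)

def grant_targets(before, after):
    """Return (folders, files): new folder trees collapse to their top folder."""
    added, modified = diff_snapshots(before, after)
    old_dirs = {a.lower() for p in before for a in _ancestors(p)}
    folders, files = set(), set(modified)
    for path in added:
        new = [a for a in _ancestors(path) if a.lower() not in old_dirs]
        if new:
            folders.add(new[-1])   # topmost folder the installer created
        else:
            files.add(path)        # never widen a pre-existing folder
    return sorted(folders), sorted(files)

def cacls_commands(before, after, group="Users"):
    """Build cacls calls: /E edits the ACL in place, /G grants, C = Change."""
    folders, files = grant_targets(before, after)
    return ([f'cacls "{d}" /T /E /G {group}:C' for d in folders] +
            [f'cacls "{f}" /E /G {group}:C' for f in files])
```

Review the generated list before applying it: files the application only reads, executables in particular, rarely need Change rights.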
