Last updated on July 7th, 2024 at 10:51 am
Locking down your shared folders is important.
Windows file sharing is the quickest way to make data available to many users at once. Setting it up is also extremely easy. Unfortunately, Microsoft’s instructions for setting it up don’t provide much in the way of security. In this article, we’ll show you how to share a folder on a server and then configure security settings based on best practices. This article assumes that you are familiar with creating Active Directory groups and modifying permissions.
In the sample task, we’ll be sharing a folder located on the C drive called “CGS Data” and setting security permissions based on best practices. The following method is industry-standard for controlling access to shared files.
File Sharing: Creating the Share
Most instructions on the web tell you to navigate to the folder you wish to share and then right-click and choose the share option. Those instructions aren’t really that great, nor do they provide a wizard that gives you good security control from the start. To do it right, you’ll want to start off by opening a Computer Management console. Click the Start button (or Windows logo) and type “compmgmt.msc” to bring up the console. Once the console is up, expand System Tools and then expand Shared Folders. Right-click Shares and choose New Share.
Follow the wizard and browse to the folder you wish to share. Accept all the defaults until you reach the Shared Folder Permissions settings. By default, these settings are set to “All users have read-only access”. Instead of leaving this, select the radio button to “Administrators have full access; other users have no access” and click Finish.
Upon completion of the wizard, you’ll be directed back to the Computer Management console. The shared folder creation is complete, and we can move on to the next step.
Create the Groups That Will Be Granted Access to the Share
Never add individual user accounts to the access control list on a folder. Always provide permissions through group memberships.
You can’t query a group to find out what resources it has access to. You must have perfect documentation if you’re going to add the same group to multiple folders. To make things simpler, the best practice is to provide 2 unique groups for each resource that requires special security. One group will have read-only permissions and the other will have the ability to make changes.
In our sample task, we’ll create a group called CGS Data Viewers and a group called CGS Data Admins. The name of the group matches the name of the share (CGS Data) and indicates what the permissions will be (Viewers vs. Admins). In the group description note at least 2 individuals that the IT department can go to for approval when an end-user requests access to the folder.
You accomplish 2 things by following these steps. First, you have a naming structure in your groups that removes the need for documentation of the group’s purpose. Secondly, by adding individuals for authorization requests, you’ve ensured that the IT department has the information needed to get approvals for access requests from end-users. The IT department makes the changes to permissions but should never be making the decision to give or take permissions away from an end user.
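Because a group cannot be asked which resources it has been granted on, the lookup has to run the other way: walk the folders and read each ACL. The following is an added example, not part of the original article; the function name `Find-GroupAccess`, the root path and the `EXAMPLE` domain are placeholders.

```powershell
# Added example: list every folder under a root where a group holds an explicit
# (non-inherited) NTFS entry. Run with an account that can read the ACLs.
function Find-GroupAccess {
    param(
        [Parameter(Mandatory)] [string] $Root,      # top of the tree to scan
        [Parameter(Mandatory)] [string] $Identity   # e.g. 'EXAMPLE\CGS Data Viewers'
    )
    # Get-ChildItem -Recurse does not return the root itself, so add it first.
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }
        # Inherited entries are skipped: they are documented by the parent folder.
        $acl.Access |
            Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder = $folder.FullName
                    Rights = $_.FileSystemRights
                    Type   = $_.AccessControlType
                }
            }
    }
}

# Placeholder root and group name.
Find-GroupAccess -Root 'D:\Shares' -Identity 'EXAMPLE\CGS Data Viewers' | Format-Table -AutoSize
```

With one Viewers and one Admins group per share, each group should appear on exactly one folder; a second hit means the group has been reused somewhere it was not named for.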
Types of Permissions
When it comes to file sharing in Windows, there are 2 different sets of permissions. The basic set of Share Permissions has only 3 available settings for each user or group in the access control list. The NTFS Permissions, on the other hand, are very customizable. It’s important to understand how Windows handles the combination of these permissions to determine what access, if any, a user has to a particular resource.
When a user attempts to access a shared folder, Windows first checks the Share Permission settings. If the user has access to the folder, that level of Share Permission access is then checked against the NTFS Permissions. In most (not all) cases, the most restrictive of the two becomes the effective permissions for that user. Here are a few examples of how this adds up:
Share Permissions | NTFS Permissions | Effective Permissions |
---|---|---|
Full Control | Modify | Modify |
Read | Modify | Read |
Full Control | Full Control | Full Control |
Use NTFS Permissions as the Limiting Factor
Share Permissions can be confusing to end-users when dealing with shared folders that are nested within other shared folders. Share Permissions are ‘picked up’ and carried as a user moves through the file structure. A user may have to navigate to a resource via a specific path to ensure the right permissions have been carried through.
NTFS permissions, on the other hand, are absolute. They’re applied to the resource regardless of what the user has passed through to get to it. They also have controllable inheritance. Because of this difference, the granular ability to fine tune permissions using NTFS, and the Windows standard of using the most restrictive of the 2 security settings, the best practice is to leave the Share Permissions fully open. Provide full control to the local server Administrators group and then provide everyone else with Change and Read permissions.
File Sharing: Adjusting Share Permissions
Share permission settings are basic. Picking up from where we left off from within the Computer Management console, right-click the share and choose properties. Select the Share Permissions tab and what you’ll see is that the server’s local administrator group will have full control to the share and nothing else. In an enterprise environment, you should already have the Domain Admins and any other users/groups added to the local administrator group on the server that need to administer the system via the share.
You’ll want to add the local server Everyone group to the access control list, and allow both Change and Read access. The local server Everyone group includes exactly what it says – Everyone.
File Sharing: Setting NTFS Permissions
From the same properties window, set the NTFS Permissions in the Security tab. The local server Administrators group will already have Full Control. Other permissions may be inherited down from the folder’s parent. Use the Advanced menu to break the inheritance. Add both of the groups that were created earlier in the task. Give the CGS Data Viewers group Read & execute, list folder contents, and Read. Give the CGS Data Admins group everything that the Viewers group has plus Modify.
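The whole walkthrough (groups, share, share permissions, NTFS permissions) can also be scripted. This is an added example, not from the original article. It assumes the ActiveDirectory module is available on the server, uses `EXAMPLE` as a placeholder domain name, and discards inherited NTFS entries when breaking inheritance; the SYSTEM entry is likewise an assumption the article does not mention.

```powershell
# Added example: scripted version of the GUI walkthrough. Run elevated on the file server.
Import-Module ActiveDirectory

$Path      = 'C:\CGS Data'
$ShareName = 'CGS Data'
$Domain    = 'EXAMPLE'                 # placeholder NetBIOS domain name
$Viewers   = 'CGS Data Viewers'
$Admins    = 'CGS Data Admins'

# 1. Two groups named after the share; the approvers go in the description.
foreach ($group in $Viewers, $Admins) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security `
        -Description 'Access approvers: <approver 1>, <approver 2>'   # placeholders
}

# 2. Share permissions left open: Administrators Full Control, Everyone Change
#    (Change includes Read). NTFS is the limiting factor.
New-SmbShare -Name $ShareName -Path $Path `
    -FullAccess 'BUILTIN\Administrators' -ChangeAccess 'Everyone' | Out-Null

# 3. NTFS: break inheritance, discard inherited entries, add explicit entries.
#    If Set-Acl cannot resolve the new groups, wait for AD replication and rerun.
$acl = Get-Acl -LiteralPath $Path
$acl.SetAccessRuleProtection($true, $false)
$grants = [ordered]@{
    'BUILTIN\Administrators' = 'FullControl'
    'NT AUTHORITY\SYSTEM'    = 'FullControl'      # assumption: not in the article
    "$Domain\$Viewers"       = 'ReadAndExecute'   # Read & execute, List folder contents, Read
    "$Domain\$Admins"        = 'Modify'
}
foreach ($identity in $grants.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $grants[$identity], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $Path -AclObject $acl

# 4. Verify both layers: no individual user accounts, nothing inherited.
Get-SmbShareAccess -Name $ShareName
(Get-Acl -LiteralPath $Path).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited
```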
File Sharing: Wrapping it Up
We now have a folder fully configured according to security best practices. You’ll need to populate the groups with the individual user accounts who require access to the folder. Setting up proper security in Windows file sharing is one of the simpler tasks in keeping data safe. It’s also one of the most neglected areas in many environments.
Sharif Jameel is a business owner, IT professional, runner, & musician. His professional certifications include CASP, Sec+, Net+, MCSA, & ITIL and others. He’s also the guitar player for the Baltimore-based cover bands, Liquifaction and Minority Report.
For Windows Server 2008 up, what do you think about the practice of always creating the share with only the Everyone group as Full Control, then handling all the granular level stuff on the folder security? This most likely will reduce the complexity you have added to the share and instead only have it at the folder security level. Achieves the same thing you lay out but much easier in my opinion and maybe more reliable because of less chance of stepping on share vs security settings conflict.
When I went to IT school many years ago, your method was how they actually taught us to do it. And in most cases, it would be fine to do it your way. The only real difference between Full Control and Modify is that Full Control provides ability to change the permissions of other users – there’s zero chance you’d want the Everyone group to have that level of permission. By limiting Full Control at the share level, you really ensure that even if you accidentally give a group or user Full Control at the NTFS level, they won’t have it if they’re passing through the share. If you’re adhering to the principle of least privilege, then the way I’ve enumerated it in the article is the ‘more correct’ method and the only method acceptable in highly secure environments such as the DoD.
You can see the actual DoD rule at https://stigviewer.com/stig/microsoft_windows_server_2019/2022-09-06/finding/V-205721
Windows is prime when sharing files however for secure file sharing over a regular web browser you will require a personal web server like File Sharing Pro from PCWinSoft. You import the documents, images, videos, and music to share, set up authentication credentials, start the server and invite your users. The program secures your files under Windows native security. If you want to securely share files over the Internet File Sharing Pro is your ticket.
I would like to try to understand something about file shares if you can elaborate, as it is something I am struggling with in managing a file share.
We are trying to do it using the share wizard, and even done it the way you suggest, but the problem I am running into is that whenever I create the share using the wizard, it wants to put the share in the root of the server, such as this.
\\server\share
Except that I want the remote path to be \\server\folder\share. The wizard won’t let me do it either way. Is there a way to do that properly without compromising security?
Thanks for taking the time to read through the article. In reference to your question, \\server\share is how shared folders work across the board. I don’t believe there’s a way to change that. One of the points of creating a share is that users don’t have to navigate multiple folders to get to their destination and you can make the folders upstream almost invisible to them. It also allows them to map network drives (or create shortcuts) in a way that allows you, as an administrator, to move shares around within the file structure without breaking those mappings. If your ultimate goal is to have the user go to \\server\folder\share then you’d actually have to make ‘folder’ the share and then control permissions on the subfolder independently if your security posture required it.
As an example, let’s say you have a folder on the C drive of a Windows Server located at C:\OneTwo\ThreeFour\FiveSix and you want to share it out so that users need to go to \\server\ThreeFour\FiveSix then you’d use the Share Wizard to create a share called ThreeFour and it would be mapped to C:\OneTwo\ThreeFour. If you have multiple folders under ThreeFour, you could break security inheritance and then set them all with their own permissions. Shares created for large groups are frequently managed this way.