Last updated on May 12th, 2021 at 09:18 am

Locking down your shared folders is important.


Windows file sharing is the quickest way to make data available to many users at once. Setting it up is also extremely easy. Unfortunately, Microsoft’s instructions for setting it up don’t provide much in the way of security. In this article, we’ll show you how to share a folder on a server and then configure security settings based on best practices. This article assumes that you are familiar with creating Active Directory groups and modifying permissions.

In the sample task, we’ll be sharing a folder located on the C drive called “CGS Data” and setting security permissions based on best practices. The following method is industry-standard for controlling access to shared files.

File Sharing: Creating the Share

Most instructions on the web tell you to navigate to the folder you wish to share and then right-click and choose the share option. Those instructions aren’t really that great, nor do they provide a wizard that gives you good security control from the start. To do it right, you’ll want to start off by opening a Computer Management console. Click the Start button (or Windows logo) and type “compmgmt.msc” to bring up the console. Once the console is up, expand System Tools and then expand Shared Folders. Right-click Shares and choose New Share:

Creating a new share from the Computer Management Console

Follow the wizard and browse to the folder you wish to share. Accept all the defaults until you reach the Shared Folder Permissions settings. By default, these settings are set to “All users have read-only access”. Instead of leaving this, select the radio button to “Administrators have full access; other users have no access” and click Finish.

Upon completion of the wizard, you’ll be directed back to the Computer Management Console. The shared folder creation is complete, and we can move onto the next step.

Create the Groups That Will Be Granted Access to the Share

Never add individual user accounts to the access control list on a folder. Always provide permissions through group memberships.

You can’t query a group to find out what resources it has access to. You must have perfect documentation if you’re going to add the same group to multiple folders. To make things simpler, the best practice is to provide 2 unique groups for each resource that requires special security. One group will have read-only permissions and the other will have the ability to make changes.

In our sample task, we’ll create a group called CGS Data Viewers and a group called CGS Data Admins. The name of the group matches the name of the share (CGS Data) and indicates what the permissions will be (Viewers vs. Admins). In the group description note at least 2 individuals that the IT department can go to for approval when an end-user requests access to the folder.

You accomplish 2 things by following these steps. First, you have a naming structure in your groups that removes the need for documentation of the group’s purpose. Secondly, by adding individuals for authorization requests, you’ve ensured that the IT department has the information needed to get approvals for access requests from end-users. The IT department makes the changes to permissions but should never be making the decision to give or take permissions away from an end user.
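The reverse lookup described above (which shares does a group appear on?) is not something Active Directory answers for you, but it can be reconstructed by walking the shares on each file server. The following script is an added example and is not code from the article; it audits every non-administrative SMB share on the server it runs on, flags share-level and NTFS entries granted directly to user accounts (the rule the article sets), lists every share on which a given group appears, and flags shares where Everyone holds more than Change at the share level. It assumes a domain-joined file server with the built-in SmbShare module and RSAT’s ActiveDirectory module; the default group name is the article’s sample, and the helper name Test-IsUserAccount is the example’s own.

```powershell
#Requires -Modules SmbShare, ActiveDirectory
# Added example (not the article's own code): audit the SMB shares on this
# server against the article's rules. Assumes a domain-joined file server.

param(
    [string]$GroupToFind = 'CGS Data Viewers'   # the article's sample group
)

$Domain = (Get-ADDomain).NetBIOSName

# True when an ACE identity such as 'CONTOSO\jdoe' resolves to a user object.
# Local and built-in principals (BUILTIN\..., NT AUTHORITY\..., Everyone) are
# never flagged: they are groups or well-known identities, not people.
function Test-IsUserAccount {
    param([string]$Identity)
    $parts = $Identity -split '\\', 2
    if ($parts.Count -ne 2 -or $parts[0] -ne $Domain) { return $false }
    $obj = Get-ADObject -Filter "SamAccountName -eq '$($parts[1])'" -ErrorAction SilentlyContinue
    return ($null -ne $obj -and $obj.ObjectClass -eq 'user')
}

# One record per ACE, tagged with the layer (share or NTFS) it came from.
$entries = foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        [pscustomobject]@{
            Share = $share.Name; Layer = 'Share'; Identity = $ace.AccountName
            Rights = [string]$ace.AccessRight; Type = [string]$ace.AccessControlType; Path = $share.Path
        }
    }
    try {
        foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
            [pscustomobject]@{
                Share = $share.Name; Layer = 'NTFS'; Identity = $ace.IdentityReference.Value
                Rights = [string]$ace.FileSystemRights; Type = [string]$ace.AccessControlType; Path = $share.Path
            }
        }
    } catch {
        Write-Warning "Cannot read NTFS ACL on $($share.Path): $($_.Exception.Message)"
    }
}

"`n== ACEs granted directly to user accounts (should be empty) =="
$entries | Where-Object { Test-IsUserAccount $_.Identity } |
    Format-Table Share, Layer, Identity, Rights, Type -AutoSize

"`n== Shares on which $Domain\$GroupToFind appears =="
$entries | Where-Object { $_.Identity -eq "$Domain\$GroupToFind" } |
    Format-Table Share, Layer, Rights, Type, Path -AutoSize

"`n== Share-level grants to Everyone above Change (the article recommends Change) =="
$entries | Where-Object { $_.Layer -eq 'Share' -and $_.Identity -eq 'Everyone' -and $_.Rights -eq 'Full' } |
    Format-Table Share, Rights, Path -AutoSize
```

Run it on each file server (for example from a scheduled task that writes the output to a central location) and the first table is the list of exceptions to the “groups only” rule that need cleaning up; the second is the documentation the article says you would otherwise have to maintain by hand.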

Types of Permissions

When it comes to file sharing in Windows, there are 2 different sets of permissions. The basic set of Share Permissions has only 3 available settings for each user or group in the access control list. The NTFS Permissions, on the other hand, are very customizable. It’s important to understand how Windows handles the combination of these permissions to determine what access, if any, a user has to a particular resource.

When a user attempts to access a shared folder, Windows first checks the Share Permission settings. If the user has access to the folder, that level of Share Permission access is then checked against the NTFS Permissions. In most (not all) cases, the most restrictive of the two becomes the effective permissions for that user. Here are a few examples of how this adds up:

Share Permissions | NTFS Permissions | Effective Permissions
Full Control      | Modify           | Modify
Full Control      | Full Control     | Full Control

Use NTFS Permissions as the Limiting Factor

Share Permissions can be confusing to end-users when dealing with shared folders that are nested within other shared folders. Share Permissions are ‘picked up’ and carried as a user moves through the file structure. A user may have to navigate to a resource via a specific path to ensure the right permissions have been carried through.

NTFS permissions, on the other hand, are absolute. They’re applied to the resource regardless of what the user has passed through to get to it. They also have controllable inheritance. Because of this difference, the granular ability to fine tune permissions using NTFS, and the Windows standard of using the most restrictive of the 2 security settings, the best practice is to leave the Share Permissions fully open. Provide full control to the local server Administrators group and then provide everyone else with Change and Read permissions.

File Sharing: Adjusting Share Permissions

Share permission settings are basic. Picking up from where we left off within the Computer Management console, right-click the share and choose Properties. Select the Share Permissions tab and you’ll see that the server’s local Administrators group has Full Control to the share and nothing else. In an enterprise environment, Domain Admins and any other users or groups that need to administer the system through the share should already be members of the server’s local Administrators group.

You’ll want to add the local server Everyone group to the access control list, and allow both Change and Read access. The local server Everyone group includes exactly what it says – Everyone.

File Sharing: Setting NTFS Permissions

From the same properties window, set the NTFS Permissions in the Security tab. The local server Administrators group will already have Full Control. Other permissions may be inherited down from the folder’s parent. Use the Advanced menu to break the inheritance. Add both of the groups that were created earlier in the task. Give the CGS Data Viewers group Read & execute, list folder contents, and Read. Give the CGS Data Admins group everything that the Viewers group has plus Modify.
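The whole procedure above (create the share with Administrators only, create the two groups, open the Share Permissions to Everyone Change, then break NTFS inheritance and grant only the two groups) can be scripted so that every share on every server comes out the same way. The following is an added example written for this article, not the article’s or Microsoft’s own code. It assumes the built-in SmbShare module and RSAT’s ActiveDirectory module, that it runs on the file server as an account allowed to create AD groups, and that the OU and approver names are placeholders to replace; the domain-local group scope and the SYSTEM Full Control entry are the example’s own choices and are labelled as such in the comments.

```powershell
#Requires -Modules SmbShare, ActiveDirectory
# Added example (not the article's own code): provision the article's sample
# "CGS Data" share with PowerShell instead of the wizard, following the same
# steps. Assumes a domain-joined file server; the OU and approver names below
# are placeholders.

$FolderPath = 'C:\CGS Data'
$ShareName  = 'CGS Data'
$ViewersGrp = 'CGS Data Viewers'
$AdminsGrp  = 'CGS Data Admins'
$GroupOU    = 'OU=Resource Groups,DC=example,DC=local'                       # placeholder OU
$Approvers  = 'Access approvers: Jane Doe (Finance), John Roe (Finance)'     # placeholder names
$Domain     = (Get-ADDomain).NetBIOSName

# Step 1: the folder to be shared.
if (-not (Test-Path -LiteralPath $FolderPath)) {
    New-Item -ItemType Directory -Path $FolderPath | Out-Null
}

# Step 2: a Viewers group and an Admins group named after the share, with the
# approvers recorded in the description. Domain-local scope is this example's
# assumption; use whatever scope your group design calls for.
foreach ($name in @($ViewersGrp, $AdminsGrp)) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security `
                    -Path $GroupOU -Description $Approvers
    }
}

# Step 3: create the share with Administrators (Full Control) only, as the
# wizard's "Administrators have full access; other users have no access" does,
# then add Everyone with Change so that NTFS becomes the limiting factor.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $FolderPath -FullAccess 'BUILTIN\Administrators' | Out-Null
}
Grant-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -AccessRight Change -Force | Out-Null

# Step 4: NTFS permissions. Break inheritance and discard the inherited ACEs so
# nothing from the parent (for example a "Users" read entry) survives, then
# grant exactly the entries the article lists. ReadAndExecute is the .NET name
# for the GUI's "Read & execute, List folder contents, Read" trio, and Modify
# includes it. The SYSTEM entry is this example's addition so that backup and
# service accounts running as SYSTEM keep working.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$grants = @(
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl'    },
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl'    },
    @{ Identity = "$Domain\$ViewersGrp";    Rights = 'ReadAndExecute' },
    @{ Identity = "$Domain\$AdminsGrp";     Rights = 'Modify'         }
)

$acl = Get-Acl -LiteralPath $FolderPath
$acl.SetAccessRuleProtection($true, $false)   # $true = stop inheriting; $false = do not copy inherited ACEs
foreach ($g in $grants) {
    # Throws IdentityNotMappedException if the new groups have not replicated
    # to the domain controller this server is talking to yet; rerun later.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Identity, $g.Rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $FolderPath -AclObject $acl

# Show both layers so the result can be compared with the article's table.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight, AccessControlType -AutoSize
(Get-Acl -LiteralPath $FolderPath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Discarding rather than converting the inherited entries is the safer default here: converting keeps whatever the parent folder granted (often a broad read entry), which silently undermines the two-group design the article describes. The final two commands print the share ACL and the NTFS ACL side by side, which is the quickest way to confirm that the most restrictive layer is the NTFS one.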

File Sharing: Wrapping it Up

We now have a folder fully configured according to security best practices. You’ll need to populate the groups with the individual user accounts who require access to the folder. Setting up proper security in Windows file sharing is one of the simpler tasks in keeping data safe. It’s also one of the most neglected areas in many environments.

Sharif Jameel is a business owner, IT professional, runner, & musician. His professional certifications include CASP, Sec+, Net+, MCSA, & ITIL and others. He’s also the guitar player for the Baltimore-based cover bands, Liquifaction and Minority Report.

4 thoughts on “File Sharing on Windows: Best Practices for the Enterprise – Security”

  1. Pingback: Privilege Creep: Prevention & Correction - Website Design Baltimore | SEO Baltimore | CGS Computers

  2. Alessandro Ferri

    Windows is prime when sharing files however for secure file sharing over a regular web browser you will require a personal web server like File Sharing Pro from PCWinSoft. You import the documents, images, videos, and music to share, set up authentication credentials, start the server and invite your users. The program secures your files under Windows native security. If you want to securely share files over the Internet File Sharing Pro is your ticket.

  3. I would like to try to understand something about file shares if you can elaborate, as it is something I’m struggling with in managing a file share.

    We are trying to do it using the share wizard, and have even done it the way you suggest, but the problem I am running into is that whenever I create the share using the wizard, it wants to put the share in the root of the server, such as this.


    Except that I want the remote path to be \\server\folder\share. The wizard won’t let me do it either way. Is there a way to do that properly without compromising security?

    1. Thanks for taking the time to read through the article. In reference to your question, \\server\share is how shared folders work across the board. I don’t believe there’s a way to change that. One of the points of creating a share is that users don’t have to navigate multiple folders to get to their destination and you can make the folders upstream almost invisible to them. It also allows them to map network drives (or create shortcuts) in a way that allows you, as an administrator, to move shares around within the file structure without breaking those mappings. If your ultimate goal is to have the user go to \\server\folder\share then you’d actually have to make ‘folder’ the share and then control permissions on the subfolder independently if your security posture required it.

      As an example, let’s say you have a folder on the C drive of a Windows Server located at C:\OneTwo\ThreeFour\FiveSix and you want to share it out so that users need to go to \\server\ThreeFour\FiveSix then you’d use the Share Wizard to create a share called ThreeFour and it would be mapped to C:\OneTwo\ThreeFour. If you have multiple folders under ThreeFour, you could break security inheritance and then set them all with their own permissions. Shares created for large groups are frequently managed this way.
