Windows file sharing is the quickest way to make data available to many users at once. Setting it up is also extremely easy. Unfortunately, Microsoft’s instructions for setting it up don’t provide much in the way of security. In this article, we’ll show you how to share a folder on a server and then configure security settings based best practices. This article assumes that you are familiar with creating Active Directory groups and modifying permissions.
In the sample task, we’ll be sharing a folder located on the C drive called “CGS Data” and setting security permissions based on best practices. The following method is used extensively by the DoD and other government organizations for controlling access to shared files.
File Sharing: Creating the Share
Most instructions on the web tell you to navigate to the folder you wish to share and then right-click and choose the share option. Those instructions aren’t really that great, nor do they provide a wizard that’s gives you good security control from the start. To do it right, you’ll want to start off by opening a computer management console. Click the start button (or windows logo) and type “compmgmt.msc” to bring up the console. Once the console is up, expand System Tools and then expand Shared Folders. Right-Click Shares and choose New Share:
Follow the wizard and browse to the folder you wish to share. Accept all the defaults until you reach the Shared Folder Permissions settings. By default, these settings are set to “All users have read-only access”. Instead of leaving this, select the radio button to “Administrators have full access; other users have no access” and click Finish.
Upon completion of the wizard, you’ll be directed back to the Computer Management Console. The shared folder creation is complete, and we can move onto the next step.
Create the Groups That Will Be Granted Access to the Share
Never add individual user accounts to the access control list on a folder. Always provide permissions through group memberships.
You can’t query a group to find out what resources it has access to. You must have perfect documentation if you’re going to add the same group to multiple folders. To make thing simpler, the best practice is to provide 2 unique groups for each resource that requires special security. One group will have read only permissions and the other will have the ability to make changes.
In our sample task, we’ll create a group called CGS Data Viewers and a group called CGS Data Admins. The name of the group matches the name of the share (CGS Data) and indicates what the permissions will be (Viewers vs. Admins). In the group description note at least 2 individuals that the IT department can go to for approval when an end-user requests access to the folder.
You accomplish 2 things by following these steps. First, you have a naming structure in your groups that removes the need for documentation of the group’s purpose. Secondly, by adding individuals for authorization requests, you’ve ensured that the IT department has the information needed to get approvals for access requests from end-users. The IT department makes the changes to permissions but should never be making the decision to give or take permissions away from an end user.
Types of Permissions
When it comes to file sharing in Windows, there are 2 different sets of permissions. The basic set of Share Permissions only have 3 available settings for each user or group in the access control list. The NTFS Permissions, on the other hand, are very customizable. It’s important to understand how Windows handles the combination of these permissions to determine what access, if any, a user has to a particular resource.
When a user attempts to access a shared folder, Windows first checks the Share Permission settings. If the user has access to the folder, that level of Share Permission access is then checked against the NTFS Permissions. In most (not all) cases, the most restrictive of the two becomes the effective permissions for that user. Here are a few examples of how this adds up:
|Share Permissions||NTFS Permissions||Effective Permissions|
|Full Control||Full Control||Full Control|
Use NTFS Permissions as the Limiting Factor
Share Permissions can be confusing to end-users when dealing with shared folders that are nested within other shared folders. Shared Permissions are ‘picked up’ and carried as a user moves through the file structure. A user may have to navigate to a resource via a specific path to ensure the right permissions have been carried through.
NTFS permissions, on the other hand, are absolute. They’re applied to the resource regardless of what the user has passed through to get to it. They also have controllable inheritance. Because of this difference, the granular ability to fine tune permissions using NTFS, and the Windows standard of using the most restrictive of the 2 security settings, the best practice is to leave the Share Permissions fully open. Provide full control to the local server Administrators group and then provide everyone else with Change and Read permissions.
File Sharing: Adjusting Share Permissions
Share permission settings are basic. Picking up from where we left off from within the Computer Management console, right-click the share and choose properties. Select the Share Permissions tab and what you’ll see is that the server’s local administrator group will have full control to the share and nothing else. In an enterprise environment, you should already have the Domain Admins and any other users/groups added to the local administrator group on the server that need to administer the system via the share.
You’ll want to add the local server Everyone group to the access control list, and allow both Change and Read access. The local server Everyone group includes exactly what it says – Everyone.
File Sharing: Setting NTFS Permissions
From the same properties window, set the NTFS Permissions in the Security tab. The local server Administrators group will already have Full Control. Other permissions may be inherited down from the folder’s parent. Use the Advanced menu to break the inheritance. Add both of the groups that were created earlier in the task. Give the CGS Data Viewers group Read & execute, list folder contents, and Read. Give the CGS Data Admins group everything that the Viewers group has plus Modify.
File Sharing: Wrapping it Up
We now have a folder fully configured according to security best practices. You’ll need to populate the groups with the individual user accounts who require access to the folder. Setting up proper security in Windows file sharing is one of the simpler tasks in keeping data safe. It’s also one of the most neglected areas in many environments.