Wednesday, May 24, 2006

Windows XP Professional File Sharing

By Ron Lowe and Steve Winograd

One of the handy features of Windows XP (and Windows 2000, for that matter) compared to earlier Windows versions like 95/98/Me is its support for user-level security, which gives you fine control over who can access what information on a system. In this article, we'll show you how to set up your Windows XP Professional computer so you can share files and folders with other Windows computers on a network, while making sure that only desired users have access.

In Windows 95/98/Me, you share data by assigning a password to a shared folder, and anyone that knows the password can gain access to the data. That may be adequate in a small home network where, for example, Mom and Dad know the password to the family's financial data, but Junior doesn't. But it isn't practical in a network with lots of potential users, since it's hard to keep a password secret among a large group of people.

Windows XP Professional replaces password-based security with two alternatives:

  • Simple File Sharing is enabled by default on Windows XP Professional systems that are members of a workgroup (typically used in small networks) rather than a domain (typically used in large corporate networks). For full details, see our article on Simple File Sharing. There are no passwords or access restrictions and, with one exception described in the article, everything that's shared is accessible by everyone on the network. Simple File Sharing is the only type of sharing available in Windows XP Home Edition.
  • By disabling Simple File Sharing, you can specify an Access Control List (ACL) for each shared disk or folder. Using an ACL gives you much greater control over shared data, since it lets you determine the specific users that will have access as well as the level of access they will receive.

We'll show you how to configure Windows XP Professional to:

To illustrate the concepts, we'll:

  • Create user accounts for four people: Alasdair, Fraser, Iona, and Catriona;
  • Create shared folders called Girlstuff, Boystuff, and Kidstuff, which will allow different levels of access to different people. Boystuff will be accessible to Alasdair and Fraser, Girlstuff will be accessible to Iona and Catriona, and Kidstuff will be accessible to them all;
  • See how the users access the shared folders.

Finally, we'll show you how to access Windows XP Professional's shared disks and folders from another client computer on the network, adding some information about file permissions in the NTFS file system, and giving solutions for some common network access problems.

WinXP Pro File Sharing

Disable Simple File Sharing

Disabling Simple File Sharing is necessary in order to enable the creation of Access Control Lists for shared disks and folders:

  1. Click Start | My Computer | Tools | Folder Options | View.
  2. Scroll to the bottom of the list of advanced settings and un-check Use Simple File Sharing (Recommended).
  3. Click OK.

Create User Accounts

There are a couple of ways to create user accounts, but let's start simply by clicking Start | Control Panel | User Accounts. We'll describe a more comprehensive method later.

You'll see all of the existing accounts on the computer. You probably created these when you installed Windows XP. You'll also see the Guest account. It may or may not be enabled, depending on whether you have previously enabled Simple File Sharing.

Click Create a new account, and enter the new user's name. Here, we're creating an account for Alasdair:

Click Next, and choose the account type. This determines (rather simplistically) which group the user will be placed in. There's generally no good reason to grant remote users Computer administrator privileges, so select Limited, and then click Create Account. The new account appears in the User Accounts window.

Repeat as required until all of the desired user accounts are created.

User Accounts: Password or No Password?

By default, a user account is created with no password. This means the user may sit down locally at the XP machine and log on without entering a password.

However, by default, Windows XP will not permit a network user to access the XP machine using an account set up without a password!

You have two options on how to proceed from here:

  • If you want any degree of security, assign user passwords. This will, however, require the users to log on to their client machines using a password.
  • Many people prefer to set up their Windows 95/98/Me machines using Windows Logon and no password, so the machine boots directly to the Windows desktop without a logon prompt. In this case, you need to make a Security Policy modification on the XP Professional machine to permit users without passwords to connect from the network.

Taking each option in turn:

Adding a Password to a User Account

In Control Panel | User Accounts, click the desired account, and then click Create a password. Enter the password, and then enter it again to confirm it. Enter a password hint if you'd like – a user who forgets the password can look at the hint at the logon screen as a memory aid. Then click Create Password to make it take effect.

In the User Accounts menu in Control Panel, the user account now shows as being Password protected:

The user must now log on to his or her local computer using that password.

Permitting Network Access Without a Password

To allow users to log onto their computers without a password and then access the XP Professional machine without a password, you must make a security policy change:

  1. Go to Control Panel | Performance and Maintenance | Administrative Tools | Local Security Policy.
  2. Expand Local Policies | Security Options.
  3. Double-click Accounts: Limit local account use of blank passwords to console login only, which is enabled by default. Disable this option and click OK.

This will permit network access without a password. The user's computer can boot directly to the Windows desktop, and be validated against the corresponding XP Professional user account, without a password.

Note that the term “blank passwords” isn't technically accurate. There's a difference between having a password which consists of one or more blank characters, and having no password at all. This setting actually permits access by users who have no password at all.

Power User Tip: If you want to explore user accounts in the raw:

  1. Click Start | Control Panel | Performance and Maintenance | Administrative Tools | Computer Management.
  2. Open the Local Users and Groups folder, and open the Users folder.

Here are your user accounts! You can fine-tune their settings from here or create new users using the Action | New User menu option!

Create User Groups

You may wish to group users together for administrative convenience. For example, a university might define groups of users called Staff and Students. Settings that you make for a group automatically apply to all of the users in the group, so you don't have to make the same settings individually for each user.

You can create as many groups as you like, include any number of users in each group, and include each user in any number of groups. Here's an example of creating a new group:

  1. From the Computer Management window, open System Tools | Local Users and Groups | Groups;
  2. Select Action | New Group;
  3. Give the new group a name and description;
  4. Click Add to add users to the new group.
  5. In the Select Users window, set the Object Type to Users and click OK. The Location should show the name of your computer.
  6. Click Advanced, and then click Find Now to see a list of user accounts.
  7. Select the users who you wish to be members of the new group. You can make multiple selections by holding down Ctrl whilst clicking.
  8. Click OK twice.

Click Create to create the new group. It can now be added to shares, the same way as individual users.

Create Shares

In this example, we've used Windows Explorer to browse to the root directory of the C: drive. In the right-hand pane, we right-click, select New | Folder, and enter the name Boystuff. Similarly, we create folders called Girlstuff and Kidstuff.

To specify sharing options for the Boystuff folder:

  1. Right-click the folder and select Sharing and Security.
  2. On the Sharing tab, select Share this folder and enter a share name.
  3. Add a comment if desired. This comment describes the share and appears in My Network Places on other computers.
  4. Leave the User limit alone. On XP Professional, the maximum limit is 10.

Set Up Access Control Lists on the Shares

Click Permissions. Notice how, by default, the Everyone group has Full Control. This means that all users can read, write, and even delete files. That's not what we want at all!

To change the share permissions:

  1. Click Add, and then choose Object Types.
  2. Un-check Built-in security principals and Groups, because we only want to see Users.
  3. Click OK. From this location should show the name of your computer.
  4. Choose Advanced, and click Find Now.
  5. Click on the users who should have access to this share.

Power User Tip: Ctrl-Click allows you to make multiple selections!

Click OK, and the users are added:

You may repeat this to add additional users. When done, click OK.

You're now back at the ACL editor. By default, the newly-added users have read-only access. If you want them to have read/write access, then tick the Change box. You need to do this for each user! Select each user in the list in turn, and specify Change permission. Don't give limited users Full Control.

To prevent Guest access to this share, we must remove the Everyone group! Select it, and click Remove.

The ACL is now as we want it: Boystuff is only accessible by Alasdair and Fraser. Click OK to close the ACL permissions window.

Then click OK to close the share properties. Now, only the specified users can access the shared folder!

Right-click the Girlstuff folder, then repeat the procedure above to give Iona and Catriona Change permission for the share. Remember to remove the Everyone group!

Finally, right-click the Kidstuff folder, and repeat the procedure to give all the kids Change permission for the share. Again, remember to remove the Everyone group.

The share permissions are now set up on the XP Professional machine.

NTFS Permissions

The Access Control List is a tool for protecting network shares, but it doesn't stop someone from walking up to the computer, logging in, and looking at the files on the computer. Share permission and ACLs don't apply to a user who logs in locally. To keep files private from other local users, Windows XP provides a different mechanism. You can assign permissions to individual files and folders at file system level. This is called File Permissions, and it's only available on NTFS volumes. You can't set File Permissions on FAT volumes.

By default, Windows XP uses File Permissions only in the Documents and Settings folder, to keep each user's documents private from other users. When a user logs on locally for the first time, his 'Home Directory' is created within the Documents and Settings folder. The default settings for all of the folders and files in each user's My Documents folder are:

  • The owner of the file or folder has read and write permission;
  • Local Computer Administrators have read and write permission;
  • Nobody else may read or write to the folder or the files in it.

Notice that Administrators can look into the user's My Documents folder. Be aware that any user accounts that you created when you installed XP are Administrator accounts, and that they can all look into each other's My Documents folders! Individual users may step up the security a notch to remove Administrators from the list. Then, only that individual user can access his or her own files. When a user with an Administrator account sets a password on the account, Windows XP automatically prompts the user to step up the security on My Documents. It's then called Private.

In order to access shared data, a user connecting from the network needs to get past both gatekeepers:

  • The ACL must allow access to the share;
  • The NTFS File Permissions must allow access to the file.

Having set up the share permissions, do we now need to do anything with NTFS permissions?

The short answer is 'It Depends'.

If the shared folder is contained within Documents and Settings (e.g. the My Documents folder), then you might. This is because Windows XP sets NTFS permissions within this folder structure to prevent users from accessing each other's data. It depends on whether the user accounts are Limited or Administrators, and it also depends on whether the shared folder has been previously marked as Private.

If you created a folder structure elsewhere, then you most likely do not need to do anything more. The necessary permissions will be 'inherited', ultimately from the root folder, e.g. C:\.

In the example we've used so far, we don't need to do any further configuration for everything to work.

Power User Information: To see why, look at the NTFS permissions. Run Windows Explorer, and browse to c:\Boystuff. Right-click the folder and select Sharing and Security. Go to the Security tab and look at the list. Note that the permissions are additive. Apart from yourself and Administrators, how can the users Alasdair and Fraser access the data in this share? It looks like they are not included on the NTFS permissions!

The answer is due to their membership in the Users group.

Click the Users group to see what permissions it has.

They seem to have Read-only access. Yet, if you try it, they have Write access, too! How can this be?

Scroll down, and see they have 'Special' permissions. This is gray, indicating they've inherited this permission from a parent folder.

What, pray tell, is Special Permission? Click Advanced to see. In the Permission entries window, double-click Allow Users(RONS-PC\Users) Special Inherited From C:\. You'll see that it has inherited Write permission from the Root folder:

Connecting to a Share from a Client Computer

When a user on another computer on the network attempts to access a shared disk or folder, Windows XP Professional checks to see whether that user has permission to access it. The client computer sends the user name and password of the user who is currently logged in, and the XP Professional computer checks them. If those 'credentials' match an account on XP Professional, then it checks the ACL for the shared disk or folder. If the ACL permits access by that user, access is granted; if not, access is denied.

On a client running Windows 95, 98, or Me, that's the whole story. The user must be logged in with a user name and password that XP Professional recognizes.

On a client running Windows 2000 or XP, there's more to the story. If XP Professional doesn't recognize the logged-in user name and password, it causes the client computer to prompt the user to enter a different user name and password.

Connecting to a Share from Windows 95, 98, or Me

The following shows how to connect to a shared disk or folder from a computer running Windows 95, 98, or Me, and also shows some of the more common error conditions which can occur. In this example, the client computer is running Windows 98 Second Edition.

Under Windows 95/98/Me, you can set the Primary Network Logon to Windows Logon, and all of the networking features described here will function correctly. The only situation in which the Primary Network Logon must be set to Client for Microsoft Networks is to log on to a Windows NT server or a Windows 2000 server.

The most important thing is to understand that everything is keyed to the user name. When you boot up the client machine, you need to get logged in with the correct user name.

Many Windows 95/98/Me machines are configured to boot all the way through to the Windows desktop without the user actually performing a login. If this is the case, click the Start button, and look at the Log Off menu option. It will show you what user name is currently logged on. If it isn't correct, then click Log Off and log back on under the correct user name. If the XP Professional account was set up with a password, then you must enter that password at the Windows logon prompt. If you configured XP to permit 'blank' password authentication, then you may click OK without entering a password.

Now, you ought to be able to browse the network by double-clicking Network Neighborhood (or My Network Places).

If you get an error at this stage, you're most likely not logged on. See the Troubleshooting section for how to proceed.

You can now browse the contents of the XP Professional machine by double-clicking it.

If the list of shares appears, then all is well. However, a common failure at this point is to be asked for the IPC$ password. This happens because the XP Professional machine is not satisfied with the credentials of the user attempting to browse it. See the Troubleshooting section for how to proceed.

You may now look in the individual shares. If all is well, you'll see the shares that the user has permissions for, yet you ought to get an Access Denied error (below) if you attempt to access other shares. In this example, we're logged in as Fraser and can access the Boys' stuff, but not the Girls' stuff (right).

Connecting to a Share from Windows 2000 or XP

If Windows XP Professional doesn't recognize the user name and password presented by a Windows 2000 or XP computer which wants to access a share, you can enter different credentials. Here, we're logged on to another Windows XP computer as a user who doesn't have an account on the computer named RONS-PC. Entering a valid user name and password grants access.

Sharing folders in My Documents

In this example, we cover the situation where you need to consider NTFS permissions as well as share permissions.

The situation described here will only occur if either of the following conditions is true:

  • You created the user accounts as Limited accounts;
  • You've previously used Simple File Sharing to mark My Documents as Private.

In either of these cases, you'll run into NTFS permission problems. However, if you created the user accounts as Administrator accounts, and the My Documents folder has not been marked as Private, then no further action is necessary, since Administrators have NTFS access to default (non-Private) My Documents folders.

We're logged on to the XP machine as Ron and wish to share the My Documents folder across the network to the girls, Iona and Catriona.

We use Windows Explorer, browse to My Documents, right-click, and look for Sharing and Security. It's missing! Presumably, you're only expected to share sub-folders of My Documents. The option is present on My Music, My Pictures, etc.

If you really want to share the whole My Documents folder, you still can: right-click it and select Properties to see the Sharing and Security tabs.

We give it a share name (names containing blanks can cause problems, so we've made it My-Documents). In the Permissions button, we add Iona and Catriona with Read and Change permission, and remove everyone, as before.

Now to test it!

  • We log on to a client PC as Iona.
  • We can browse Network Neighbourhood.
  • We can browse the XP computer.
  • We have access to Girlstuff, as expected.
  • We have Access Denied to Boystuff, as expected.

But when we try to access My-Documents, we get an error message!

What happened? We gave Iona permission to access the share, so why was she not allowed?

Remember that a network user has to get past both gatekeepers? Well, Iona got past the share permissions level, only to be blocked at the NTFS permissions level.

Remember also that XP Professional sets up NTFS permissions on the My Documents folder and that we created the users as Limited accounts, not Administrator accounts.

Let's go back and fix it. We use Windows Explorer, browse to My Documents, right-click it, and select Properties. This time, we choose the Security tab. Notice how ONLY Administrators and the Owner have any permissions!

To fix this issue, we need to either:

  • Change the user accounts to Administrator accounts. This will add the user to the Administrators group and resolve the issue. Notice that this will not work if we've previously used Simple File Sharing to mark My Documents as Private. If you refer to the matrix in the Microsoft Knowledge Base article Description of File Sharing and Permissions in Windows XP, you'll see that this removes Administrators from the NTFS permissions.
  • Change the NTFS permissions to explicitly permit the desired users or groups.

Let's take the second approach. Use the Add button to add the users or groups that should have access to the shared folder. We could choose to add the group USERS, or we could add individual users. In this case, we'll add just the individual users Iona and Catriona, and we need to explicitly add Write permission.

Now, when Iona tries to gain access to the share across network, there's no problem:
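As an added model (not code from the article) of the two gatekeepers introduced under NTFS Permissions and exercised by this My Documents example: a network request must pass the share ACL and then the folder's effective NTFS permissions, while a local logon skips the share ACL entirely. Account, group and share names are the article's RONS-PC example; the root-folder entries and the read < change < full ordering are simplifying assumptions.

```python
"""Model of the two gatekeepers Windows XP applies to a network share: the
share ACL first, then the NTFS permissions on the folder behind it.  Added
illustration of the article's RONS-PC example, not code from the article;
rights are reduced to read < change < full."""
from dataclasses import dataclass
from typing import Optional

RIGHTS = {"read": 1, "change": 2, "full": 3}

# Local groups on the XP Professional machine (constructed from the article).
# Everyone is implicit: every account, Guest included, belongs to it.  Users
# holds the Limited accounts plus Ron, the account created at install time.
GROUPS = {
    "Administrators": {"Ron"},
    "Users": {"Ron", "Alasdair", "Fraser", "Iona", "Catriona"},
}
ACCOUNTS = {"Ron", "Alasdair", "Fraser", "Iona", "Catriona", "Guest"}


def principals(user):
    """Every security principal an access check considers for this user."""
    return {user, "Everyone"} | {g for g, m in GROUPS.items() if user in m}


def best_right(acl, user):
    """Permissions are additive: the highest right any principal holds wins."""
    return max((RIGHTS[r] for p, r in acl.items() if p in principals(user)), default=0)


@dataclass
class Folder:
    ntfs: dict                         # explicit NTFS entries on this folder
    parent: Optional["Folder"] = None  # None where XP has broken inheritance

    def effective_ntfs(self, user):
        own = best_right(self.ntfs, user)
        # Entries inherited from the parent (ultimately C:\) add to explicit ones.
        return max(own, self.parent.effective_ntfs(user)) if self.parent else own


@dataclass
class Share:
    folder: Folder
    acl: dict                          # what the Permissions button's ACL editor edits


def check(share, user, want="read", over_network=True, guest_enabled=False):
    """Return 'allowed' or the gatekeeper that refused the request."""
    need = RIGHTS[want]
    if user not in ACCOUNTS:
        # Unknown credentials fall back to Guest only while that account is
        # enabled; otherwise the client is prompted for the IPC$ password.
        if not guest_enabled:
            return "denied: no matching account"
        user = "Guest"
    # Gatekeeper 1, share permissions: consulted only for network connections.
    if over_network and best_right(share.acl, user) < need:
        return "denied by share ACL"
    # Gatekeeper 2, NTFS permissions: consulted for network and local access alike.
    if share.folder.effective_ntfs(user) < need:
        return "denied by NTFS permissions"
    return "allowed"


# C:\ carries the Read plus Special (Write) entries for Users that the article
# finds inherited on C:\Boystuff; folders created under it inherit them.
ROOT = Folder({"Administrators": "full", "Users": "change"})
BOYSTUFF = Share(Folder({}, ROOT), {"Alasdair": "change", "Fraser": "change"})
GIRLSTUFF = Share(Folder({}, ROOT), {"Iona": "change", "Catriona": "change"})
# XP breaks inheritance on My Documents: only the owner and Administrators remain.
MY_DOCUMENTS = Share(Folder({"Ron": "full", "Administrators": "full"}),
                     {"Iona": "change", "Catriona": "change"})


def fix_my_documents(share):
    """The article's second fix: explicitly add the two users to the NTFS list."""
    ntfs = dict(share.folder.ntfs, Iona="change", Catriona="change")
    return Share(Folder(ntfs, share.folder.parent), share.acl)
```

Calling `check(MY_DOCUMENTS, "Iona")` reproduces the error above, and `check(fix_my_documents(MY_DOCUMENTS), "Iona", "change")` shows why adding the users to the Security tab resolves it.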

That concludes our fairly exhaustive tour of XP Professional sharing and NTFS security.

Questions and Answers

Question: Should you now disable the Guest account? Having set up explicit share permissions, do you still need the Guest account enabled?

Answer: Most network administrators would not enable the Guest account.

If ALL users who you wish to permit access to your machine have specific accounts, then you should disable the Guest account. Those users will still have access to shares that you created with Simple File Sharing, because it put the Everyone group in the ACL, and that includes all the users you created, as well as guests.

If you need to allow 'other' unspecified users access to some of the shares, then you must leave the Guest account enabled.

The guest users will only be granted access to shares with Guest permissions. That includes any shares with the Everyone group. They will be unable to access shares without explicit guest permissions.

To disable the Guest account:

  1. Click Start | Control Panel | Performance and Maintenance | Administrative Tools | Computer Management;
  2. Open the Local Users and Groups | Users folder;
  3. Right-click on Guest and select Properties;
  4. Check Account is disabled.
  5. Click OK.

The Guest account is disabled, as shown by the red 'X'.

NOTE: In Control Panel | User Accounts, there is apparently the option to turn the Guest account off.

This does not disable the Guest account.

It only prevents Guest logins at the console of the local machine. The Guest account is still enabled for network access!

Use the method described above to disable the Guest account. Note also that turning the Guest account on from Control Panel | User Accounts will both enable the Guest account and permit local login.

Question: If you have more than one XP Professional machine, do you need to create user accounts on them all?

Answer: Say you have several XP Professional machines, each with disks and folders to be shared. When you go to add users to the ACL, the only users available to be added are from the local machine! Do you need to create identical user accounts on all the machines?

The basic answer is YES. You need to create identical user accounts on all machines which a user needs to access. It's best if the user name and password are the same on all of them. Then, the user name and password offered by that machine will be accepted by all of the other computers.

Does this seem messy? Wouldn't it be more sensible if the user accounts could be created on one central machine, and in the ACL editor you had the option to select remote users from the central user list as well as just locally-defined users?

Well, you can, and this is called a domain. A domain is a group of computers which share a common user account database. To create a domain, you need a Windows NT or Windows 2000 server set up as a 'domain controller'. You then create all the user accounts on the domain controller. Individual servers (machines with stuff to share) 'join' the domain. You do not create user accounts on them. The act of 'Joining the Domain' adds a new option in the ACL editor. Now, you can add not just local users, but also users and groups from the domain. Now, we have a single centralised set of user accounts which can be used across multiple servers.

It is beyond the scope of this article to describe domains.


Troubleshooting

The following errors are common when attempting to connect to a share:

Unable to Browse the Network


On a Windows 95/98/Me machine, the most common cause of this is that the user isn't logged on. Look on the Start menu, under the Log Off option. If it shows Log Off followed by a user name, then you're logged on. If it shows just Log Off, then you're not logged on.

One reason for this is the user hitting ESC or clicking Cancel at the login dialog. They must not do that. Either enter the password, or leave the password empty and click OK. If the user is never presented with a login dialog and is still not getting logged in, then refer to Microsoft Knowledge Base article Q141858 for a likely fix.

User is prompted for IPC$ Password

This happens when you attempt to browse the XP machine, but the XP machine is not satisfied with the credentials of the user. In other words, it doesn't know who you are. Possible causes:

  • Your current user name doesn't exist on the XP machine. To fix this, either enable the Guest account, or log in with a user name which has a valid account on the XP machine.
  • The current user name is valid, but its password doesn't match the password for that account on the XP machine. To fix this, either:
    1. Change the password on one of the machines to match the other, or;
    2. Enter the XP machine's password for that user name at the IPC$ prompt.

Error 31 when attempting to browse the XP machine

This error occurs if you set up a user account without a password, and then attempt to log in across the network. By default, Windows XP doesn't permit remote users to connect from the network without a password. To allow access without a password:

  1. Go to Control Panel | Performance and Maintenance | Administrative Tools | Local Security Policy.
  2. Expand Local Policies | Security options.
  3. Double-click Accounts: Limit local account use of blank passwords to console login only, which is enabled by default. Disable this option.

Reference: http://www.practicallynetworked.com/sharing/xp_filesharing/
