Understanding Share Permissions
Shared folders are used to provide other users, on your Windows network, access to the contents of those folders. You can only share folders, not individual files.
Share permissions are only applied when a shared folder is accessed over the network. It is a common misconception to think the process works in a different way. When you log into a Windows machine locally (even if a file or folder is shared to other users within the network), every time you access an object, NTFS permissions apply and not share permissions. It does not matter how restrictive share permissions have been set up, if you have access to the object and you are logged into the workstation or server that “owns” the file or folder, you will be granted access.
There are three types of share permissions:
- Full Control: Allows the user to read/execute/write/delete the contents of the folder and manage the folder permissions.
- Change: Allows the user to read/execute/write/delete the contents of the folder, but does not allow the user to modify its permissions.
- Read: Allows the user to read the contents of the folder and its files.
How to Share Folders
Although the concept behind sharing folders has not changed, there are now two ways to share folders after the release of Windows Server 2012. In previous versions of Windows, the process was isolated and you had to access the folder first or login to the server that owned the folder in order to share it. Windows Server 2012 provided a new interface and a more centralized way of achieving this goal by using the Server Manager. This section will cover both options.
Sharing Folders – The Traditional Way
Right click the folder. Then click on
Share with followed by
Next, you will be presented with the following form, in which you select which users will be granted permission to access the folder. Click on the arrow, followed by
Now you can select the users who will have access to the folder. Type their name and click on the
Check Names button. Once you are done adding users, press the
OK button. For this example, we will use the group “Everyone”.
Click on the
Your folder is now shared to the users/groups that you chose during the previous steps. You can email the link to this folder to the respective users or copy and paste the link as you please.
This is the link we obtained for our example folder after clicking
Sharing Folders – The Server Manager Way
The Server Manager, a graphical interface that integrated many tasks initially done in separate and unorganized ways, was first introduced as a concept in Windows Server 2008. However, it wasn’t until the release of Windows Server 2012 that this concept was fully implemented and improved. Now, the Server Manager is frequently the starting point for any task that needs to be performed on the server.
Sharing folders are now fully integrated into the Server Manager, which provides a more centralized means of sharing folders among different users and from different servers, although the concept remains the same.
First, open the Server Manager. On the lefthand side, you will see all the roles your server provides. Click on
File and Storage services. (Note: you need to have previously installed this role using the “Add roles or features” assistant.)
Then click on
Shares, followed by
Tasks, followed by
Now you will choose what you want to share. Each option has a description on the righthand side. For the purpose of this article, choose
SMB Share – Quick and click
Now select the volume and/or the path for the folder that you want to share and click the
Type a name for your shared folder. By default, the share name is the name of the actual folder, but you can choose any name that fits your purposes. Click the
You are now presented with the
Other settings form. Here you can choose some new features to use with your share that were not present in previous Windows Server versions (or that were only available by downloading separate Windows Server packages). The form contains a brief description of each setting, which will be summarized below to provide better understanding. Keep in mind that these options were made to improve security and reliability, thus it is best to choose all of them as we have done in our example.
- Enable Access-based Enumeration: Use this setting when you want to prevent users from seeing other folders besides those they have access to. For example, if you create a folder that contains all “Home” directories containing their personal files for several users, you might want to allow each user to only see the list of folders within their own folder.
- Allow Caching of Shares: Use this setting to provide users with an offline copy of their folder. This is particularly helpful if you run into network issues that prevent users from accessing the network path for their folder.
- Encrypt Data Access: This setting improves the security of your network shares by encrypting all data in transit. In the case that it is intercepted while being transferred to or from the user workstation to the shared folder, the content will be encrypted and become inaccessible to other sources.
Once you are done selecting these options, click the
The next step is to configure permissions. This step centralizes the setup for both NTFS and share permissions to a single screen.
Remember that, by default, your folder is shared to the group “Everyone” with “Full Control”. This is shown in the tab “
Share permissions: Everyone Full Control”.
Next, you can see a list of the current NTFS permissions for the folder. Remember that, by default, the folder will inherit permissions from its parent folder.
To change these settings, click the
Customize permissions button.
Notice this is the same
Advanced Security Settings properties page that we saw in previous chapters under the
Share tab, where you can set share permissions for users or groups, thus combining NTFS and share permissions in a single graphical user interface. Once you are ready to set up your permissions, click the
OK button followed by the
Finally, you are provided with a summary of the share you just set up. To finish the process, click the
How to List Shares
In previous editions of Windows (both for Servers and Workstations), once you shared a folder, a hand would be displayed next to that folder’s icon.
This changed in Windows Server 2012 for Windows 8 and Windows 10.
For workstations, there is now only one way to list your shared folders. For servers, there are two different options.
- For workstations/servers: Go to
Windows File Explorer. Click on
Networkfollowed by the name of your server/workstation to display all shared folders.
- For servers: Go to the Server Manager. Click
File and Storage Servicesfollowed by
Sharesto list all shared folders.
Prevent Unauthorized Access to Sensitive Windows Folders!
Get your free edition of the easiest and fastest NTFS Permission Reporter now!