For computers running Windows 8, two factors control file
security and sharing options: the disk format and computer settings.
The format of the disk determines the degree of file security options
available. Disks can be formatted for the FAT file system (FAT16,
FAT32, or exFAT) or the NTFS file system. The security options on FAT
and NTFS volumes differ greatly.
-
With FAT, you have very limited control over file access. Files can
be marked only as read-only, hidden, or system. Although these flags
can be set on files and folders, anyone with access to the FAT volume
can override or change these settings, which means that there are no
safeguards for file access or deletion. Any user can access or delete
any file without restriction.
-
With NTFS, you can control access to files and folders by assigning
permissions that specifically allow or deny access. Permissions can be
set for individual users and for groups of users. This gives you very
granular control over file and folder access. For example, you could
specify that users in the Sales Managers group have full control over a
folder and its files, but users in the Sales Reps group have no access
to the folder whatsoever.
The settings on a computer determine the way files can be shared. For server message block (SMB), Windows 8 supports two file-sharing models:
-
Standard folder sharing
Enables you to share the files in any folder on a computer, including
those on FAT and NTFS volumes. Two sets of permissions are used to
determine who has access to shared folders: access permissions . Access permissions and share
permissions together enable you to control who has access to shared
folders and the level of access assigned.
-
Public folder sharing
Enables you to share files that are in a computer’s
%SystemDrive%\Users\Public folder. Access permissions on the Public
folder determine which users and groups have access to publicly shared
files, as well as what level of access those users and groups have.
When you copy or move files to the Public folder, access permissions on
the files are changed to match those of the Public folder. Some
additional permissions are added as well.
Note
With standard folder sharing, local users don’t have automatic
access to any data stored on a computer. Local access to files and
folders is fully controlled by the security settings on the local disk.
If a local disk is formatted with FAT, you can use the read-only,
system, or hidden flags to help protect files and folders, but you
cannot restrict access. If a local disk is formatted with NTFS, you can
control access by allowing or denying access to individual users and
groups of users.
With public folder sharing, files copied or moved to the Public
folder are available to anyone who logs on locally regardless of
whether he or she has a standard user account or an administrator user
account on the computer. Network access can be granted to the Public
folder. Doing so, however, makes the Public folder and its contents
open to everyone who can access the computer over the network.
Windows Server 2012 adds new layers of security through compound
identities, claims-based access controls, and central access policies.
With both Windows 8 and Windows Server 2012, you can assign
claims-based access controls to file
and folder resources on NTFS volumes. With Windows Server 2012, users
are granted access to files and folder resources, either directly with
access permissions and share permissions or indirectly with
claims-based access controls and central access policies.
Unlike early releases of Windows, where only one sharing model could
be used at a time, computers running Windows 8 can use both sharing
models at the same time. The key advantage to standard sharing is that
users can share any folder on a computer and don’t have to move files
or folders from their current location. Public folders, on the other
hand, are open drop boxes. When users copy files and folders to public
folders (and public folder sharing is enabled), the files and folders
are available to other users on the computer and on the network.
File Explorer has several options when you select folders:
-
Include In Library Creates a link between the folder and its contents in the user’s Documents, Music, Pictures, Videos,
or another library folder. This lets the user browse and work with the
folder’s contents as if it were part of the specified library. However,
anytime the user works with a file in a library folder, he is actually
working with the file in its original location.
-
Share With Shares
the folder using standard folder sharing. In a homegroup, users have
the option to share the folder with anyone in the homegroup as
read-only or read/write. In a workgroup or domain, users have the
option of sharing with specific people. In any configuration, users can
also select the sharing option Nobody, which effectively removes
sharing.
The default sharing configuration for computers depends on whether
they are members of homegroups, workgroups, or domains. When you set up
a homegroup, you specify the types of files
to share, as well as whether to share printers. Computers that are
members of the same homegroup can then automatically share files such
as pictures, music, videos, documents, and printers.
Sharing folders within a homegroup as read-only or read-write is
fairly straightforward. To enable sharing in a homegroup, you complete
the following steps:
-
In File Explorer, press and hold or right-click the folder.
-
Select Share With, and then select Homegroup (Read) or Homegroup (Read/Write).
This simple approach to sharing might make homegroups seem appealing
to users in your office. However, it also grants very wide access to
users’ data and is generally inadvisable for the workplace. This is why
you should encourage users in a homegroup to share with specific people
rather than with everyone. Sharing with specific people is the only
technique you can use in workgroups and domains.
To enable sharing with specific people, you complete the following steps:
-
In File Explorer, press and hold or right-click the folder.
-
Select Share With, and then select Specific People. This displays the File
Sharing Wizard. By default, the local Administrators group is specified
as the owner of the share, and the currently logged-on user is granted
read/write access.
-
In the File Sharing Wizard, use the options provided to choose the
people to share with. For example, if you want to include all users
with local accounts on the computer, enter Users, and then tap or click
Add. This is different from sharing with everyone because the Everyone
group includes anyone with access permission to the computer, not just
those who are domain or local users.
-
The default sharing permission is read-only. To set a permission
level for a user or group, tap or click the user or group name, and
then select Read or Read/Write.
-
Tap or click Share to share the folder, and then tap or click Done.
To remove sharing, you complete the following steps:
-
In File Explorer, press and hold or right-click the folder.
-
Select Share With and then select Stop Sharing.
-
In the File Sharing Wizard, select Stop Sharing.
By default, when you create the first standard folder share on a computer, Windows creates the File
And Printer Sharing exception in Windows Firewall. This inbound
exception allows other computers on the network to send inbound Server
Message Block (SMB) traffic through Windows Firewall to access the
share. To accommodate this, Windows opens the following ports:
-
UDP port 137, which is used for NetBIOS name resolution
-
UDP port 138, which is used for NetBIOS datagram transmission and reception
-
TCP port 139, which is used by the NetBIOS Session service
-
Dynamic ports for ICMPv4 and ICMPv6 (which is used for echo requests, if applicable)
In a nutshell, that is how standard folder sharing works.
Network sharing settings are meant to provide the appropriate level
of security for each of the various categories of networks to which a
computer can connect. For this reason, Windows maintains a separate
network profile for each type of network a computer uses. Generally,
most network
discovery and sharing settings are disabled by default. You can
configure network discovery and sharing settings by following these
steps:
-
In Control Panel, under Network And Internet, tap or click Choose
Homegroup And Sharing Options, and then tap or click the Change
Advanced Sharing Settings link.
-
Each available network profile has a separate management panel with
configuration settings. Use the expand button to display the profile
you want to work with.
-
Network Discovery, an option for the Private, Public, and Domain
profiles, affects whether a computer can find other computers and
devices on the network and whether other computers on the network can
find this computer. Turn Network Discovery on or off by selecting the
related option.
-
File And Printer
Sharing, an option for the Private, Public, and Domain profiles,
controls whether a computer can share files and printers. Turn File And Printer Sharing on or off by selecting the related option.
-
In the All Networks profile, Public Folder Sharing controls whether a computer can share files in the Public folders. Turn Public Folder Sharing on or off by selecting an appropriate option.
-
In the All Networks profile, Media Streaming allows users to share music, videos, and pictures
and to access music, videos, and pictures on other computers. Turn
Media Streaming on by tapping or clicking the related button, and then
configure the Media Streaming options as appropriate. Allowing other
users to listen to music, play videos, and view pictures from another
computer can adversely affect performance, so you might not want to
enable this feature.
-
Windows uses encryption to securely transfer your shared data. By
default, the encryption level is set to 128-bit encryption (in most
configurations). However, you should be sure that the computers and
devices you are sharing with support this level of encryption.
Otherwise, select the lower encryption level or upgrade the encryption
support on the other devices and computers.
-
In workgroups and homegroups, Password Protected Sharing allows only
people with a user account and password on the local computer to access
shared resources. Turn Password Protected Sharing on or off by
selecting the related option.
-
Tap or click Save Changes to save your settings.
In Group Policy, you can prevent computers from joining homegroups
by enabling the Prevent The Computer From Joining A Homegroup policy.
This policy is found in the Administrative Templates policies for
Computer Configuration under Windows Components\Homegroup.
In Group Policy, you also can restrict the way sharing works. The
key restrictions on how sharing can be used come from the Prevent Users
From Sharing Files
Within Their Profile policy. This policy, found in Administrative
Templates policies for User Configuration under Windows
Components\Network Sharing, controls whether sharing is allowed within folders
associated with user profiles, primarily the %SystemDrive%\Users
folder. Keep the following in mind when working with the Prevent Users
From Sharing Files Within Their Profile setting:
-
When this setting is Not Configured, the default state, users are
allowed to share files within their profile with other users on their
network, provided that a user with administrator privileges on the
computer opts in for file sharing. To opt in for file sharing, an administrator has only to share a file within his or her profile.
-
When this setting is Enabled, users cannot share files within their profile by using the File Sharing Wizard, and the File Sharing Wizard will not create shares within the %SystemDrive%\Users folder.
-
When this setting is Disabled, as might be necessary to override an
inherited Enabled setting, users are allowed to share files within
their profile with other users on their network, provided that a user
with administrator privileges on the computer opts in for file sharing.
-
To configure the Prevent Users From Sharing Files Within Their Profile policy in Group Policy, follow these steps:
-
Open a Group Policy Object for editing in the appropriate Group
Policy editor. Next, expand Administrative Templates policies for User
Configuration under Windows Components\Network Sharing.
-
Double-tap or double-click Prevent Users From Sharing Files Within Their Profile.
-
Select Not Configured, Enabled, or Disabled, and then tap or click OK.
Although it is tempting to use public
folder sharing, most organizations—even small businesses—should
encourage the use of standard folder sharing for all company files
and data. Simply put, standard folder sharing offers more security and
better protection, and, rather than opening the floodgates to data, it
closes them and blocks access appropriately. Increasing security is
essential to protecting one of the most valuable assets of any
organization—its data.
Share permissions are used only when a user attempts to access a file
or folder from a different computer on the network, whereas access
permissions are always used whether the user is logged on locally or
using a remote system to access the file or folder over the network.
When data is accessed remotely, first the share permissions are
applied, and then the access permissions are applied.
In many ways, this means that file access permissions and
standard folder sharing permissions are like wrappers around your data.
File access permissions, the first wrapper, protect your data with
regard to local access. If a user logs on to a system locally, file
access permissions can allow or deny access to files and folders. File sharing permissions, the second wrapper, are used when you want to allow remote access. If a user accesses data remotely, file sharing permissions allow or deny initial access, but because your data is also wrapped in a file security blanket, the user must successfully pass file access permissions before working with files and folders.
