Password Protection and Simple File Sharing
On small Windows networks (that is,
networks that aren’t managed by a Windows Server computer using the
Domain security model), each computer is separately responsible for
managing usernames and passwords. Before Windows XP, this made it
difficult to securely share files across the network—you had to create
accounts for each of your users on every one of your computers, using
the same password for each user on each computer.
Windows XP introduced a concept called Simple
File Sharing that, when enabled, entirely eliminated security for file
sharing. All network access was done in the context of the Guest user
account, regardless of the remote user’s actual account name.
Essentially, anyone with physical access to your network could access
any shared file. This made it much easier for other people in your home
and office to get to each other’s files. (And, horrifyingly, everyone
on the Internet could also get at your files, until XP Service Pack 2
came out.)
Windows 8, 7, and Vista also include Simple
File Sharing, although it’s now called Password Protected Sharing. And,
the effect of disabling and enabling the feature is reversed on the two
newer operating systems. Table 1 shows the settings and the results.
Table 1. File Sharing Settings
This setting is not always changeable. In
Windows XP Home Edition, Simple File Sharing is always checked and
cannot be turned off. In all other versions of Windows, it can be
turned on or off, except if the computer is a member of a domain
network. In this case, passwords are always required.
Finally, Windows 8 and 7 have a new twist in
the way that security works when Password Protected Sharing is turned
off. On Vista and XP, when passwords are not required, all
incoming network access uses the Guest account. Thus, anyone on the
network can access any file in a shared folder if the file can be
accessed by the user account Guest or by the user group Everyone.
But on Windows 8 and 7, the following happens
when a remote user attempts to use a folder or file shared by a Windows
8 or 7 computer with Password Protected Sharing turned off:
• If the remote user’s account matches an account in the Windows 8 or 7 sharing computer and that account has a password set, that account is used for file access.
• If the remote user’s account matches
an account in the sharing computer but that account has no password
set, then the Guest account is used.
• If the remote user’s account matches no account in the sharing computer, the Guest account is used.
This might seem convoluted, but it is
actually a very useful change. First of all, this change was necessary
to support the new HomeGroup feature. All homegroup member computers
use a special, password-protected account named HomeGroupUser$ to
access other member computers, and this change lets it work whether Password Protected Sharing is turned on or off. Second, it gives you the option of giving designated users additional access privileges, without requiring you to set up a full-blown security scheme.
We know this has probably given you a
headache by now. You probably just want to know how to get at the
library of pictures stored on your old computer. In the end, however,
it can be pretty easy to decide how to set things up, based on how
concerned you need to be about security.
To see how to set up your network, decide which of the following three categories best describes your environment:
• My computer is part of a corporate domain network.
In this case, accounts and passwords
are always required. Your network administrator sets these up. Use the
Security tab on any folder that you share to select the users and
groups to which you want to grant access.
• Ease of use is my priority, and network security is not a great concern.
In this case, turn off Password
Protected Sharing on your Windows 8, 7, and Vista computers, and enable
Simple File Sharing on any Windows XP Professional computers. This lets
anyone on the network access any shared folder.
You must make sure that a firewall is
set up to block File and Printer Sharing access over your Internet
connection. Use a connection-sharing router, Windows Firewall, or a
third-party firewall program to do this. If you have a wireless
network, you must enable WPA or WEP security.
Tip
If you change your password on any computer,
it’s a good idea to make the same change on every computer where you
have an account. This way, you won’t be asked to supply your password
whenever you use network resources.
• Security is important to me; I want specific control over which individual users can use specific shared files and folders.
In this case, turn on Password
Protected Sharing on your Windows 8, 7, and Vista computers as well as
disable Simple File Sharing on any XP Professional computers. Do not
share sensitive resources from any computer that runs Windows XP Home
Edition (or do not use XP Home Edition at all). Do not create a
homegroup.
On every computer that does share
sensitive folders or printers with the network, you need to create an
account for every user who needs access to the shared folders or
printers. For each user, be sure to create an account with the same
name and the same password as on that user’s own computer.
Note
All these rules about whether a password is required are interpreted by the computer that is sharing a folder or printer. When any version of Windows uses a folder or printer shared by another computer, that
computer sets the rules for requiring a password. For example, XP Home
Edition never requires an account or password when someone wants to use
its shared folders, but it can still use password-protected shared
resources shared by, say, Windows 8 or even a Windows domain server.
To change the Simple File Sharing setting on Windows XP Professional, follow these steps:
1. Log on as a Computer Administrator.
2. Click Start, My Computer.
3. Press and release the Alt key to display the menu. Select Tools, Folder Options and then select the View tab.
4. Scroll to the
bottom of the Advanced Settings list. Simple File Sharing is the last
entry in the list. Check or uncheck the entry as desired.
