Managing Permissions for Shared Folders
Applies To: Windows Server 2008 R2
Permissions on a shared resource, such as a folder or volume, are determined by the local NTFS permissions for that resource and by the protocol used to access the shared resource:
Server Message Block (SMB) protocol
SMB–based access control (for Windows-based file systems) is implemented by granting permissions to the individual users and groups.
Network File System (NFS) protocol
NFS–based access control (for UNIX-based file systems) is implemented by granting permissions to specific client computers and groups, using network names.
The final access permissions for a shared resource are determined by considering both the NTFS permissions and the sharing protocol permissions, and then applying the more restrictive permissions. If you enable access-based enumeration on an SMB-based shared folder, Windows hides files and folders for which users do not have Read permissions.
You can configure permissions and enable access-based enumeration for a shared resource when you create a new shared folder or volume using the Provisioning a Shared Folder Wizard, or by selecting an existing shared resource and clicking Properties in the Actions pane.
This topic discusses the following subjects:
For information about using the Provisioning a Shared Folder Wizard, see Share a Resource. For information about configuring properties for an existing shared resource, see View and Modify Shared Folder Properties.
You can configure the local NTFS permissions for a shared folder or volume using Share and Storage Management in the following ways:
New shared resources. In the Provision a Shared Folder Wizard, before you select a network sharing protocol, you can change the NTFS permissions for the folder or volume you will be sharing. These NTFS permissions will apply both locally and when accessing the resource over the network. To change the NTFS permissions, on the NTFS Permissions page, select Yes, change NTFS permissions, and then click Edit Permissions.
Existing shared resources. You can change the NTFS permissions of a shared folder or volume listed on the Shares tab. To change the NTFS permissions, select the folder or volume, in the Actions pane click Properties, and on the Permissions tab, click NTFS Permissions.
For more information about NTFS permissions, click Learn about access control and permissions on the property page that opens when you click NTFS Permissions.
SMB–based access control for a shared resource is determined through two sets of permissions: NTFS permissions and share permissions. Share permissions are often only used for access control on computers that do not use the NTFS file system.
NTFS permissions and share permissions are independent in the sense that neither changes the other, and the most restrictive of the two will be applied to the shared resource.
Using Share and Storage Management, you can specify share permissions for SMB-based shared resources in the following ways:
New shared resources. In the Provision a Shared Folder Wizard, if you select SMB as a share protocol, you can specify the following SMB-based access permissions on the SMB Permissions page:
All users and groups have only Read access. The resulting permission will be Read for the Everyone group.
Administrators have Full Control; all other users and groups have only Read access. The Administrators group will have Full Control permission, while the Everyone group will be granted Read permission.
Administrators have Full Control; all other users and groups have only Read access and Write access. The Administrators group will have Full Control permission, while the Everyone group will be granted both Read and Write permissions.
Users and groups have custom share permissions. To use this option, you must specify each group and user that is to have share access, as well as the specific share permissions (Full Control, Change, Read) to be granted or denied to each.
Existing shared resources. You can change the share permissions of a shared folder or volume listed under Protocol: SMB on the Shares tab. To change the share permissions, select the folder or volume, in the Actions pane click Properties, and on the Permissions tab, click Share Permissions.
For more information about share access permissions, click Learn about access control and permissions on the property page that opens when you click Share Permissions.
NFS-based access control for a shared resource is determined based on network names and groups. To use NFS permissions, you must first install the Services for Network File System (NFS) role service using Server Manager. After installing Services for NFS, use NFSAdmin.exe to create client groups and to add client computers to those groups before configuring NFS share permissions.
For information about Kerberos authentication options, see http://go.microsoft.com/fwlink/?LinkId=143906. For more information about Services for NFS and NFSAdmin.exe, view the local Help content for this role service by typing the following command at a command prompt: hh nfs__lh.chm (with two underscores).
Using Share and Storage Management, you can then specify share permissions for NFS-based shared resources in the following ways:
New shared resources. In the Provision a Shared Folder Wizard, if you select NFS as a share protocol, the NFS Permissions page is available in the wizard. You specify whether access is to be controlled by a specific client computer (host), or by a client group. To set up NFS permissions on a shared resource, you can do the following:
Add, edit, or remove permissions for client groups and hosts. The default is read-only access for the ALL MACHINES group. You can add any client group or host that has been previously created (using NFSAdmin.exe) and grant appropriate permissions to each (no access, read-only, read-write).
Also, you can select the Allow root access option for each client group and host—however, we do not recommend this because it poses a security risk.
Specify whether to allow anonymous access for the shared resource. For security reasons, this is not enabled by default. Although anonymous access can be useful for troubleshooting or in test environments, we do not recommend it for general use.
To allow anonymous access, the Provision a Shared Folder Wizard modifies NTFS permissions on the folder or volume to grant access to the Everyone security group.
Enabling anonymous access also enables the Let Everyone permissions apply to anonymous users security policy, which effectively adds the Anonymous Logon principle to the Everyone security group. This allows anonymous users to pass through folders to which they otherwise have no access while navigating an object path in the shared folder—although it does not allow the user to list the contents of any folder to which access has not been granted.
Disabling anonymous access does not disable the Let Everyone permissions apply to anonymous users security policy.
- Existing shared resources. You can change the NFS permissions of a shared folder or volume listed under Protocol: NFS on the Shares tab. To change the share permissions, click the folder or volume, in the Actions pane click Properties, and on the Permissions tab, click NFS Permissions. To configure permissions, you add, edit, or remove permissions for each individual client group or host for which you want to configure access.
Access-based enumeration allows users to see only the files and folders in an SMB-based shared folder to which they have permission to access. If a user does not have Read permissions for a folder, Windows hides the folder from the user’s view. This is useful for shared folders that contain many users’ home directories, for example.
To enable access-based enumeration on a shared folder
In Share and Storage Management, right-click the appropriate shared folder and then click Properties.
On the Sharing tab, click Advanced.
Select the Enable access-based enumeration checkbox and then click OK.
Granting a user Full Control NTFS permission on a shared resource enables that user to take ownership of the folder or volume, unless the user is restricted in some other way. Be cautious in granting Full Control.
If you want to manage folder and volume access by using NTFS permissions exclusively, set share permissions to Full Control for Everyone. This simplifies management of share permissions, but NTFS permissions are more complex than share permissions.
NTFS permissions affect both local and remote access. NTFS permissions apply regardless of protocol. Share permissions, by contrast, apply only to shared network resources. Share permissions do not restrict access of any local user or terminal server user. Thus, share permissions do not provide privacy between users on a computer that is used by several users.
By default, the Everyone group does not include the Anonymous group, so permissions applied to the Everyone group do not affect the Anonymous group.
You cannot modify the access permissions of folders or volumes that are shared for administrative purposes, such as C$ and ADMIN$.
To open Share and Storage Management, click Start, point to Administrative Tools, and then click Share and Storage Management.