4.25. Restricting Access to a Share


Problem

You want to restrict access to a share.


Solution

There are two ways to restrict access to a share: you can set share permissions or NTFS permissions. I'm going to describe how to set share permissions, but see the Discussion section for more on NTFS permissions, the preferred method.

Using a graphical user interface

  1. Open Windows Explorer.

  2. In the left pane, browse to the shared folder.

  3. Right-click the folder and select Sharing and Security (or Sharing on Windows 2000).

  4. Select the Sharing tab.

  5. Click the Permissions button.

  6. From here, you can grant users or groups Full Control, Read, or Change access to the share.

Using a command-line interface

This command grants the AMER\rallen user Full Control over the Perl Libs share:

> subinacl /share "Perl Libs" /grant=amer\rallen=F

This command revokes the permission:

> subinacl /share "Perl Libs" /revoke=amer\rallen


Discussion

The generally accepted way to manage share permissions is to not actually manage permissions on the shares themselves, but on the underlying files and folders using NTFS permissions. With Windows 2000, this is pretty straightforward. By default, share and NTFS permissions are both set to allow Everyone Full Control. So you create a share and just modify the NTFS permissions to include the users or groups that should have access and remove the Everyone entry.

With Windows Server 2003, it isn't as straightforward. In an effort to make things more secure, Microsoft changed the default share permissions when creating a new share to allow Everyone only Read access. That means that, regardless of whether the underlying NTFS permissions grant Write access to a group, members of that group won't be able to write to the share until you also grant Change (or more appropriately, remove the Read restriction) on the share permissions. I said that this is the generally accepted way to manage permissions because you may find some people prefer to rely on share permissions. In my mind, using share permissions makes things a little more complicated, but to each his own.
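The interaction between the two permission layers can be checked with a small model. This is an added example, not code from the book: it is simplified to allow-only entries (no Deny entries or inheritance), the mapping of permission levels to rights is coarse, and the AMER\PerlDevs group is hypothetical.

```python
# Simplified model: access through a share is limited to the rights that
# BOTH the share ACL and the NTFS ACL grant to the caller.
SHARE_LEVELS = {
    "Read": {"read"},
    "Change": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change_permissions"},
}
NTFS_LEVELS = {
    "Read": {"read"},
    "Modify": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change_permissions"},
}

def granted(acl, levels, principals):
    """Union of the rights given by every allow entry that matches the caller."""
    rights = set()
    for trustee, level in acl:
        if trustee in principals:
            rights |= levels[level]
    return rights

def effective_over_share(user, groups, share_acl, ntfs_acl):
    """Rights a user holds when reaching the folder through the share."""
    principals = {user, "Everyone"} | set(groups)
    return (granted(share_acl, SHARE_LEVELS, principals)
            & granted(ntfs_acl, NTFS_LEVELS, principals))

# Constructed sample data; the group name is an assumption for illustration.
GROUPS = ["AMER\\PerlDevs"]
NTFS_ACL = [("AMER\\PerlDevs", "Modify")]       # Everyone entry removed
WIN2000_SHARE = [("Everyone", "Full Control")]  # Windows 2000 default
WIN2003_SHARE = [("Everyone", "Read")]          # Windows Server 2003 default
WIN2003_FIXED = [("Everyone", "Change")]        # after granting Change

def demo():
    """Effective rights for AMER\\rallen under each share ACL."""
    cases = [("2000 default", WIN2000_SHARE),
             ("2003 default", WIN2003_SHARE),
             ("2003 fixed", WIN2003_FIXED)]
    return {name: sorted(effective_over_share("AMER\\rallen", GROUPS, acl, NTFS_ACL))
            for name, acl in cases}

if __name__ == "__main__":
    for name, rights in demo().items():
        print(f"{name:13} -> {rights}")
```

With the Windows Server 2003 default share ACL, the group's NTFS Modify right is reduced to read-only over the network until Change is granted on the share.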

See Also

MS KB 301195 (HOW TO: Configure Security for Files and Folders on a Network (Domain) in Windows 2000), and MS KB 324267 (HOW TO: Share Files and Folders over the Network in a Windows Server 2003 Domain Environment)
