Permissions on a shared resource, such as a folder or volume, are determined by the local NTFS permissions for that resource and by the protocol used to access the shared resource:
- Server Message Block (SMB) protocol. SMB-based access control (for Windows-based file systems) is implemented by granting permissions to individual users and groups.
- Network File System (NFS) protocol. NFS-based access control (for UNIX-based file systems) is implemented by granting permissions to specific client computers and groups, using network names.
The final access permissions for a shared resource are determined by considering both the NTFS permissions and the sharing protocol permissions, and then applying the more restrictive permissions. If you enable access-based enumeration on an SMB-based shared folder, Windows hides files and folders for which users do not have Read permissions.
You can configure permissions and enable access-based enumeration for a shared resource when you create a new shared folder or volume using the Provisioning a Shared Folder Wizard, or by selecting an existing shared resource and clicking Properties in the Actions pane.
For information about using the Provisioning a Shared Folder Wizard, see Share a Resource. For information about configuring properties for an existing shared resource, see View and Modify Shared Folder Properties.
NTFS permissions
You can configure the local NTFS permissions for a shared folder or volume using Share and Storage Management in the following ways:
- New shared resources. In the Provision a Shared Folder Wizard, before you select a network sharing protocol, you can change the NTFS permissions for the folder or volume you will be sharing. These NTFS permissions will apply both locally and when accessing the resource over the network. To change the NTFS permissions, on the NTFS Permissions page, select Yes, change NTFS permissions, and then click Edit Permissions.
- Existing shared resources. You can change the NTFS permissions of a shared folder or volume listed on the Shares tab. To change the NTFS permissions, select the folder or volume, in the Actions pane click Properties, and on the Permissions tab, click NTFS Permissions.
Note: For more information about NTFS permissions, click Learn about access control and permissions on the property page that opens when you click NTFS Permissions.
SMB permissions
SMB–based access control for a shared resource is determined through two sets of permissions: NTFS permissions and share permissions. Share permissions are often only used for access control on computers that do not use the NTFS file system.
NTFS permissions and share permissions are independent in the sense that neither changes the other; the more restrictive of the two is applied to the shared resource.
Using Share and Storage Management, you can specify share permissions for SMB-based shared resources in the following ways:
- New shared resources. In the Provision a Shared Folder Wizard, if you select SMB as a share protocol, you can specify the following SMB-based access permissions on the SMB Permissions page:
  - All users and groups have only Read access. The resulting permission will be Read for the Everyone group.
  - Administrators have Full Control; all other users and groups have only Read access. The Administrators group will have Full Control permission, while the Everyone group will be granted Read permission.
  - Administrators have Full Control; all other users and groups have only Read access and Write access. The Administrators group will have Full Control permission, while the Everyone group will be granted both Read and Write permissions.
  - Users and groups have custom share permissions. To use this option, you must specify each group and user that is to have share access, as well as the specific share permissions (Full Control, Change, Read) to be granted or denied to each.
- Existing shared resources. You can change the share permissions of a shared folder or volume listed under Protocol: SMB on the Shares tab. To change the share permissions, select the folder or volume, in the Actions pane click Properties, and on the Permissions tab, click Share Permissions.
Note: For more information about share access permissions, click Learn about access control and permissions on the property page that opens when you click Share Permissions.
NFS permissions
NFS-based access control for a shared resource is determined by network names and groups. To use NFS permissions, you must first install the Services for Network File System (NFS) role service using Server Manager. After installing Services for NFS, use NFSAdmin.exe to create client groups and to add client computers to those groups before configuring NFS share permissions.
Note: For information about Kerberos authentication options, see http://go.microsoft.com/fwlink/?LinkId=143906. For more information about Services for NFS and NFSAdmin.exe, view the local Help content for this role service by typing the following command at a command prompt: hh nfs__lh.chm (with two underscores).
Using Share and Storage Management, you can then specify share permissions for NFS-based shared resources in the following ways:
- New shared resources. In the Provision a Shared Folder Wizard, if you select NFS as a share protocol, the NFS Permissions page is available in the wizard. You specify whether access is to be controlled by a specific client computer (host), or by a client group. To set up NFS permissions on a shared resource, you can do the following:
  - Add, edit, or remove permissions for client groups and hosts. The default is read-only access for the ALL MACHINES group. You can add any client group or host that has been previously created (using NFSAdmin.exe) and grant appropriate permissions to each (no access, read-only, read-write). You can also select the Allow root access option for each client group and host; however, we do not recommend this because it poses a security risk.
  - Specify whether to allow anonymous access for the shared resource. For security reasons, this is not enabled by default. Although anonymous access can be useful for troubleshooting or in test environments, we do not recommend it for general use.
    To allow anonymous access, the Provision a Shared Folder Wizard modifies NTFS permissions on the folder or volume to grant access to the Everyone security group.
    Enabling anonymous access also enables the Let Everyone permissions apply to anonymous users security policy, which effectively adds the Anonymous Logon principal to the Everyone security group. This allows anonymous users to pass through folders to which they otherwise have no access while navigating an object path in the shared folder, although it does not allow the user to list the contents of any folder to which access has not been granted.
    Note: Disabling anonymous access does not disable the Let Everyone permissions apply to anonymous users security policy.
- Existing shared resources. You can change the NFS permissions of a shared folder or volume listed under Protocol: NFS on the Shares tab. To change the share permissions, click the folder or volume, in the Actions pane click Properties, and on the Permissions tab, click NFS Permissions. To configure permissions, you add, edit, or remove permissions for each individual client group or host for which you want to configure access.
Access-based enumeration
Access-based enumeration allows users to see only the files and folders in an SMB-based shared folder that they have permission to access. If a user does not have Read permission for a folder, Windows hides the folder from the user's view. This is useful, for example, for shared folders that contain many users' home directories.
To enable access-based enumeration on a shared folder
1. In Share and Storage Management, right-click the appropriate shared folder and then click Properties.
2. On the Sharing tab, click Advanced.
3. Select the Enable access-based enumeration check box and then click OK.
Additional considerations
- Granting a user Full Control NTFS permission on a shared resource enables that user to take ownership of the folder or volume, unless the user is restricted in some other way. Be cautious in granting Full Control.
- If you want to manage folder and volume access by using NTFS permissions exclusively, set share permissions to Full Control for Everyone. This simplifies management of share permissions, but NTFS permissions are more complex than share permissions.
- NTFS permissions affect both local and remote access. NTFS permissions apply regardless of protocol. Share permissions, by contrast, apply only to shared network resources. Share permissions do not restrict access of any local user or terminal server user. Thus, share permissions do not provide privacy between users on a computer that is used by several users.
- By default, the Everyone group does not include the Anonymous group, so permissions applied to the Everyone group do not affect the Anonymous group.
- You cannot modify the access permissions of folders or volumes that are shared for administrative purposes, such as C$ and ADMIN$.
- To open Share and Storage Management, click Start, point to Administrative Tools, and then click Share and Storage Management.
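As an added illustration (not part of this topic, and a simplified model rather than Windows' actual access check), the following Python models the rules stated above: network access is the NTFS rights intersected with the share rights, local access uses NTFS rights alone, an explicit Deny entry overrides Allow, Anonymous Logon is part of Everyone only when the Let Everyone permissions apply to anonymous users policy is enabled, and access-based enumeration shows only folders the user can Read. The rights tables, principal names and sample ACEs are constructed assumptions.

```python
from dataclasses import dataclass

# Rights granted by each share permission and each NTFS permission (simplified model).
SHARE_RIGHTS = {"Read": {"read"}, "Change": {"read", "write"},
                "Full Control": {"read", "write", "full"}}
NTFS_RIGHTS = {"Read": {"read"}, "Write": {"write"}, "Modify": {"read", "write"},
               "Full Control": {"read", "write", "full"}}

@dataclass
class Ace:
    principal: str      # user or group name the entry applies to
    right: str          # a key of SHARE_RIGHTS or NTFS_RIGHTS
    allow: bool = True  # False models an explicit Deny entry

def members_of(user, groups, everyone_applies_to_anonymous=False):
    """Names an ACE can match for this user: the user, its groups, and Everyone.
    ANONYMOUS LOGON is treated as part of Everyone only when the policy is enabled."""
    names = {user} | groups.get(user, set())
    if user != "ANONYMOUS LOGON" or everyone_applies_to_anonymous:
        names.add("Everyone")
    return names

def resolve(aces, names, table):
    """Union of rights from matching Allow entries, minus rights explicitly denied."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace.principal in names:
            (allowed if ace.allow else denied).update(table[ace.right])
    return allowed - denied

def effective(user, ntfs, share, groups, *, remote=True, anon_policy=False):
    """Effective rights: NTFS rights, further restricted by share rights for network access."""
    names = members_of(user, groups, anon_policy)
    rights = resolve(ntfs, names, NTFS_RIGHTS)
    if remote:  # share permissions apply only over the network, not to local or terminal server users
        rights &= resolve(share, names, SHARE_RIGHTS)
    return rights

def abe_listing(user, folders, groups):
    """Access-based enumeration: show only folders on which the user has NTFS Read."""
    names = members_of(user, groups)
    return sorted(name for name, ntfs in folders.items()
                  if "read" in resolve(ntfs, names, NTFS_RIGHTS))

# Constructed sample: Everyone gets Read on the share, Users get Modify on disk.
SAMPLE_GROUPS = {"alice": {"Users"}, "bob": {"Users", "Administrators"}}
SAMPLE_SHARE = [Ace("Everyone", "Read"), Ace("Administrators", "Full Control")]
SAMPLE_NTFS = [Ace("Users", "Modify"), Ace("Administrators", "Full Control")]
```

With the sample, alice can write locally (NTFS Modify) but only read over the share, while a share set to Full Control for Everyone leaves NTFS as the sole control, as the considerations above describe.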