Controlling Access with NTFS Permissions
If you're frustrated by the limitations of Simple File Sharing, you do have an alternative, provided that you're running Windows XP Professional and the drive that contains the files you want to protect is formatted with the NTFS file system. (On a machine running Windows XP Home Edition, the only way to adjust permissions on individual files or folders is by restarting in Safe Mode or using the Cacls utility from a command prompt, an option we describe in "Setting Permissions from a Command Prompt," page 276.) By disabling Simple File Sharing and using the full range of NTFS access controls, you can accomplish any or all of the following goals:
- Control access to any file or folder on any NTFS-formatted drive. This is a dramatic improvement over Simple File Sharing, which allows you to protect files in your user profile only.
- Allow different types of access for different users or groups of users. For instance, you might allow your teenagers read-only access to your collection of digital music files, so that they can play them but not erase them to make room for their own downloaded tunes. You and your spouse, on the other hand, get full rights to add or delete any files. This is a significant change from the all-or-nothing access controls available via Simple File Sharing.
- Fine-tune permissions on specific files or folders. In a folder that contains the templates you use to create new documents or Web pages, you might want to restrict users to read-only access, while blocking their ability to overwrite or delete files. Anyone can open a new file based on an existing template, but you can be certain that the revised file won't inadvertently replace one of your carefully crafted templates.
Caution: Setting NTFS permissions without understanding the full consequences can lead to unexpected and unwelcome results, including a complete loss of access to files and folders. Working with the built-in permission sets (Full Control, Modify, and so on) is the safest strategy. If you plan to tinker with special permissions, set up a folder and fill it with test files so that you can experiment safely. When you're certain you've worked out the correct mix of permissions, apply them to the folders containing your real working files and delete the test folder.
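The test-folder rehearsal recommended above, applied to the read-only templates scenario, as an added batch example that is not part of the original text. It uses the Cacls utility mentioned earlier; the folder C:\PermTest and the account name Katy are hypothetical, and the script assumes an NTFS drive and an administrator account.

```batch
@echo off
rem Added example: rehearse read-only access on throwaway files
rem before changing permissions on real working folders.
rem Assumptions: C: is NTFS, Katy is a hypothetical local account,
rem C:\PermTest is a hypothetical scratch folder, run as an administrator.
setlocal
set TESTDIR=C:\PermTest
set TESTUSER=Katy

rem 1. Build the scratch folder with a couple of dummy templates.
if not exist "%TESTDIR%" mkdir "%TESTDIR%"
echo sample letter > "%TESTDIR%\letter.dot"
echo sample page > "%TESTDIR%\page.htm"

rem 2. Record the ACL the folder inherited from its parent.
echo --- before ---
cacls "%TESTDIR%"

rem 3. Grant Read to the test account.
rem    /E edits the existing ACL instead of replacing it (no /E = ACL wiped),
rem    /T applies the change to the files and subfolders inside,
rem    /G user:R grants Read access.
cacls "%TESTDIR%" /T /E /G %TESTUSER%:R

rem 4. Show the result for the folder and every file in it.
echo --- after ---
cacls "%TESTDIR%" /T

rem 5. Permissions are cumulative: entries for groups the account belongs to
rem    (such as Users) still apply, so confirm the effect by logging on
rem    as the test account rather than trusting the listing alone.
echo.
echo Log on as %TESTUSER%, open a file in %TESTDIR%, then try to overwrite it.
echo When finished, remove the test folder with: rd /s /q "%TESTDIR%"
endlocal
```

Comparing the before and after listings shows which entries came from inheritance and which one the script added, which is the information you need before repeating the change on real folders.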
The best way to begin working with permissions is to start by using the Make This Folder Private option on any folders you want to protect in your user profile. This sets a baseline of default permissions that guarantee you'll have exclusive access to those files. After completing that process, you're ready to turn off the Simple File Sharing interface and reveal the more complex Security tab, with its full array of NTFS permissions. To do so, from any Windows Explorer window, click Tools, Folder Options. On the View tab, clear the Use Simple File Sharing (Recommended) check box.
As a general practice, you should be consistent in your use of either the Simple File Sharing interface or full NTFS permissions. Switching back and forth indiscriminately can wreak havoc with network shares. If you normally use Simple File Sharing, but occasionally need to work with the full set of permissions, you can bypass the dialog boxes with this simple script, which toggles between the two modes. Open Notepad or any plain text editor and enter the following text:
```vbscript
' ToggleSharingOptions.vbs
' Toggles between Simple Sharing and full NTFS permissions
Option Explicit
Dim strOldForceGuestValue, WshShell
On Error Resume Next
Set WshShell = WScript.CreateObject("WScript.Shell")
' forceguest = 1 means Simple File Sharing is on; 0 exposes the Security tab
strOldForceGuestValue = _
    WshShell.RegRead("HKLM\SYSTEM\CurrentControlSet\Control\Lsa\forceguest")
If strOldForceGuestValue = "1" Then
    WshShell.RegWrite _
        "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\forceguest", 0, "REG_DWORD"
    WScript.Echo "Full permissions are now available"
Else
    WshShell.RegWrite _
        "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\forceguest", 1, "REG_DWORD"
    WScript.Echo "Simple sharing is now on"
End If
```
Save the file in the Windows folder or in the All Users\Desktop folder as ToggleSharingOptions.vbs. Create a shortcut to the script and add it to the All Programs menu; for even faster access, assign a keyboard shortcut to the script.