Simple File Sharing vs. Advanced Permissions
In a clean installation or an upgrade over Windows 98/Me, Windows XP assigns default security settings that work like on/off switches. This Simple File Sharing interface initially makes all the files in your user profile (including your My Documents folder, desktop, Start menu, and Favorites) visible to anyone who has an administrator's account on your computer (users with limited accounts are restricted from viewing files in other profiles). Opening the My Computer window displays a separate icon for the folder that holds each user's personal documents, along with an icon for a Shared Documents folder. (See the following section for a full discussion of how the Shared Documents folder works.)
This low-security configuration is similar to the standard setup on a machine running Windows 95/98/Me. In an environment where all users trust each other completely, it makes collaborating easy. If you and a coworker share a computer, you can each keep your personal files organized in your My Documents folder for convenience; if you need to look at a file that your coworker created, you open his or her My Documents folder. Likewise, at home, you and your spouse can browse each other's files.
But some environments demand less trust and more protection. On a home computer, for example, parents might want to keep financial data and other private files out of the reach of children-not just to ensure privacy, but also to protect the files from accidental changes or deletion. By selecting a check box on the Sharing tab of a folder's Properties dialog box, you can designate as private all or part of your user profile. After you've selected that option, your files are visible only when you log on using your account.
It's certainly easy to make a folder private-all you do is right-click a folder, choose Sharing And Security, and select the Make This Folder Private check box-but this Simple File Sharing option suffers from some significant limitations:
- The Make This Folder Private option is available only within your user profile. If you use a program that stores its user data in any other location, you cannot protect that folder from unauthorized access. Likewise, if you've created a second partition on which you store digital images, media files, or other space-gobbling data, you have no way to protect those files from unauthorized access or accidental deletion.
- Protection applies to all files and subfolders within a folder for which you select this option. You cannot protect an individual file, nor can you single out files or subfolders within a protected folder and make them available to others.
- The private setting is an all-or-nothing proposition. When you select the Make This Folder Private check box, Windows sets permissions on that folder so that you and only you can access files stored in that location. Clear the check box, and any user who logs on to the computer can view the files stored in the folder.
- When Simple File Sharing is enabled and you move or copy files or folders between a private folder and a shared location, the moved or copied objects always take on the security attributes of the destination folder. This behavior changes if you disable Simple File Sharing.
Caution The Make This Folder Private option is ineffective unless you've configured your account with a password. If you neglect this step, any other user can go to the Welcome screen, click your logon name, and gain complete access to your files. If you try to make a folder private on an account that has no password, a dialog box reminds you of this basic fact and offers to help you set a password.
If you want to break through any of these limitations, you can disable the Simple File Sharing interface and use the full complement of Windows 2000-style file permissions. As noted previously, these options are available only if you're running Windows XP Professional, and only on NTFS-formatted drives. To make the switch, open any Windows Explorer window (the My Documents or My Computer window will do) and choose Tools, Folder Options. Click the View tab, scroll to the bottom of the list, and then clear the Use Simple File Sharing (Recommended) check box.
Note You must be a member of the Administrators group to change file sharing options. After you make this change, you'll notice a new Security tab in the properties dialog box for any folder stored on an NTFS drive. For example, the Security settings for a subfolder in the user Nd's My Documents folder. The Allow check boxes are unavailable because these settings are inherited from a higher-level folder.
When you turn off Simple File Sharing, you plunge into a confusing and potentially dangerous set of options. Even expert Windows users struggle with the proper use of NTFS permissions, and if you make a mistake you can make folders and files inaccessible to yourself and other authorized users. Before you decide to forego the Simple File Sharing interface, make sure that you completely understand the consequences.
In this tutorial:
- Securing Files and Folders
- How Setup Decisions Dictate Your Security Options
- Simple File Sharing vs. Advanced Permissions
- How Simple File Sharing Works
- Default Locations for Shared Files
- Keeping Your Own Files Private
- Controlling Access with NTFS Permissions
- Applying Advanced Security Settings
- Entering Group and User Names
- Working with Built-in Users and Groups
- Applying Permissions to Subfolders Through Inheritance
- Testing the Effect of Permissions
- Using Special Permissions
- Setting Permissions from a Command Prompt
- Taking Ownership of Files and Folders
- Troubleshooting Permissions Problems