File and Sharing permissions in Server 2012


If you don’t understand the difference between file permissions and sharing permissions, you can easily compromise the security of your machines and of the company. Understanding file and sharing permissions is one of those things that may look difficult at first, but once you get it, it’s really easy.

But why is this important? If you make a mistake while giving permissions to a file, even normal employees can view and edit confidential and sensitive data. If you don’t set share permissions correctly, users might not see your shared folder anywhere on the network, or unauthorized users might be able to view and edit those folders. To secure your server and company, you need to understand both file and sharing permissions and set them properly. As mentioned above, it will look difficult and you might need some extra time to understand it, but you can always read this and try it yourself. Permissions are one of those things you can’t understand just by reading. You need to do it yourself and play with it, and you’ll end up enjoying it.

To understand this better, let’s take a situation. We have two groups, ‘Current Employees’ and ‘Resigned Employees’.
Along with these we have two users: User 1 Current, who is in the ‘Current Employees’ group, and User 2 Resigned, who belongs to the ‘Resigned Employees’ group.
We have a folder named ‘Shared’ on the server which has two sub-folders named ‘Current’ and ‘Resigned’.
User 1 Current is still an employee, so he has permission to read and write in both these sub-folders.
However, User 2 Resigned has already put in his resignation. Since he is not a current employee, he shouldn’t have any access to the ‘Current’ folder. He should only view and edit the folder that concerns him, i.e. the ‘Resigned’ folder in Shared. So let’s see how we will assign permissions and sharing options in this situation.

  1. Create two groups, ‘Current Employees’ and ‘Resigned Employees’.
    Create two users, ‘User 1 Current’ and ‘User 2 Resigned’, and add them to the ‘Current Employees’ and ‘Resigned Employees’ groups respectively.
    If you are having problems, refer to: (Adding new users and Administering users and groups)

    Create two groups, two employees and assign them to groups.


  2. Create a new folder named ‘Shared’ on the server. Create two folders named ‘Current’ and ‘Resigned’ inside the ‘Shared’ folder.

    Create folder Shared and the Current and Resigned subfolders

  3. We want to share this folder so that other users can reach it over the network. By default the folder is not shared, so we need to change some settings to share it. Right-click on the ‘Shared’ folder and click on Properties.

    Right-click --> Properties

  4. Under the ‘Sharing’ tab you can see ‘not shared’ written there. Click on ‘Share’ to edit this setting.

    Go to the Sharing tab. Click on Share

  5. In the small text box, write ‘everyone’ and click on Add. We want everyone to access this folder. More on this at the end.

    Enter everyone

  6. By default ‘everyone’ will take only ‘Read’ permission. Click on the down arrow, select ‘Read/Write’ and click on Share.

    Assign read-write permission to everyone


  7. Your folder is now shared and available for every user on the network. You can see the folder’s location below its name.

    Note down the shared path

  8. We now need to assign permissions on each sub-folder (Current and Resigned). Right-click on the ‘Current’ folder and click on Properties.

    Shared --> Current --> Properties

  9. Navigate to the ‘Security’ tab and click on ‘Edit’.

    Click on Edit

  10. You can see the default permissions set for this folder. Click on Add.

    Click on Add

  11. Since we need all the current employees to access this folder, enter ‘current’ in the text box and click on ‘Check Names’.

    Enter current & click on Check Names

    It will load the ‘Current Employees’ group. Click on Ok.

    Click on Ok

  12. You can now see ‘Current Employees’ in the ‘Group or user names’ box. Check the ‘Full control’ check box under ‘Allow’ to give full access to the members of this group.

    Give full control to current employees

  13. But this folder is shared, so even employees who have resigned can read and write in it (Step 6).
    We want to deny ‘Resigned Employees’ access to this folder, so we need to add ‘Resigned Employees’ too. Click on Add.

    Click on Add

  14. Enter ‘resigned’ and click on ‘Check Names’.

    Enter resign and click on Check Names

    It will load the ‘Resigned Employees’ group. Click on Ok.

    Click on Add

  15. Select the ‘Full control’ check box under ‘Deny’ to deny this group all access to this folder.

    Deny permission

    It will give a warning which says that if, say, User A is in 2 groups, one with ‘allow’ and one with ‘deny’ access, access will be denied to User A.

    Warning. Click on Ok


Now we are done with assigning NTFS permissions and sharing permissions on the folder. Let’s check whether these permissions work.

  1. Sign in with ‘User 1 Current’.

    Sign in with User 1 Current


  2. Go to Start.

    Start

  3. Enter ‘\\YourServerName’ (‘\\VIshuServer’ in this case). You can also enter this in Run.

    Search for \\Servername

  4. Open the ‘Shared’ folder. You can now see both the ‘Current’ and the ‘Resigned’ folder.
    User 1 Current can see the Resigned folder because we didn’t assign it any permissions, so it inherited the permission given to the ‘Shared’ folder, which was that everyone can read and write.

    You can view both folders

  5. Try to write in the ‘Current’ folder.

    Try to write into Current folder

  6. Sign out and sign in with ‘User 2 Resigned’.

    Sign in as User 2 Resigned

  7. Go to Start.

    Go to Start

  8. Enter the location of the shared folder.

    Search for Shared folder location

  9. Since ‘Resigned Employees’ don’t have permission for the ‘Current’ folder and ‘User 2 Resigned’ is a part of that group, he cannot see the ‘Current’ folder. But he can access the ‘Resigned’ folder.

    Current folder not visible to Resigned user

Note: In sharing options, always allow everyone to read/write on the folder, and then control access using the file permissions for each group. This is because in Sharing we could make the folder shared only for Current Employees, but then Resigned Employees would not be able to view the folder at all, and so could not even view the Resigned folder. So it’s better to assign sharing permissions to everyone and control access with the file permissions.
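
The GUI procedure above, scripted in PowerShell as an added example (not part of the original article). It assumes the two groups from step 1 already exist as local groups on the server and that the folder lives at C:\Shared, a path the article does not give. The last commands list the share and NTFS entries so the result can be checked without signing in as each user.

```powershell
# Added example. Run in an elevated PowerShell session on the server.
# Assumptions: C:\Shared is a placeholder path; 'Current Employees' and
# 'Resigned Employees' are existing local groups (prefix DOMAIN\ for domain groups).
$root = 'C:\Shared'

# Step 2: the parent folder and its two sub-folders.
New-Item -ItemType Directory -Path "$root\Current", "$root\Resigned" -Force | Out-Null

# Steps 3-7: share the parent folder. 'Change' is the share-level right that
# allows both read and write, matching Read/Write for Everyone in step 6.
New-SmbShare -Name 'Shared' -Path $root -ChangeAccess 'Everyone' | Out-Null

# Steps 8-15: explicit NTFS entries on the 'Current' sub-folder only.
# The entries apply to the folder, its sub-folders and its files.
$entries = @(
    @{ Group = 'Current Employees';  Type = 'Allow' },
    @{ Group = 'Resigned Employees'; Type = 'Deny'  }
)
$acl = Get-Acl -Path "$root\Current"
foreach ($entry in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $entry.Group, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', $entry.Type
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "$root\Current" -AclObject $acl

# Check 1: share permissions (expect Everyone / Allow / Change).
Get-SmbShareAccess -Name 'Shared' |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# Check 2: NTFS entries per sub-folder. 'Current' should show the explicit
# Deny for 'Resigned Employees' (IsInherited = False); 'Resigned' should show
# only inherited entries, which is why both users can still open it.
foreach ($dir in 'Current', 'Resigned') {
    (Get-Acl -Path "$root\$dir").Access |
        Select-Object @{ n = 'Folder'; e = { $dir } }, IdentityReference,
                      AccessControlType, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}
```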
