IT Baseline Protection Manual S 2.94 Sharing of directories under Windows NT

S 2.94 Sharing of directories under Windows NT

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

Under Windows NT there is a distinction between various levels of access control to resources. There are access rights at the share level and at the directory and file level (known as NTFS permissions). The access rights at the directory and file level are only available on data media with an NTFS file system, and are dealt with in detail in S 4.53 Restrictive allocation of access rights to files and directories under Windows NT.

Sharing directories on servers is necessary in order to enable users to obtain access to the resources via the network. Network access to a directory is not possible unless a share is created in the appropriate way. This is the case even if corresponding NTFS permissions have been granted.

It is possible to share directories on all computers running under the Windows NT operating system, i.e. both on domain controllers and on servers and workstations (clients). Usually, however, directories should only be shared on domain controllers and servers. The sharing of directories or sharing of individual drives on workstations (clients) is implemented as part of peer-to-peer functionality (see S 5.37 Restricting peer-to-peer functions when using WfW, Windows 95 or Windows NT in a server-supported network) and should remain very much the exception, because it is liable to lead to the creation of unclear rights structures and even in some cases to undermining of the general security specifications.

A directory can be shared in several ways under Windows NT: with Windows NT Explorer, via the "My Computer" desktop icon or with the "NET SHARE" command. The process of sharing a directory is also referred to as creating a share.

In Windows NT Explorer and in "My Computer", a directory is shared on the "Sharing" tab, which is reached via the "Properties" entry of the directory's context menu. The share is created by selecting "Shared As". A share name of at most 12 characters should then be entered (Windows NT warns that longer names cannot be reached from MS-DOS clients); by default, Windows NT proposes the name of the directory as the share name. To help with administration, a short, succinct description of the share can be entered in the "Comment" box. The number of users who are allowed to access the share at the same time can be set under "User Limit". The default setting, "Maximum Allowed", means that the number is not limited, and it should be retained. This setting is only of limited use for licence control, because only the number of clients currently connected to the share is counted. Users who are to be able to access the share via the network must be granted an appropriate share permission. This is done in the access control list which the system opens after the "Permissions" button is selected. In Windows NT Explorer and in "My Computer", a shared directory is marked with a hand beneath its icon.

From the command line, "NET SHARE sharename=drive:path" creates a share, "NET SHARE sharename /DELETE" removes it again, and "NET SHARE" without arguments lists the shares on the computer. NET SHARE does not assign share permissions on Windows NT; these must be set in the "Permissions" dialog.

Only members of the "Administrators" and "Server Operators" groups on domain controllers or members of the "Administrators" and "Power Users" groups on Windows NT workstations and member servers have the right to share directories and to manage share permissions.

The following share permissions are available under Windows NT: "No Access", "Read", "Change" and "Full Access" (the last is labelled "Full Control" in the English Windows NT user interface). The actions which the various share permissions allow are shown in the table below:

Shares can only be defined for directories, not for individual files. Share permissions apply only to accesses made via the network; they are of no significance to users who work locally on the computer on which a directory has been shared. Furthermore, share permissions apply uniformly to all files and subdirectories beneath a shared directory. A subdirectory within a shared directory can itself be shared, with different share permissions, but this is a new and independent share and has the following consequence: when a user connects to the parent share, the share permissions specified for that share apply to that user for all files and subdirectories beneath it, and a separate share on one of the subdirectories does not change this in any way. Only if the user connects directly to the subdirectory's share do the share permissions set for that share apply.

Example: Let us assume the directory structure D:\DEPARTMENT\SECTION. One share is set up on the DEPARTMENT directory with "Full Access" permission and another share on the SECTION subdirectory with "Read" permission. If a user connects to the DEPARTMENT share, he can read, write to and delete (among other things) files in D:\DEPARTMENT and also files in the D:\DEPARTMENT\SECTION subdirectory. If, however, the user connects directly to the SECTION share, he can only read the files and subdirectories in D:\DEPARTMENT\SECTION. If restrictions on a subdirectory are required, as in this example, they cannot be achieved by means of share permissions but only with the aid of NTFS permissions (see S 4.53 Restrictive allocation of access rights to files and directories under Windows NT).

When a directory located on an NTFS data medium is shared, the NTFS permissions of that directory and of the files and subdirectories it contains apply in addition to the share permission. In each case the more restrictive permission is the one that takes effect. If, for example, a user holds the "Read" share permission for the shared directory but only the "Display" NTFS permission (labelled "List" in the English Windows NT user interface) for the same directory, his access is restricted to "Display". NTFS permissions therefore also make it possible to assign access rights individually to files and subdirectories (for details see S 4.53).

Share permissions obtained by belonging to groups are cumulative; this means that if a user is a member of various groups to which different share permissions have been granted in relation to a particular directory, the furthest-ranging permission applies for that user. There is an exception to this rule, however: the "No Access" share permission is dominant over all other share permissions.

Example: Let us assume that D:\RESULTS is shared. User Smith is a member of group A and of group B. Group A is assigned "Read" permission and group B "Full Access" permission to the above shared directory. In this case the "Full Access" permission is the decisive permission for user Smith. If user Smith is now also made a member of group C, for which the "No Access" share permission has been assigned for the shared directory D:\RESULTS, user Smith is denied access to this directory via the network. If this is not the desired effect, all the administrator can do is check which groups have been assigned the "No Access" share permission to the resource and find out to which of these groups the user concerned belongs. The user must then be removed from the relevant group.

Furthermore, it should be noted that Windows NT always shares the root directory of every disk drive, together with the Windows directory %SystemRoot% (generally C:\WINNT), for administrative access. The permissions on these special shares cannot be changed and are restricted to the "Administrators" group. These shares are not directly visible, because their share names end in a dollar sign: the drive letter followed by "$", for example "C$", and "ADMIN$" for the Windows directory.

As a result there is a danger that

If this feature for facilitating workstation management is required, a decision must be made as to whether administrators should use the same administrator password on all workstations under their jurisdiction. A single password is easier to remember but, once compromised, allows an intruder to access all of these workstations.

If this access capability is not required, e.g. because administrators are not supposed to be able to access local user data, the user right "Access this computer from network" should be withdrawn from the "Administrators" group in User Manager under Policies - User Rights. Note that this right is needed for every network connection to the computer, so withdrawing it from administrators also prevents remote administration of the workstation via the administrative shares.

By default, Windows NT assigns the "Full Access" share permission for the "Everyone" group every time a share is created. In particular for directories located on data media without the NTFS file system, this is unacceptable, because in this case apart from the share permissions there are no other means of assigning rights and hence of access control. The "Everyone" group therefore has to be removed from the access control list and replaced by the groups and if appropriate individual users who are intended to have access to the shared directory. Corresponding share permissions should then also be assigned.

Even where directories are located on NTFS data media, the "Everyone" group should be removed from the access control list when a share is created. In this case it is conceivable to add the "Users" group instead with the "Full Access" share permission. The individual assignment of access rights to the directory and to the files and subdirectories it contains is then carried out at the level of NTFS permissions (see S 4.53).
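The following Python model is an added example and not part of the BSI text. It reproduces the rules stated above (the D:\DEPARTMENT\SECTION example, the "Read" share versus "Display" NTFS case, the cumulative group permissions on D:\RESULTS with "No Access" dominating) and adds the check for shares that still carry the default "Everyone" entry. The group names "Group A", "Group B", "Group C", the user "Smith", the ARCHIVE subdirectory, the FAT volume E: and the rule that an NTFS ACL on a directory covers everything below it until a deeper directory has its own ACL are assumptions made for the example.

```python
"""Model of how Windows NT combines share permissions and NTFS permissions.

Added example, not code from the BSI manual. It implements only the rules the
text states: share permissions of several groups accumulate, "No Access"
overrides them all, the permissions of the share a user is connected to apply
to everything beneath it even if a subdirectory is shared separately, and on
NTFS the more restrictive of share and NTFS permission wins. The same
accumulation rule is assumed for NTFS entries (NTFS itself is covered by
S 4.53). All names, paths and ACLs are constructed for the example.
"""

# Permission levels, most restrictive first. The English NT interface labels
# "Full Access" as "Full Control" and "Display" as "List".
LEVELS = ("No Access", "List", "Read", "Change", "Full Access")
RANK = {level: i for i, level in enumerate(LEVELS)}


def resolve_acl(principals, acl):
    """Combine the entries matching the user or his groups; None if none match."""
    granted = [acl[p] for p in principals if p in acl]
    if not granted:
        return None
    if "No Access" in granted:                  # "No Access" dominates the rest
        return "No Access"
    return max(granted, key=RANK.__getitem__)   # otherwise the permissions accumulate


def _under(path, root):
    """True if path is root itself or lies beneath root (case-insensitive)."""
    p, r = path.upper().rstrip("\\"), root.upper().rstrip("\\")
    return p == r or p.startswith(r + "\\")


def ntfs_acl_for(path, ntfs_acls):
    """ACL of the deepest directory that has one and contains path, else None.
    Assumption: a directory's NTFS ACL covers everything below it until a
    deeper directory carries its own."""
    roots = [r for r in ntfs_acls if _under(path, r)]
    return ntfs_acls[max(roots, key=len)] if roots else None


def effective_access(principals, share_name, target_path, shares, ntfs_acls, ntfs_volumes):
    """Permission a network user has on target_path when connected to share_name.

    principals: user name, all group names and "Everyone"; shares: {name:
    (shared_directory, share_acl)}; ntfs_acls: {directory: acl};
    ntfs_volumes: drive letters such as {"D:"} that are formatted with NTFS.
    """
    shared_dir, share_acl = shares[share_name]
    if not _under(target_path, shared_dir):
        raise ValueError(f"{target_path} is not reachable through share {share_name}")
    # Only the share actually connected to counts; a further share defined on
    # one of its subdirectories changes nothing for this connection.
    share_perm = resolve_acl(principals, share_acl) or "No Access"
    if target_path[:2].upper() not in ntfs_volumes:
        return share_perm                       # FAT: the share permission is all there is
    acl = ntfs_acl_for(target_path, ntfs_acls)
    # No explicit ACL known: assume unrestricted (a fresh NT volume grants
    # Everyone Full Control); otherwise no matching entry means no access.
    ntfs_perm = "Full Access" if acl is None else (resolve_acl(principals, acl) or "No Access")
    return min(share_perm, ntfs_perm, key=RANK.__getitem__)   # most restrictive wins


def audit_shares(shares):
    """Names of shares still carrying the default "Everyone" entry."""
    return sorted(name for name, (_d, acl) in shares.items() if "Everyone" in acl)


# Constructed data mirroring the scenarios in the text; E: is a FAT volume.
SHARES = {
    "DEPARTMENT": (r"D:\DEPARTMENT", {"Users": "Full Access"}),
    "SECTION": (r"D:\DEPARTMENT\SECTION", {"Users": "Read"}),
    "RESULTS": (r"D:\RESULTS", {"Group A": "Read", "Group B": "Full Access"}),
    "SCRATCH": (r"E:\SCRATCH", {"Everyone": "Full Access"}),   # NT default left in place
}
NTFS_ACLS = {
    r"D:\DEPARTMENT": {"Users": "Full Access"},
    r"D:\DEPARTMENT\SECTION\ARCHIVE": {"Users": "List"},   # "Display" in the text
    r"D:\RESULTS": {"Users": "Full Access"},
}
NTFS_VOLUMES = {"D:"}


def demo():
    """Run the text's examples and return the outcomes keyed by scenario."""
    smith = {"Smith", "Users", "Everyone", "Group A", "Group B"}

    def access(who, share, path, shares=SHARES):
        return effective_access(who, share, path, shares, NTFS_ACLS, NTFS_VOLUMES)

    with_c = dict(SHARES)    # same shares, but Group C given "No Access" on RESULTS
    with_c["RESULTS"] = (r"D:\RESULTS", {**SHARES["RESULTS"][1], "Group C": "No Access"})
    return {
        "SECTION via DEPARTMENT share": access(smith, "DEPARTMENT", r"D:\DEPARTMENT\SECTION"),
        "SECTION via SECTION share": access(smith, "SECTION", r"D:\DEPARTMENT\SECTION"),
        "ARCHIVE via DEPARTMENT share": access(smith, "DEPARTMENT", r"D:\DEPARTMENT\SECTION\ARCHIVE"),
        "RESULTS, member of A and B": access(smith, "RESULTS", r"D:\RESULTS"),
        "RESULTS, also member of C": access(smith | {"Group C"}, "RESULTS", r"D:\RESULTS", with_c),
        "shares still open to Everyone": audit_shares(SHARES),
    }
```

Calling demo() yields "Full Access" for SECTION reached through the DEPARTMENT share but "Read" through the SECTION share, "List" for the ARCHIVE subdirectory because the NTFS entry is the more restrictive one, "Full Access" for Smith on RESULTS as a member of groups A and B, "No Access" once he is also in group C, and SCRATCH as the share still open to "Everyone". The same functions can be fed the share and NTFS ACLs of a real server to check an intended rights structure before it is rolled out.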

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999