PROBLEM: Description Of File Sharing And Permissions In Windows XP
(Article: 824)

Resolution

SUMMARY

Windows XP enables you to share files and documents with other users on your computer and with other users on a network. Windows XP Home Edition and Windows XP Professional introduce a new user interface (UI) that is known as Simple File Sharing, and include a new Shared Documents feature.

This article describes the new interfaces that are introduced in Windows XP and how to enable, disable, configure, and troubleshoot file sharing in Windows XP.


MORE INFORMATION

Files on a Windows XP-based computer may be shared among local users of the computer and remote users, with various levels of access. The Simple File Sharing UI is available in a folder's properties and configures both share and NTFS file system permissions. Local users are users who log on to your computer using their own account or a Guest account. Remote users are users who connect to your computer over the network and access files shared on your computer.

Access permissions are configured in Simple File Sharing at the folder level and apply to the folder, all the files in that folder, child folders, all the files in child folders, and so on. Files and folders that are created in or copied to a folder inherit the permissions that are defined on their parent folder.

This article describes the different ways to configure access to your files into distinct levels. The levels defined in this article are not documented in the operating system or Help files. The levels are described in this article for purposes of reference and understanding.

Windows XP allows for five different levels of permissions. Level 1 is the most private and secure setting and Level 5 is the most public and changeable (non-secure) setting. You can configure Levels 1, 2, 4, and 5 by using the Simple File Sharing UI. To do so, right-click the folder, and then click Sharing and Security to open the Simple File Sharing UI. To configure Level 3, copy a file or folder into the Shared Documents folder under My Computer. This configuration is not affected when you enable or disable Simple File Sharing.

Enabling and Disabling Simple File Sharing

Windows XP Home Edition-based computers always have Simple File Sharing enabled. Windows XP Professional-based computers that are joined to a workgroup have the Simple File Sharing UI enabled by default. Windows XP Professional-based computers that are joined to a domain use only the classic file sharing and security interface. When you use the Simple File Sharing UI (located in the folder's properties), both share and file permissions are configured.

If you disable Simple File Sharing, you have more control over the permissions for individual users; however, you must have advanced knowledge of NTFS and share permissions to keep your folders and files secure. If you disable Simple File Sharing, the Shared Documents feature is not turned off.

To turn Simple File Sharing on or off in Windows XP Professional:
  1. Double-click My Computer on the desktop.
  2. On the Tools menu, click Folder Options.
  3. Click the View tab, and then click to select the Use Simple File Sharing (Recommended) check box to enable Simple File Sharing (click to clear this check box to disable this feature).

Levels of Access

  • Level 1: My Documents (Private)
  • Level 2: My Documents (Default)
  • Level 3: Files in shared documents available to local users
  • Level 4: Shared Files on the Network (Readable by Everyone)
  • Level 5: Shared Files on the Network (Readable and Writable by Everyone)
NOTES:
  • Files stored in My Documents are at Level 2 by default.
  • Levels 1, 2, and 3 folders are available only to a user who is logging on locally.
    NOTE: Users who log on locally include a user who logs on to a Windows XP Professional-based computer from a Remote Desktop (RDP) session.
  • Levels 4 and 5 folders are available to users who log on locally and remote users from the network.
The following table describes the permissions:
 Access Level   Everyone (NTFS/File)   Owner          System         Administrators   Everyone (Share)
 Level 1        n/a                    Full Control   Full Control   n/a              n/a
 Level 2        n/a                    Full Control   Full Control   Full Control     n/a
 Level 3        Read                   Full Control   Full Control   Full Control     n/a
 Level 4        Read                   Full Control   Full Control   Full Control     Read
 Level 5        Change                 Full Control   Full Control   Full Control     Full Control

Level 1: My Documents (Private)

The owner of the file or folder has read and write permission to the file or folder. Nobody else may read or write to the folder or the files in it. All subfolders that are contained within a folder that is marked as private remain private unless you change the parent folder permissions.

If you are a Computer Administrator and you create a user password for your account by using the User Accounts Control Panel tool, you are prompted to make your files and folder private.

NOTE: The option to make a folder private (Level 1) is only available to a user account in its own My Documents folder.

To configure a folder and all of the files in it to Level 1:
  1. Right-click the folder, and then click Sharing and Security.
  2. Click to select the Make this Folder Private check box, and then click OK.
Local NTFS Permissions:
  • Owner: Full Control
  • System: Full Control
Network Share Permissions:
  • Not Shared

Level 2 (Default): My Documents (Default)

The owner of the file or folder and local Computer Administrators have read and write permission to the file or folder. Nobody else may read or write to the folder or the files in it. This is the default setting for all of the folders and files in each user's My Documents folder.

To configure a folder and all of the files in it to Level 2:
  1. Right-click the folder, and then click Sharing and Security.
  2. Ensure that both the Make this Folder Private and the Share this folder on the network check boxes are cleared, and then click OK.
Local NTFS Permissions:
  • Owner: Full Control
  • Administrators: Full Control
  • System: Full Control
Network Share Permissions:
  • Not Shared

Level 3: Files in Shared Documents Available to Local Users

Files are shared with users who log on to the computer locally. Local Computer Administrators can read, write, and delete the files in the Shared Documents folder. Restricted Users can only read the files in the Shared Documents folder. In Windows XP Professional, Power Users may also read, write, or delete any files in the Shared Documents Folder. The Power Users group is only available in Windows XP Professional. Remote users cannot access folders or files at Level 3. To allow remote users to access files, you must share them out on the network (Level 4 or 5).

To configure a file or a folder and all of the files in it to Level 3, start Microsoft Windows Explorer, and then copy or move the file or folder to the Shared Documents folder under My Computer.

Local NTFS Permissions:
  • Owner: Full Control
  • Administrators: Full Control
  • Power Users: Change
  • Restricted Users: Read
  • System: Full Control
Network Share Permissions:
  • Not Shared

Level 4: Shared on the Network (Read Only)

Files are shared for everyone to read on the network. All local users, including the Guest account, can read the files, but they cannot modify the contents. Any user that can connect to your computer on the network is able to read and change your files.

To configure a folder and all of the files in it to Level 4:
  1. Right-click the folder, and then click Sharing and Security.
  2. Click to select the Share this folder on the network check box.
  3. Click to clear the Allow network users to change my files check box, and then click OK.

Local NTFS Permissions:

  • Owner: Full Control
  • Administrators: Full Control
  • System: Full Control
  • Everyone: Read
Network Share Permissions:
  • Everyone: Read

Level 5: Shared on the Network (Read and Write)

This level is the most available and least secure of all access levels. Any user (local or remote) can read, write, change, or delete a file in a folder shared at this access level. This level is recommended only for a closed protected network that has a firewall configured. All local users, including the Guest account, can read and modify the files as well.

To configure a folder and all of the files in it to Level 5:
  1. Right-click the folder, and then click Sharing and Security.
  2. Click to select the Share this folder on the network check box, and then click OK.
Local NTFS Permissions:
  • Owner: Full Control
  • Administrators: Full Control
  • System: Full Control
  • Everyone: Change
Network Share Permissions:
  • Everyone: Full Control
NOTE: All NTFS permissions that refer to Everyone include the Guest account.

All of the levels that are described in this article are mutually exclusive. Private folders (Level 1) cannot be shared unless they are no longer private. Shared folders (Level 4 and 5) cannot be made private until they are unshared.

If you create a folder in the Shared Documents folder (Level 3), share it on the network, and then allow network users to change your files (Level 5), the permissions for Level 5 are effective for the folder, the files in that folder, child folders, and so on. The other files and folders in the Shared Documents folder remain configured at Level 3.

NOTE: The only exception is if you have a folder (SampleSubFolder) shared at Level 4 inside of a folder (SampleFolder) shared at Level 5. Remote users have the correct access level to each of the shared folders. Locally logged on users have writable (Level 5) permissions to both the parent (SampleFolder) and child (SampleSubFolder) folders.

Guidelines

It is recommended that you share on the network only the folders within your user profile that remote users on other computers need to access. It is not recommended to share the root of your system drive. When you do so, your computer is more vulnerable to malicious remote users. You are presented with a warning dialog box before you are allowed to proceed. Only Computer Administrators are to share the root of the drive.

Files on a read-only device such as a CD-ROM shared at Level 4 or 5 are only available if the CD-ROM is in the CD-ROM drive. Any CD-ROM that is in the CD-ROM drive is available to all users on the network.

A file's permissions may differ from those of the containing folder if one of the following conditions exists:
  • You use the move command from a command prompt to move a file into the folder from a folder on the same drive with different permissions.
  • You use a script to move the file into the folder from a folder on the same drive that has different permissions.
  • You run Cacls.exe from a command prompt or a script to change file permissions.
  • Files existed on the hard disk previous to installing Windows XP.
  • You changed a file's permissions while Simple File Sharing was disabled on Windows XP Professional.
Advanced users: Note that NTFS permissions are not maintained on file move operations when you use Windows Explorer with Simple File Sharing enabled.

If you enable and disable Simple File Sharing, the permissions on files are not changed. The NTFS and share permissions do not change until you change the permissions in the interface. If you set the permissions with Simple File Sharing enabled, only Access Control Entries (ACEs) on files that are used for Simple File Sharing are affected. The following ACEs in the Access Control List (ACL) of the files or folders are affected by the Simple File Sharing interface:
  • Owner
  • Administrators
  • Everyone
  • System

Troubleshooting File Sharing in Windows XP

Expected Upgrade Behavior

A Windows 2000 Professional-based computer that is joined to a domain or workgroup that is upgraded to Windows XP Professional maintains its domain or workgroup membership respectively and has the classic file sharing and security UI enabled. NTFS and share permissions are not changed with the upgrade.

A Windows NT Workstation-based computer that is joined to a domain or workgroup that is upgraded to Windows XP Professional maintains its domain or workgroup membership respectively and has the classic file sharing and security UI enabled. NTFS and share permissions do not change with the upgrade.

A Windows 98, Windows 98 Second Edition, or Windows Millennium Edition (Me)-based computer that has "per share" sharing permissions that is upgraded to Windows XP always has Simple File Sharing enabled by default. Shares that have passwords assigned to them are removed, and shares that have blank passwords remain shared after the upgrade.

A Windows 98, Windows 98 Second Edition, or Windows Me-based computer that is logged on to a domain that has share level access enabled that is upgraded to Windows XP Professional and joins the domain during Setup starts with Simple File Sharing disabled. A Windows 98, Windows 98 Second Edition, or Windows Me-based computer that is upgraded to Windows XP Home has Simple File Sharing enabled by default.

Known Issues

For remote users to be able to access files from the network (Levels 4 and 5), the Internet Connection Firewall (ICF) must be disabled on the network interface through which the remote users connect.

When Simple File Sharing is enabled, remote administration and remote registry editing do not work as expected from a remote computer because all remote users authenticate as Guest, which has no administrative privileges.

When Simple File Sharing is enabled, ACEs that you configure for specific users do not affect remote users, because all remote users authenticate as Guest.

Remote users may receive an "Access Denied" message on a share to which they have previously connected successfully after the hard disk is converted to NTFS. This behavior occurs on Windows XP-based computers that have Simple File Sharing enabled and that were upgraded from Windows 98, Windows 98 Second Edition, or Windows Me. It occurs because the default permissions of a hard disk that is converted to NTFS do not contain the Everyone group, which is required for remote users that are using the Guest account to access the files. To correct this behavior, unshare and reshare the affected folders. The permissions are reset and users can connect again.
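
The permissions table and the Guest-related issues above can be worked through with a small model. This is an added example, not part of the original article or of Windows: it handles allow entries only, takes the level ACLs from the table, and the account name alice and the converted-volume ACL are constructed for illustration.

```python
# Added illustration: a simplified model of the article's table, not Windows' access check.
# Only "allow" ACEs are modelled; deny ACEs and group nesting are ignored (assumption).
RANK = {"None": 0, "Read": 1, "Change": 2, "Full Control": 3}
FC = "Full Control"

# level -> (NTFS ACL, share ACL); a share ACL of None means "Not Shared".
LEVELS = {
    1: ({"Owner": FC, "System": FC}, None),
    2: ({"Owner": FC, "System": FC, "Administrators": FC}, None),
    3: ({"Owner": FC, "System": FC, "Administrators": FC, "Everyone": "Read"}, None),
    4: ({"Owner": FC, "System": FC, "Administrators": FC, "Everyone": "Read"},
        {"Everyone": "Read"}),
    5: ({"Owner": FC, "System": FC, "Administrators": FC, "Everyone": "Change"},
        {"Everyone": FC}),
}

# With Simple File Sharing every remote user is Guest, which Everyone includes.
REMOTE_PRINCIPALS = {"Guest", "Everyone"}


def best(acl, principals):
    """Highest permission the ACL grants to any of the caller's principals."""
    return max((acl.get(p, "None") for p in principals), key=RANK.get)


def local_access(ntfs_acl, principals):
    """Local logons are checked against NTFS permissions only."""
    return best(ntfs_acl, principals)


def remote_access(ntfs_acl, share_acl):
    """Network access is the more restrictive of the share and NTFS permissions."""
    if share_acl is None:
        return "None"
    return min(best(share_acl, REMOTE_PRINCIPALS),
               best(ntfs_acl, REMOTE_PRINCIPALS), key=RANK.get)


def report():
    """Effective remote access for each level in the table."""
    return {lvl: remote_access(ntfs, share) for lvl, (ntfs, share) in LEVELS.items()}


if __name__ == "__main__":
    print(report())
    # A per-user ACE (constructed account "alice") does not change remote access.
    print(remote_access(dict(LEVELS[4][0], alice=FC), LEVELS[4][1]))
    # Converted-to-NTFS volume (constructed ACL without Everyone): access denied.
    print(remote_access({"Administrators": FC, "System": FC}, {"Everyone": "Read"}))
```

In this model a Level 5 share gives remote users Change rather than Full Control, because the NTFS entry for Everyone is the more restrictive of the two.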

Behavior That Is Affected When Simple File Sharing Is Enabled

  • The Simple File Sharing UI in the properties of a folder configures both share and file permissions.
  • Remote users always authenticate as the Guest account.
  • Windows Explorer does not retain permissions on files moved within the same NTFS drive. The permissions are always inherited from the parent folder.
  • On Windows XP Professional-based computers that have Simple File Sharing enabled and Windows XP Home Edition-based computers, the Shared Folders (Fsmgmt.msc) and Computer Management (Compmgmt.msc) tools reflect a simpler sharing and security UI.
  • In the Computer Management and Shared Folders consoles, the New File Share command is unavailable when you right-click the Shares icon. Also, if you right-click any listed share, the Properties and Stop Share commands are unavailable.

Behavior That Is Not a Result of Enabling Simple File Sharing

  • In Windows XP Home Edition, the Computer Management snap-in does not display the Local Users and Groups node. The Local Users and Groups snap-in cannot be added to a custom snap-in. This behavior is a limitation of Windows XP Home Edition, and not a result of Simple File Sharing.
  • If you turn off the Guest account in the User Accounts control panel tool, only the guest's ability to log on locally is affected. The account itself is not disabled.
  • Remote users cannot authenticate using an account with a blank password. This authentication is configured separately.
  • Windows XP Home Edition cannot join a domain; it can only be configured as a member of a workgroup.


Published: 10/4/2001
Last Updated: 4/19/2007
Article Type: PROBLEM