Securing Shared Files and Printers with Security Permissions

The primary purpose for implementing a network is to allow users to share resources. For example, users on one PC might want to access the contents of a folder or use a printer on another system. Although sharing a folder or printer on a system running any Windows version from 95 forward is a relatively simple proposition, ensuring that the resource is properly secured in a more critical consideration. In a nutshell, the default permissions assigned to shared resources on a Windows system are inherently insecure, and should almost always be changed.

Futhermore, it’s important to keep in mind that shared folder permissions only apply to users connecting to that resource over the network – these permissions do not apply to local users.
Sharing a folder on a Windows system provides a great example of what we mean here. If you were to share a folder named Files on a Windows 98 system, the default permission that is applied to the folder is “Read-Only” to a group known as “The World”. As this group name suggests, this permission will allow any and all users to access the shared folder will Read-Only access. This may not seem like a terrible situation, since Read-Only access would not allow connecting users to make changes to your files. However, it will allow them to open and read files, as well as copy those files to different locations, where they can ultimately do with them what they please. Because the possible shared folder permissions that can be configured on a Windows 98 are limited, storing resources in a shared folder on a Windows 2000 or XP system is generally your best option, as you’ll learn shortly. Barring that, however, be sure to configure passwords for shared folders on Windows 9X/ME systems if the folder contains any data that you consider to be critical or private in nature.

If you’re sharing a folder from a Windows 2000 or Windows XP Professional system (with Simple File Sharing disabled), then you’ll also need to carefully consider the permissions you assign. When a folder is shared from a Windows 2000 system, the default permission grant a group known as “Everyone” full control over the contents of the folder. This permission would ultimately allow any user to do as they pleased with the contents of the folder. The default permission for a new shared folder in Windows XP Professional is a little more secure, granting the Everyone group Read access only, though this makes the folder subject to the same issues looked at in the Windows 98 section. For a higher degree of security, consider removing the Everyone group when configuring shared folder permissions on these operating systems, and grant permissions to an authenticated group (like Users) instead.

It may not seem necessary, but another area that you should also consider is the security of your printers. On a Windows XP or Windows 2000 Professional system, the properties of a printer includes a Security tab, which by default allows the Everyone group the ability to Print documents. Unfortunately, this setting allows anyone to print to the printer. For a higher degree of security, you can use the Security tab to control which printers a user is allowed to print to, or whether they have the ability to change printer settings. This can be useful when you want to avoid having certain users misuse an expensive colour printer, for example.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.