Shares can be created via Explorer or the Computer Management console. In a Windows 2000 domain, Administrators and Server Operators can create shares on every machine. On stand-alone servers and Windows Professional/XP machines, Power Users can also create shares. The Computer Management console lets you track the users connected to shares and the files they use.
Shared folder permissions can be used to secure files on FAT, FAT32 and NTFS file systems that are accessed via the network. They do not restrict access for users locally accessing a computer.
The default share permissions when a folder is shared are Everyone Full Control.
Three types of permissions can be set:
- Read. Display folder and file names, file data and attributes. Run programs and change folders within the shared folder.
- Change. Create folders and files. Change folders and files, including file attributes. Delete files and folders. Includes all Read permissions.
- Full Control. All Change permissions, plus change file permissions and take ownership.
The user limit sets the maximum number of users that can connect to a share. On a Windows 2000 Professional client this is 10. The maximum on a server depends on the number of CALs.
You can prevent users from creating shares by giving them only Read access on the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Shares
A share name on Windows 2000 can be up to 80 characters. This length is supported by Windows 2000/NT/98 and 95, but keep in mind that MS-DOS or Windows 3.x clients can only connect to a share name with 8.3 characters. This short share name is automatically created when adding a share.
Share information is stored in: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Shares
When you copy or move a shared folder, the new folder is not shared.
If a folder is stored on NTFS, the user creating the share needs at least Read permission on the folder.
Administrative shares :
- C$, D$, etc. The root of each volume is shared with Full Control permissions for administrators.
- Admin$. The system folder, by default c:\winnt. Only administrators have Full Control permissions.
- IPC$. A resource sharing the named pipes that are essential for interprocess communication between programs using named pipes. Used during remote administration of a computer and when viewing a computer's shared resources.
- NETLOGON. A resource used by the Net Logon service on domain controllers for processing domain logon requests. This resource is provided only for Windows NT Server, not for Windows NT Workstation.
- REPL$. A resource created by the system when a Windows NT Server computer is configured as a replication export server. Required for export replication.
- Print$. This share exposes the systemroot\System32\Spool\Drivers folder to Administrators, Server Operators and Print Operators (Full Control). The Everyone group has Read permissions. This share is activated the first time a printer is installed.
- FAX$. This share is used to store cover sheets and documents that need to be faxed by a server with a fax installed.
You can remove administrative shares via the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
On a server, set the value of AutoShareServer to 0; on a Professional installation, set the value of AutoShareWks to 0. If the value does not exist, select Edit - New and add the value as DWORD. After the next reboot, the administrative shares will not be created.
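An added example, not part of the original page: a PowerShell audit of the two registry locations described above, reporting whether the AutoShare values disable the administrative shares and listing the shares recorded under the Shares key. It assumes PowerShell 3.0 or later on a current Windows host and that each share is stored as a REG_MULTI_SZ of "Key=Value" strings; the function names and the sample entry are constructed for illustration.

```powershell
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer'

function Get-AutoShareState {
    # A value that is absent or non-zero leaves the administrative shares
    # (C$, ADMIN$, ...) enabled at the next boot. Only the value matching
    # the installation type (server or workstation) is relevant.
    param([string]$ParametersPath = "$base\Parameters")
    $p = Get-ItemProperty -Path $ParametersPath -ErrorAction SilentlyContinue
    foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        $value = $null
        if ($p -and $null -ne $p.$name) { $value = $p.$name }
        [pscustomobject]@{
            Value       = $name
            Data        = $(if ($null -eq $value) { '(not set)' } else { $value })
            AdminShares = $(if ($value -eq 0) { 'disabled' } else { 'enabled' })
        }
    }
}

function ConvertFrom-ShareEntry {
    # Turns one share's "Key=Value" strings into an object (assumed layout).
    param([string]$Name, [string[]]$Entry)
    $fields = @{}
    foreach ($line in $Entry) {
        $k, $v = $line -split '=', 2
        $fields[$k] = $v
    }
    [pscustomobject]@{
        Share   = $Name
        Path    = $fields['Path']
        Hidden  = $Name.EndsWith('$')   # trailing $ hides the share from browsing
        MaxUses = $fields['MaxUses']    # the user limit set on the share
    }
}

function Get-RegistryShare {
    # Reads every value under the Shares key on the local machine.
    param([string]$SharesPath = "$base\Shares")
    $key = Get-Item -Path $SharesPath -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        ConvertFrom-ShareEntry -Name $name -Entry $key.GetValue($name)
    }
}

# Constructed sample entry, so the parser can be tried away from a live host.
$sample = 'MaxUses=10', 'Path=C:\Data\Payroll', 'Permissions=0', 'Remark=', 'Type=0'
ConvertFrom-ShareEntry -Name 'Payroll$' -Entry $sample

# Live audit, only where the registry key exists.
if (Test-Path "$base\Shares") { Get-AutoShareState; Get-RegistryShare }
```

The administrative shares themselves are created by the system at startup, so they do not appear in the Get-RegistryShare output; their state is what Get-AutoShareState reports.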
Users running the NT Server 4.0 Resource Kit utility Netwatch.exe are able to see hidden shares without administrative privileges.
You can publish and access a share via Active directory by following these steps (by default shares are not published in Active Directory) :
The created share will be visible in Windows Explorer under My Network Places, Entire Network, Directory, Domain. To remove the new share, simply right-click the shared folder in the Active Directory Users and Computers snap-in, and select Delete.
Windows 2000 requires that NetBIOS over TCP/IP is enabled to view a file share on a computer that is running Windows 95/Windows 98. Otherwise the following error will occur when connecting to a Windows 95/98 machine: "System error 51 has occurred. The remote computer is not available." If the Windows 2000 machine does not have NetBIOS over TCP/IP enabled, Windows 95/98 clients will receive an error 53.
The 'Net' command can be used to view and connect to remote shares.
The resource kit utility Netcons gives a graphic overview of the connected shares.
The resource kit utility rmtshare can be used to create and modify shares on remote systems.
Srvcheck can be used to view the shares and their permissions on a (remote) system. The NT 4.0 resource kit utility ShareUI.inf can also be used. After installation it displays a folder 'shared directories' under each computer in the Explorer.
Last update : 5 January 2003