Last updated: 22 October 2006; Supplements this Knowledgebase Article.
File & Folder Sharing with the NT Family (2000, XP, 2003)
Setting up file sharing between systems running Windows 9x (i.e. Windows 95/98/98SE/ME) is a pretty straightforward affair. Win9x/ME systems in a peer-to-peer network have no trouble connecting to each other and sharing files because they contain no real security. To access the shares and folders of a Windows NT, 2000, XP or 2003 system which resides on your network, however, you need to do a bit more work, in addition to enabling "File and Printer Sharing for Microsoft Networks". This is because the Windows NT family is very security conscious, and generally requires that resources are accessed by valid user accounts and groups.

Windows XP comes with a Network Wizard, but you don't need to use it to successfully connect your machines together. In fact, avoiding it will give you more control over your connectivity options, as the Wizard will make a number of changes to your networking configuration, including the Internet Connection Firewall (ICF). And while you might be tempted to install NetBEUI to make it easier to talk to Windows 9x/ME systems, this is totally unnecessary.

File Sharing Overview
Here's the basic overview of file/printer sharing when Windows NT, 2000, XP or 2003 systems (the NT Family) are involved.
Setup Domain or Workgroup
Assign IP Addresses
Configure Name Resolution
Enable File/Printer Sharing
Create User Accounts
Assign Privileges to Files and Folders
There are a number of ways that this can be accomplished, but some methods are more desirable than others. For convenience, the term NT will be used to refer to Windows NT4, 2000, XP and 2003 for the remainder of this document. Likewise, Win9x will be used to refer to Windows 95, 98, ME.
OPTION #1 -- Undesirable Option
OPTION #2 -- Highly Preferred Option
Create a user account with password on the Windows NT system which matches the user/password combination that is being used on the Win9x machine.
Use the same workgroup or domain name for the Win9x and NT systems (this is only necessary for easy browsing via Network Neighborhood)
From a security standpoint, enabling the GUEST account (as in option #1) is a VeryBadThing® and is likely to lead to your machines being exploited in short order. Despite the apparent convenience of this option, you are advised to leave it disabled. By default, NT4 (all editions), 2000 (all editions), XP Pro and Windows Server 2003 are all configured with the GUEST account disabled out of the box.

Under Windows XP Home, the GUEST account is used for accessing remote shares and folders by default. Because overall security has been changed in XP, this is not as bad as it would be under any earlier version of Windows. For example, in XP Home, the built-in Administrator account is only valid for access at the console, but not across the network.

When "Use Simple File Sharing" is enabled in XP Pro, it will be configured identically to XP Home as far as the GUEST account is concerned. When this setting is disabled, the OS behaves like Windows 2000, and provides far greater flexibility in the setting and maintaining of permissions. Disabling this setting is highly recommended. It is for this and other reasons that XP Pro is preferred over XP Home on networks where granular security is important.

Examples of Sharing Files and
Folders
Let's say that there are three (3) machines on a little peer-to-peer network:
Machine-A ..... Windows 2000 Pro ..... logon=Tarzan
Machine-B ..... Windows XP Pro ........ logon=Jane
Machine-C ..... Windows 98SE .......... logon=Cheetah
In order to allow any user to connect to
resources on any of the systems, the Windows 2000 and Windows XP machines
would need to have all three accounts (Tarzan, Jane,
Cheetah) and their respective passwords created locally.
Because the Windows 98 machine is unconcerned about the accounts, and
manages its shares with local passwords, it would only need to have the
Cheetah account so that it could
successfully access resources on the other two systems.
Summary:
User accounts would need to be created on Machine-A and Machine-B, with at least USER level permissions, in order for users of the other machines to successfully connect to those systems across the network.
Machine-C wouldn't need any accounts created on it in order to allow Machine-A or Machine-B to connect successfully, because by default, Win9x/ME has no user security.

Final Steps for Successful File
Sharing
If File Sharing is not
enabled on a machine, then that particular box will not be visible on the network.
By default, XP systems have file sharing enabled, but you'll want to
verify that no firewalls, such as XP's Internet Connection Firewall (ICF),
are interfering with the
connectivity between the systems on your LAN.
Once you have set up the user accounts, make sure that Name Resolution is properly configured. On a small peer-to-peer network, this will probably involve creating an entry for each system in the HOSTS file of every machine on the network. On a larger network, DNS will be the preferred Name Resolution mechanism.
127.0.0.1      localhost
172.30.50.11   Tarzan
172.30.50.12   Jane
172.30.50.13   Cheetah
If you'd like to restrict one or more users from connecting to a networked resource, then ensure that the username/password combination for those users does not have access to the resource in question. You don't have to explicitly deny them access -- just ensure that they are not part of any group which is given explicit access.
Here's how you can
set permissions on your files and folders.
The instructions in this document will work with any combination of
32-bit Windows clients.
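
The account and permission steps above, collected into one batch file as an added example (not part of the original article). The logons come from the three-machine scenario; the group ShareUsers, the folder C:\Shared and the share name Shared are assumed names, and reg.exe is assumed to be available on the machine.

```bat
@echo off
rem Added example: run from an administrator command prompt on each
rem NT-family machine (Machine-A and Machine-B in the scenario above).
rem ShareUsers, C:\Shared and the share name Shared are assumed names.

rem 1. Keep the GUEST account disabled.
net user Guest /active:no

rem 2. Create a local account for every logon used on the network.
rem    "*" prompts for the password: type the same one the user logs on
rem    with elsewhere. The account that already exists locally reports
rem    an error and is left unchanged. New accounts join the Users group.
for %%U in (Tarzan Jane Cheetah) do net user %%U * /add

rem 3. Grant access through a group. Cheetah is left out on purpose, so
rem    that logon is restricted without any explicit deny entry.
net localgroup ShareUsers /add
net localgroup ShareUsers Tarzan Jane /add

rem 4. Replace the folder's NTFS ACL (no /E switch) so only these
rem    entries remain, then publish the share. C = Change, F = Full.
if not exist C:\Shared mkdir C:\Shared
echo Y| cacls C:\Shared /T /G Administrators:F SYSTEM:F ShareUsers:C
net share Shared=C:\Shared

rem 5. XP Pro / 2003: 0x1 here means network logons are forced to Guest
rem    (the Simple File Sharing model); 0x0 is the classic model.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v forceguest

rem 6. Review the result.
net user Guest | find "Account active"
net localgroup ShareUsers
cacls C:\Shared
net share Shared
```

Effective access over the network is the more restrictive of the share permission and the NTFS ACL, so an account outside ShareUsers is refused on C:\Shared even though the share itself is visible.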
