Configuring File Sharing
A share point represents a network path to a local file system. The only shares Windows creates on its own are the hidden administrative shares (C$, ADMIN$, and so on), and ordinary users cannot access them. You must create shares at a server before users can map drives to it.
There are several ways to create a share. You can use the Explorer shell, the Computer Management console, the command line via the NET command, or Resource Kit tools. This section covers all these methods:
File Sharing and XP
The primary focus of this book is on Windows Server 2003 products, but you should be aware that file sharing on standalone XP Professional desktops (not domain members) and on XP Home Edition desktops works significantly differently than it does on Windows Server 2003, Windows 2000, or NT.
First off, standalone XP desktops do not have network sharing enabled by default and NTFS permissions are not exposed to the Explorer shell. A feature called simple file sharing controls access to folders. This feature is enabled by default on all standalone XP Professional machines and is the only available option on XP Home machines.
You can view the settings for simple file sharing by opening any folder then selecting TOOLS | FOLDER OPTIONS from the folder menu. Select the View tab and scroll all the way to the end of the list to see the Use Simple File Sharing checkbox. Figure 16.3 shows an example.
Figure 16.3. Folder Options window showing Use Simple File Sharing selection.
Shares are stored in the Registry under the following key: HKLM | System | CurrentControlSet | Services | LanManServer | Shares. Each persistent share is a Reg_Multi_SZ value named after the share; each string in the value is a Name=Data pair with the following entries (the administrative shares are not stored here; the Server service regenerates them each time it starts, and share-level ACLs are kept as binary security descriptors in the Security subkey beneath Shares):
CSCFlags. Client-side caching flags: 0 by default for manual caching, 16 for automatic document caching, 32 for automatic program caching, 48 for caching disabled.
MaxUses. The user limit: 4294967295 by default (all Fs for a 32-bit unsigned integer), meaning unlimited.
Path. Local path to the share point. If you move or rename the folder so that it no longer matches this Registry entry, the share no longer functions.
Permissions. Supports downlevel clients that expect to see share-level security flags in the SMB representing a share point.
Remark. Contains the comments for the share.
Type. Always set to 0 (disk share) in Windows Server 2003, XP, and 2000.
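The following script, an added example that is not from the book, reads the share definitions described above straight from the Registry and decodes each Name=Data string. It is useful as an audit pass: a share whose Path no longer exists is still advertised to clients but cannot be used, and the caching setting is otherwise only visible one share at a time in the GUI. It assumes PowerShell 2.0 or later running as an administrator on the server (the key path and field names are those listed above; Get-RegistryShare is a name chosen for this example).

```powershell
# Added example: decode HKLM\...\LanmanServer\Shares. Each value is a REG_MULTI_SZ
# named after the share; each string in it is Name=Data (CSCFlags, MaxUses, Path,
# Permissions, Remark, Type). The hidden admin shares are not stored here.
function Get-RegistryShare {
    param([string]$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares')

    $cscName  = @{ 0 = 'manual'; 16 = 'automatic documents'; 32 = 'automatic programs'; 48 = 'disabled' }
    $provider = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    $item = Get-ItemProperty -Path $Key
    foreach ($prop in $item.PSObject.Properties) {
        if ($provider -contains $prop.Name) { continue }     # provider bookkeeping, not shares
        if ($prop.Value -isnot [string[]]) { continue }      # every share is a REG_MULTI_SZ

        $f = @{}
        foreach ($line in $prop.Value) {                     # split "Name=Data" on the first '='
            $name, $data = $line -split '=', 2
            $f[$name] = $data
        }

        $flags   = [int]$f['CSCFlags']                       # absent -> 0 -> manual caching
        $maxUses = [uint32]$f['MaxUses']
        $limit   = $maxUses
        if ($maxUses -eq [uint32]::MaxValue) { $limit = 'unlimited' }   # 4294967295

        # A share whose folder is gone is still advertised but no longer works
        $exists = [bool]($f['Path'] -and (Test-Path -LiteralPath $f['Path']))

        New-Object PSObject -Property @{
            Share      = $prop.Name
            Path       = $f['Path']
            PathExists = $exists
            Caching    = $cscName[$flags]
            UserLimit  = $limit
            Remark     = $f['Remark']
        }
    }
}

# Report dead shares first, then everything else
Get-RegistryShare | Sort-Object PathExists, Share |
    Format-Table Share, PathExists, Caching, UserLimit, Path -AutoSize
```

Because the Registry is read directly, the script sees a share even if the Server service has not been restarted since the value was edited; compare its output with NET SHARE to spot entries that the service rejected.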
This option controls the following Registry entry:
Key: HKLM | System | CurrentControlSet | Control | LSA
Value: ForceGuest
Data: 1 (every network logon is mapped to the Guest account, so network users can reach only what Guest can reach), 0 (classic model: network users authenticate as themselves and receive their own NTFS rights)
If ForceGuest is enabled (set to 1), the following simple file sharing restrictions apply:
Files in the user's My Documents folder can be configured to be completely private (NTFS permissions set to <User>:Full and System:Full) or private with access by the local Administrators group (NTFS permissions include Administrators:Full.)
The All Users\Documents folder is exposed to the shell as a Shared Documents folder. Users who want other users to see their documents can drag them to the Shared Documents folder. The NTFS permissions on this folder are set for Users:Read,Write,Append, CreatorOwner:Full, Administrators:Full, System:Full, and Power Users:Change.
Folders can be shared on the network using the Sharing tab in the folder properties in Explorer. If the Share This Folder On The Network option is checked and the Allow Network Users To Change My Files option is cleared, an SMB share is created for the folder and the NTFS permissions are set to add Everyone:Read to the access list.
If the Allow Network Users To Change My Files option is checked, NTFS permissions are set to add Everyone:Change to the access list.
These restrictions only apply to SMB connections. A standalone XP Professional desktop running IIS can respond to HTTP and FTP connection requests even if simple file sharing is enabled but nothing is shared. The desktop can also respond to WebDAV connection requests. FTP and WebDAV requests may fail, however, if appropriate NTFS permissions are not set.
Simple file sharing is turned off when an XP Professional desktop joins a domain. (XP Home cannot join a domain.)
In all previous versions of Windows, when a new share point was created, the Everyone group was placed on the permissions list for the share and granted Full Control access. Controlling access to the files and folders behind the share was given over to NTFS permissions.
In the new spirit of security that imbues Windows Server 2003, Microsoft changed the default permissions for a share point. The Everyone group is still the only entry on the access control list, but the default permission is now Read rather than Full Control. FAT and FAT32 volumes have no file permissions, so on those volumes the share permission is the only access control there is; the new default keeps a share on such a volume from being writable by every network user.
You should always build servers with NTFS volumes. You can then follow the common practice of setting the share permissions back to Everyone: Full Control and controlling access entirely with NTFS permissions. Keep in mind that this makes the NTFS ACL the only barrier between the network and the files, so audit it; a more conservative variation grants Authenticated Users rather than Everyone at the share. Either can be done from the Explorer interface or from the command line using the new /grant switch on the NET SHARE command as follows:
Net share <share_name>=<folder_path> /grant:everyone,full
By putting Everyone:Full on the share permissions, you don't need to worry about someone in the future trying to resolve an access problem and forgetting to check the share permissions.
If you do assign share permissions, keep in mind that they act as a filter that sits in front of the folder in the file system. If a user has Full Control access permissions in NTFS but Read permission at the share, the user can only read the files. By the same token, if a user has Read access permission in NTFS and Full Control in the share, the user can still only read the files. The effective access through the share is always the more restrictive of the two.
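The audit below is an added example, not code from the book. It lists every ordinary disk share on the local server with the share-level rights granted to Everyone and the file system of the volume behind it, and flags the combination discussed above: Everyone holding Change or Full Control at the share on a volume that is not NTFS, where the share permission is the only access control. It assumes PowerShell 2.0 or later run as an administrator and uses only WMI classes that exist on Windows Server 2003; the access-mask values are the ones the Server service uses for the Read, Change, and Full Control share permissions, and Get-ShareAudit is a name chosen for this example.

```powershell
# Added example: share permission vs. file-system audit using WMI.
# Share permission access masks: Read = 0x1200A9, Change = 0x1301BF, Full = 0x1F01FF.
$shareRight = @{ 1179817 = 'Read'; 1245631 = 'Change'; 2032127 = 'Full Control' }

function Get-ShareAudit {
    # Type 0 = ordinary disk share; C$, ADMIN$ and IPC$ carry other Type values and are skipped
    foreach ($share in @(Get-WmiObject Win32_Share -Filter 'Type=0')) {
        $everyone = 'none'
        $grants   = @()

        $sec = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$($share.Name)'"
        if ($sec) {
            $result = $sec.GetSecurityDescriptor()
            if ($result.ReturnValue -eq 0) {
                foreach ($ace in @($result.Descriptor.DACL)) {
                    if ($ace -eq $null -or $ace.AceType -ne 0) { continue }   # 0 = access allowed
                    $right = $shareRight[[int]$ace.AccessMask]
                    if (-not $right) { $right = '0x{0:X}' -f $ace.AccessMask } # non-standard mask
                    $who = $ace.Trustee.Name
                    if ($ace.Trustee.Domain) { $who = "$($ace.Trustee.Domain)\$who" }
                    $grants += "$who=$right"
                    if ($ace.Trustee.Name -eq 'Everyone') { $everyone = $right }
                }
            }
        }

        # File system of the volume that holds the shared folder
        $drive = ([System.IO.Path]::GetPathRoot($share.Path)).TrimEnd('\')
        $disk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
        $fs = 'unknown'
        if ($disk) { $fs = $disk.FileSystem }

        New-Object PSObject -Property @{
            Share              = $share.Name
            Path               = $share.Path
            FileSystem         = $fs
            EveryoneShareRight = $everyone
            ShareGrants        = ($grants -join '; ')
            # Only the share ACL protects a FAT/FAT32 volume: Everyone:Change or Full there is the risk
            Risk               = ($fs -ne 'NTFS' -and $everyone -ne 'none' -and $everyone -ne 'Read')
        }
    }
}

Get-ShareAudit | Sort-Object Risk -Descending |
    Format-Table Share, FileSystem, EveryoneShareRight, Risk, ShareGrants -AutoSize
```

On an NTFS server that follows the Everyone:Full convention above, every row should show Risk False; pair this output with a Get-Acl pass over each Path to confirm that the NTFS permissions, now the only filter, are what you expect.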
Share points multiply like bad rock bands if you aren't careful. When a server sends its resource list to a client, it includes the name of every share, even the hidden shares. If you create thousands of shares, you'll slow performance at the client.
Windows Server 2003 and Windows 2000 permit mapping a network drive to a folder underneath a share point. Use this feature to avoid excessive shares.
Also, avoid overlapping shares. This confuses users and can cause tragic Help Desk calls like this: "I deleted some extra files from my K drive but they also disappeared from my L drive. What happened?"
Creating a Share Using Explorer
The simplest way to share a folder is to use Explorer. The steps in Procedure 16.3 create a new folder and share it.
Procedure 16.3 Creating and Sharing a Folder
Log on at the console using an account with administrative privileges.
Open Explorer or My Computer.
Create a folder or select an existing folder. The example in Figure 16.4 shows a folder called Sales.
Figure 16.4. Properties window for Sales folder with Sharing tab selected.
Right-click the folder icon and select SHARING AND SECURITY from the flyout menu. The Properties window for the folder opens with the Sharing tab selected.
Select the Share This Folder radio button. The system automatically inserts the folder name as the share name. If you already have a share by this name on the computer, the share name will be blank. You can select a different name.
Ordinarily you would leave the Maximum Allowed radio button selected. Set a value under User Limit only if you want to limit the maximum number of users who can access the share point. You can use this feature to meet licensing restrictions for executables inside the share.
Select a share name that meets the allowable name length for the Windows clients in your network:
Windows NT4 and later:
Windows 3.x and DOS:
If the share name exceeds the limit, the affected clients cannot see the share in a browse list or map a drive to it.
Click Permissions and set Everyone to Full Control, then click OK.
Click OK to create the share and close the Properties window. The Caching option is covered in Chapter 19, "Managing the User Operating Environment."
Note that the folder now has a little hand under it indicating that it is shared. If you issue the NET SHARE command from the command line, you see this folder listed as a share point.
Creating Shares on Remote Computers
The Explorer interface has no mechanism for creating shares on remote servers. You can create a share point on a remote computer using the Computer Management console as in Procedure 16.4.
Procedure 16.4 Creating Remote Shares Using the Computer Management Console
Open the Computer Management console using START | PROGRAMS | ADMINISTRATIVE TOOLS | COMPUTER MANAGEMENT.
Right-click the Computer Management (local) icon and select CONNECT TO ANOTHER COMPUTER from the flyout menu. The Select Computer window opens.
Click Browse. The standard object search window opens. Enter the first few letters of the server you're searching for then click Check Names. The search starts with an LDAP search of Active Directory then expands to search the browse list.
If more than one computer starts with the letters you entered, a Multiple Names Found window opens with a pick list. Double-click the name you want then click OK then OK again to select that machine.
Expand the tree under SYSTEM TOOLS | SHARED FOLDERS | SHARES. Figure 16.5 shows an example.
Figure 16.5. Computer Management console showing list of shares on a remote computer.
Right-click the Shares icon and select NEW FILE SHARE from the flyout menu. The Create Shared Folder window opens.
Click Browse to locate the folder you want to share. The Browse for Folder window appears (see Figure 16.6). The browse feature requires that you have functioning administrative shares (dollar sign shares) at the root of each volume on the remote computer. If you have deleted the administrative shares, you must enter the local path to the folder manually.
Figure 16.6. Browse For Folder window showing top-level folders represented by administrative shares at remote computer.
Select the folder you want to share or create a new folder.
Click OK to save the selection and return to the Create Shared Folder window.
Enter a Share Name and Share Description.
Click Next. Select a permissions option. The Custom button opens the Customize Permission window that contains a browse list to select users or groups to add to the list of authorized share users.
Click Finish to apply the changes and close the window.
The system responds with a notification that the share was successfully created. If it encounters a problem, you get an error message. The most common problem associated with creating remote shares is not having sufficient rights. The owner may have set restrictive NTFS permissions on the folder you're trying to share.
Creating Shares Using the Command Line
You can create a share from the command line using the NET SHARE command with the following syntax:
net share share_name=drive:\directory /grant:Everyone,Full
If you want to stop sharing a directory, use the /delete switch as follows:
net share share_name /delete
The NET SHARE command only creates shares on the computer where it runs; it has no option to target a remote server. If you want to create a share on a remote directory from the command line, use a Resource Kit utility called RMTSHARE. The syntax for this command is as follows:
rmtshare \\server_name\share_name=drive:path [/users:number | /unlimited]
If you want to stop sharing a directory on a remote computer, use the /delete switch as follows:
rmtshare \\server_name\share_name /delete
Recreating Admin Shares
Access to the C$ and ADMIN$ shares (and other shares representing volumes on a server) is restricted to members of the Administrators group. If the shares are accidentally deleted, you can create a new share called C$, but it will not have the same permissions. The Server service recreates the administrative shares with their built-in permissions every time it starts, so a restart of the service or a reboot brings them back unless they have been suppressed by policy. You can replace deleted admin shares with their special permissions using the Policy Editor (Poledit). Follow Procedure 16.5.
Procedure 16.5 Restoring Deleted Administrative Shares with Poledit
Launch Poledit from the Run window.
From the menu, select FILE | OPEN REGISTRY.
Double-click the Local Computer icon. This opens the Local Computer Properties window.
Expand the tree under Windows NT Network | Sharing.
Select Create Hidden Drive Shares (Server).
Click OK to save the change and return to the main Policy Editor window.
From the menu, select FILE | SAVE. This applies the change to the Registry.
This action places a value called AutoShareServer (REG_DWORD, set to 1) in the Registry key HKLM | System | CurrentControlSet | Services | LanManServer | Parameters. A value of 0 suppresses the administrative shares; 1, or no value at all, lets the Server service create them. The shares reappear the next time the Server service starts, so restart the service or reboot after saving the policy.
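The script below is the command-line equivalent of Procedure 16.5, added here as an example rather than taken from the book. It reads the AutoShareServer value the policy writes, sets it to 1 if it has been set to 0, restarts the Server service so that the hidden shares are regenerated with their built-in Administrators-only access, and then lists them. It assumes PowerShell 2.0 or later run as an administrator on the server itself; Restore-AdminShare is a name chosen for this example.

```powershell
# Added example: restore the hidden administrative shares without Poledit.
# WARNING: restarting the Server service drops every open SMB session on this server.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Restore-AdminShare {
    # Absent or 1 = the Server service creates C$, ADMIN$, etc.; 0 = suppressed
    $current = (Get-ItemProperty -Path $params).AutoShareServer
    if ($current -eq 0) {
        Set-ItemProperty -Path $params -Name AutoShareServer -Value 1 -Type DWord
        Write-Host 'AutoShareServer was 0; set to 1.'
    }

    # The service recreates the admin shares on startup; -Force also restarts dependents
    Restart-Service -Name LanmanServer -Force

    # Verify through the Server service itself; admin shares are not stored under ...\Shares
    Get-WmiObject Win32_Share |
        Where-Object { $_.Name -match '^[A-Z]\$$|^ADMIN\$$' } |
        Select-Object Name, Path, Type
}

Restore-AdminShare
```

If the shares still do not appear after the restart, check for a Group Policy that sets AutoShareServer to 0, since policy is reapplied on top of the manual change.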
Volume Shadow Copy
You've probably gotten this phone call: It starts off, "I was making changes to a macro in the spreadsheet that I use to calculate payroll and now my spreadsheet doesn't work. Can you restore it for me from last night's backup?" For some reason, the answer "I sure can and you'll have it next Wednesday" never seems to satisfy the user.
Tape backups are vitally important, but doing individual file restores imposes a significant burden on IT staff and resources. Windows Server 2003 has a new feature, the Volume Shadow Copy service, that puts the user in charge of obtaining historical copies of data files. Volume Shadow Copy creates a database that holds the before-images of blocks changed since each periodic snapshot of the volume.
The operation of the Volume Shadow Copy database is controlled at the Properties window of a volume via the Shadow Copies tab. Figure 16.7 shows an example.
Figure 16.7. Properties window for an NTFS volume showing the Shadow Copies tab.
Using the Settings button, you can define the size of the database and the schedule for taking snapshots of the volume. The default schedule is two snapshots per day at 7:00 AM and 12:00 PM, Monday through Friday. The number of historical copies is controlled by the size of the database, up to a hard limit of 64 shadow copies per volume; when the storage fills or the limit is reached, the oldest copies are discarded. The default database size is 10 percent of the volume size with a minimum of 100MB.
The Volume Shadow Copy database is stored in a hidden folder called System Volume Information at the root of the volume that holds the storage area. The contents are not encrypted; they are protected by NTFS permissions that grant access only to the System account, so not even an administrator can browse them directly. Defragmenting a volume that holds shadow copies can cause the oldest copies to be discarded (particularly with NTFS cluster sizes smaller than 16KB), and there is no support for Volume Shadow Copy on the quorum drive of a cluster.
Volume Shadowing is enabled on a per-volume basis. It cannot be controlled by individual shares, so every share on the volume exposes previous versions. For best results, Microsoft recommends putting the storage area on a separate spindle or RAID array. You can choose whether or not to back up the historical files. The backup application must use the Windows Server 2003 Volume Shadow Copy API to avoid corrupting the database.
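The command-line view of the Shadow Copies tab, added as an example that is not from the book: vssadmin ships with Windows Server 2003, and the snapshots the GUI schedules are ordinary Task Scheduler jobs that run vssadmin create shadow. The script places the storage area on a separate volume as recommended above, takes an immediate snapshot, and reproduces the default 7:00 AM and 12:00 PM weekday schedule. The drive letters D: (the data volume) and E: (a separate spindle for the storage area) and the 20GB cap are assumptions for the example; run it from an administrative prompt.

```powershell
# Added example: configure Shadow Copies of Shared Folders with vssadmin and schtasks.
$data    = 'D:'    # assumed: volume that holds the shared folders
$storage = 'E:'    # assumed: separate spindle/array for the shadow copy storage area

# 1. Where is shadow copy storage kept today, and how large is it?
vssadmin list shadowstorage

# 2. Put the storage area for D: on E:, capped at 20 GB.
#    Use "vssadmin resize shadowstorage" instead if an association already exists.
vssadmin add shadowstorage /for=$data /on=$storage /maxsize=20GB

# 3. Take a snapshot now and confirm it exists (a 65th snapshot would evict the oldest).
vssadmin create shadow /for=$data
vssadmin list shadows /for=$data

# 4. Reproduce the default schedule (07:00 and 12:00, Monday to Friday) as LocalSystem tasks.
#    /autoretry keeps retrying for 15 minutes if another VSS operation is in progress.
foreach ($time in '07:00', '12:00') {
    schtasks /create /tn "ShadowCopy $data $time" /sc weekly /d MON,TUE,WED,THU,FRI `
        /st $time /ru SYSTEM /tr "vssadmin create shadow /autoretry=15 /for=$data"
}
```

After the first scheduled run, vssadmin list shadows should show the new copy with its creation time, and clients with the Previous Versions extension see it immediately; if the storage limit is too small for the volume's churn between snapshots, the oldest copies disappear well before the 64-copy limit is reached.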
At clients, access to the Volume Shadow Copy database relies on an extension to the Explorer shell that must be installed separately. The client installation package is Twclient.msi and is stored in \Windows\System32\Clients\Twclient. You can deploy the package via group policies.
The Twclient extension only runs on Windows XP and Windows Server 2003. The extension exposes the content of the Volume Shadow Copy database via a Previous Versions tab to the Properties page for a file. Figure 16.8 shows an example.
Figure 16.8. Properties page for a network file showing the Previous Versions tab.
The user can elect to view the previous versions and then either copy them to a new location or restore a copy if the original was accidentally deleted or overwritten. Because a deleted file no longer has a Properties page of its own, the user recovers it from the Previous Versions tab of the folder that contained it. A restore prompts for confirmation before it replaces the current file, which guards against accidentally overwriting it with an older version.
If you use a SAN or NAS, the Volume Shadow Copy feature also supports taking snapshots of dynamic files such as databases so that they can be safely transferred to another location. Windows Server 2003 includes a new service called the Virtual Disk Service, or VDS, that exposes an API for accessing RAID and SAN/NAS configurations from the operating system. This permits changing hardware storage parameters from the console.