Sharing files means that you allow users to access those files from across the network. The most basic way to share files is to create a shared folder and make it accessible to users through a mapped network drive. In most cases, you don't want everyone with access to the network to be able to read, modify, or delete the shared files. So, when you share files, the access permissions on the shared folder and the local NTFS permissions are very important in helping to grant access as appropriate and to restrict access to files when necessary. File sharing and file security go hand in hand. You don't want to share files indiscriminately, and to help safeguard important data you can configure auditing. Auditing allows you to track who accessed files and what they did.
File sharing is one of the most fundamental features of a server, and servers running Microsoft Windows Server 2003 have many file sharing features. The basic component that makes file sharing possible is the Server service, which is responsible for sharing file and printer resources over the network.
You share file resources over the network by creating a shared folder that users can map to as a network drive. For example, if the D:\Data directory on a computer is used to store user data, you might want to share this folder as UserData. This would allow users to map to it using a drive letter on their machines, such as X. Once the drive is mapped, users can access it in Windows Explorer or by using other tools just like they would a local drive on their computer.
All shared folders have a share name and a folder path. The share name is the name of the shared folder. The folder path is the complete path to the folder on the server. In the previous example, the share name is UserData and the associated folder path is D:\Data. Once you share a folder, it is available to users automatically. All they have to know to map to the shared folder is the name of the server on which the folder is located and the share name.
In Windows Explorer, you map network drives by selecting Map Network Drive from the Tools menu. This displays the Map Network Drive dialog box shown in Figure 21-1. You use the Drive field to select a free drive letter to use and the Folder field to enter the path to the network share. You use the Universal Naming Convention (UNC) path to the share. For example, to access a server called CORPSVR02 and a shared folder called CorpData, you would type \\CorpSvr02\CorpData. If you don't know the name of the share, you could click Browse to search for available shares.
Users can browse My Network Places in Windows Explorer to find shares that have been made available, as shown in Figure 21-2. Here, you expand My Network Places, Entire Network, and Microsoft Windows Network to display the available domains, and then expand the domain node to display servers on the network. When you expand a server node, any publicly shared resources on that server are listed and can be connected to simply by clicking the associated folder.
To make it easier for users to find shared folders, you can also publish information about shares in the Active Directory directory service. When you publish shared resources, Microsoft Windows XP users can use My Network Places to find them, and administrators can use Active Directory Users and Computers. The procedures are similar regardless of which tool you are using. An example of how you can find shared folders follows:
In My Network Places, click Search Active Directory under Network Tasks. Or in Active Directory Users and Computers, right-click the domain name in the left pane, and click Find.
As shown in Figure 21-3, in the Find List, choose Shared Folders.
In the Named field, type the name of the folder you want to find, and then click Find Now.
In the Search Results, right-click any of the shared folders to display a shortcut menu, as shown in Figure 21-4. You will then be able to open the shared folder, map a network drive to the folder, and perform other tasks.
Because there are times when you don't want everyone to see or know about a share, Windows Server 2003 also allows you to create hidden shares. Hidden shares are shares that are made available to users but that are not listed in the normal file share lists or published in Active Directory. You can create hidden shares by adding the dollar sign ($) to the end of the share name. For example, if you want to share E:\DataDumps but don't want it to be displayed in the normal file share lists, you could name it Backup$ rather than Backup.
Hiding a share doesn't control access to the share, however. Access to shares is controlled using permissions. Two permission sets apply to shared folders: share permissions and local file and folder permissions. Share permissions set the maximum allowable actions available within a shared folder. File and folder permissions assigned to the share's contents further constrain the actions users can perform. For example, share permissions can allow a user to access a folder, but file and folder permissions might not allow a user to view or modify files.
By default, when you create a share, everyone with access to the network has Read access to the share's contents. This is an important security change from previous versions of Windows in which the default permission was to give everyone Full Control over a share's contents.
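The interaction between share permissions and file and folder permissions described above, as a simplified model (an added example, not part of the original text). The reduction of each permission level to four coarse rights, the Allow/Deny handling, and the principals alice, Users, Everyone and Contractors are assumptions made for illustration.

```python
from enum import IntFlag

class Right(IntFlag):
    READ = 1    # view folders, read files
    WRITE = 2   # create and modify files
    DELETE = 4  # delete files and subfolders
    PERMS = 8   # change permissions, take ownership

ALL = Right.READ | Right.WRITE | Right.DELETE | Right.PERMS

# Simplified mapping of permission levels to rights (an assumption of this model).
SHARE_LEVELS = {"Read": Right.READ,
                "Change": Right.READ | Right.WRITE | Right.DELETE,
                "Full Control": ALL}
NTFS_LEVELS = {"Read": Right.READ,
               "Write": Right.WRITE,
               "Modify": Right.READ | Right.WRITE | Right.DELETE,
               "Full Control": ALL}

def granted(acl, token, levels):
    """Union of Allow entries that match the token, minus any matching Deny."""
    allow, deny = Right(0), Right(0)
    for principal, kind, level in acl:
        if principal in token:
            if kind == "Deny":
                deny |= levels[level]
            else:
                allow |= levels[level]
    return allow & ~deny

def effective(share_acl, ntfs_acl, token, over_network=True):
    """Share permissions cap network access; local access sees only NTFS."""
    ntfs = granted(ntfs_acl, token, NTFS_LEVELS)
    if not over_network:
        return ntfs
    return granted(share_acl, token, SHARE_LEVELS) & ntfs

# Constructed sample: the default share ACL described above plus an NTFS ACL.
DEFAULT_SHARE_ACL = [("Everyone", "Allow", "Read")]
NTFS_ACL = [("Users", "Allow", "Modify"), ("Contractors", "Deny", "Write")]
ALICE = {"alice", "Users", "Everyone"}  # user name plus group memberships

if __name__ == "__main__":
    print("network:", effective(DEFAULT_SHARE_ACL, NTFS_ACL, ALICE))
    print("local:  ", effective(DEFAULT_SHARE_ACL, NTFS_ACL, ALICE, over_network=False))
```

With the default share ACL, alice is held to Read over the network even though NTFS grants her Modify; widening the share to Full Control leaves the NTFS ACL as the only limit.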
In Windows Server 2003, you'll find that several shares are created automatically. These shares are referred to as special or default shares. Most special shares are hidden because they are created for administrative purposes. Thus, they are also referred to as administrative shares.
The special shares that are available on a system depend on its configuration. This means a domain controller might have more special shares than a member server, or a server that handles network faxing might have shares that other systems don't.
All drives, including CD/DVD-ROM drives, have a special share to the root of the drive. These shares are known as C$, D$, E$, and so on and are created to allow administrators to connect to a drive's root folder and perform administrative tasks. For example, if you map to C$, you are connecting to C: and have full access to this drive.
On workstations and servers, members of the Administrators or Backup Operators groups can access drive shares. On domain controllers, members of the Server Operators group can also access drive shares.
The ADMIN$ share is an administrative share for accessing the %SystemRoot% folder in which the operating system files reside. It is meant to be used for remote administration. For administrators working remotely with systems, it is a handy shortcut for directly accessing the operating system folder. Thus, rather than having to connect to C$ or D$ and then look for the operating system folder, which could be named WINDOWS, WINNT, or just about anything else, you can connect directly to the right folder every time.
On workstations and servers, members of the Administrators or Backup Operators groups can access the ADMIN$ share. On domain controllers, members of the Server Operators group can also access the ADMIN$ share.
The FAXCLIENT and FXSSRVCP$ shares are used to support network faxes. Fax clients use the FAXCLIENT share when sending faxes. FXSSRVCP$ is an administrative share used to store common cover pages. By default, the special group Everyone has Read permissions on these shared folders. This means that anyone with access to the network can access these folders.
The IPC$ share is an administrative share used to support named pipes. Named pipes are used for interprocess (or process-to-process) communications. Because named pipes can be redirected over the network to connect local and remote systems, they also enable remote administration and are what allow you to manage resources remotely.
The NETLOGON share is used by domain controllers. It supports the Netlogon service and is used by this service during processing of logon requests. Once users log on, Windows accesses their user profile and, if applicable, any related logon scripts. Logon scripts contain actions that should be run automatically when users log on to help set up the work environment, perform housekeeping tasks, or complete any other task that must be routinely performed every time users log on.
The Microsoft UAM Volume supports Macintosh file and printer services. It is used by the File Server For Macintosh and Print Server For Macintosh services.
The PRINT$ share supports printer sharing by providing access to printer drivers. Any time you share a printer, the system puts the printer drivers in this share so that other computers can access them as needed.
As Figure 21-5 shows, administrators can view information about existing shares on a computer including the special shares by using Computer Management. In Computer Management, expand System Tools and Shared Folders, and then select Shares.
If you want to work with shares on a remote computer, right-click the Computer Management node in the left pane and select Connect To Another Computer. This displays the Select Computer dialog box. Select Another Computer, and then type the computer name or Internet Protocol (IP) address of the computer you want to use. If you don't know the computer name or IP address, click Browse to search for the computer you want to work with.
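A share inventory can also be reviewed from text output. The following added example (not part of the original text) parses the column layout printed by the built-in `net share` command and separates the special shares named in this chapter from custom hidden shares such as Backup$. The sample listing is constructed, and the parser assumes each share name fits in the first column.

```python
import re

SPECIAL = {  # special shares named in this chapter
    "ADMIN$": "remote administration of %SystemRoot%",
    "IPC$": "named pipes",
    "PRINT$": "printer drivers",
    "NETLOGON": "logon processing on domain controllers",
    "FAXCLIENT": "network fax clients",
    "FXSSRVCP$": "fax cover pages",
    "MICROSOFT UAM VOLUME": "Macintosh file and printer services",
}

def classify(name):
    """Return (category, note) for one share name."""
    if re.fullmatch(r"[A-Za-z]\$", name):
        return "special", "drive root"
    if name.upper() in SPECIAL:
        return "special", SPECIAL[name.upper()]
    if name.endswith("$"):
        return "hidden", "custom hidden share; review its permissions"
    return "visible", "listed when users browse the server"

def parse_net_share(text):
    """Parse column-aligned `net share` output into (name, path, remark)."""
    lines = text.splitlines()
    head = next(i for i, l in enumerate(lines) if l.startswith("Share name"))
    res_col, rem_col = lines[head].index("Resource"), lines[head].index("Remark")
    rows = []
    for line in lines[head + 1:]:
        if not line.strip() or set(line.strip()) == {"-"}:
            continue  # blank line or dashed separator
        if line.startswith("The command"):
            break     # trailing status line
        rows.append((line[:res_col].strip(), line[res_col:rem_col].strip(),
                     line[rem_col:].strip()))
    return rows

def _row(name, resource="", remark=""):
    return f"{name:<13}{resource:<32}{remark}".rstrip()

# Constructed sample (not from a real server), using names from this chapter.
SAMPLE = "\n".join([
    _row("Share name", "Resource", "Remark"), "", "-" * 79,
    _row("C$", "C:\\", "Default share"), _row("IPC$", "", "Remote IPC"),
    _row("ADMIN$", "C:\\WINDOWS", "Remote Admin"),
    _row("UserData", "D:\\Data"), _row("Backup$", "E:\\DataDumps"),
    "The command completed successfully."])

def audit(text):
    """Map each share name to its category: special, hidden or visible."""
    return {name: classify(name)[0] for name, _, _ in parse_net_share(text)}
```

Shares reported as hidden are the ones to check first, because a trailing dollar sign only removes the share from browse lists and leaves access entirely to its permissions.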