Computing Facilities    links to the SCS and CMU home pages Carnegie Mellon School of Computer Science Carnegie Mellon University
 
Advanced search tips 
 
 » Introduction to Facilities 
 » Accounts & passwords 
 » AFS 
 » Application software 
 » AV help 
 » Backups & restores 
 » Calendaring 
 » E-mail 
 » Networking 
 » Printing 
 » Purchasing 
 » Resource management 
 » Security 
 » Software licensing 
 » Support charges 
 » Web publishing 
 » Mac support 
 » Linux support 
 » Windows PC support 

Windows filesharing

Windows allows one to share folders on a PC over the network. Unfortunately, the default permissions for shared folders usually allow anyone with access to write to a folder and modify files on it. As a result, such "open shares" are one of the main ways that PCs get broken into, and there are numerous viruses that can infect hosts through open shares. In order to prevent such break-ins and virus infections from happening, people should restrict access to shares on their PCs. It is also recommended that the guest account be disabled on all PCs. You will need administrator rights on your PC to make these changes.

What not to share

You should not share the C:\ or any other system drive. In particular, you should never ever share C:\ or a system drive such that everyone has write access to it. Doing so ensures that your PC will eventually get broken into and/or infected with a virus. Even providing read-only access for everybody to your C:\ drive means that files that may contain sensitive configuration information, e-mail, and other data can be read by anyone on the internet.

Whenever possible only provide read access to a share. Use specific access lists containing the names of the people you want to access your files, instead of providing access to Everyone. Keep in mind that if you provide Change or Full Control access to Everyone, anyone on the internet can modify files on that share.

Administrative shares

Most PCs have Administrative shares, called C$, D$, etc (one for every drive). Most PCs will also have a share called ADMIN$, which is a pointer to the system root, and a share called IPC$. These shares are needed for domain administration of your PC, and should not be removed (and can only be accessed by someone with administrative access to your PC). If you do remove them, by default they will be re-created upon reboot.

How to verify file sharing permissions

On Windows NT

To get a list of shares on your PC:

  1. Select Start|Settings|Control Panel.
  2. Double click on the Server icon.
  3. Click on the Shares button to see a list of shares.

For each share in that list that is not an Administrative share:

  1. Go to the folder, right click on it, and choose Sharing from the menu.
  2. If you don't want to share that folder, click on the Not Shared button.
  3. If you do want to share that folder, click on Permissions to go to the Access Through Share Permissions dialogue.
  4. If Everyone is listed as having Full Control or Change rights, you can change those rights by clicking on the arrow and choosing the appropriate rights from the menu. To remove a user from the access list, highlight the entry and click Remove.
  5. To add a specific user, use the Add button. You can type a name or select one from the scrollbox.
  6. For each use you select, adjust permissions appropriately using the Access Through Share Permissions dialogue.

On Windows 2000 & XP

To get a list of shares on your PC:
  1. Right click on the My Computer icon on your desktop and select Manage from the menu.
  2. Click on Shared Folders and then Shares.

For each share that is not an Administrative share:

  1. If you don't want to share that folder, right click on it, and select Stop Sharing
  2. If you want to continue sharing that folder, right click on the name of the share and select Properties.
  3. Click on the Share Permissions tab.
  4. If Everyone is listed as having Full Control or Change rights, remove those rights by unchecking the appropriate boxes. To remove a user from the list, highlight the entry and click Remove.
  5. To add a specific user, use the Add button. You can type a name or select one from the scrollbox.
  6. For each use you select, adjust Permissions appropriately using the checkboxes on the Share Permissions dialogue.