IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.94 Sharing of directories under Windows NT
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
Under Windows NT there is a distinction between various levels of access
control to resources. There are access rights at the share level and at the
directory and file level (known as NTFS permissions). The access rights at the
directory and file level are only available on data media with an NTFS file
system, and are dealt with in detail in S 4.53 Restrictive allocation of access
rights to files and directories under Windows NT.
Sharing directories on servers is necessary in order to enable users to obtain
access to the resources via the network. Network access to a directory is not
possible unless a share is created in the appropriate way. This is the case even
if corresponding NTFS permissions have been granted.
It is possible to share directories on all computers running under the Windows
NT operating system, i.e. both on domain controllers and on servers and
workstations (clients). Usually, however, directories should only be shared on
domain controllers and servers. The sharing of directories or sharing of
individual drives on workstations (clients) is implemented as part of peer-topeer
functionality (see S 5.37 Restricting peer-to-peer functions when using
WfW, Windows 95 or Windows NT in a server-supported network) and should
remain very much the exception, because it is liable to lead to the creation of
unclear rights structures and even in some cases to undermining of the general
security specifications.
A directory can be shared in different ways under the Windows NT operating
system, including with Windows NT Explorer, via the "My Computer"
desktop icon or with the "NET SHARE" command. The process of sharing a
directory is also referred to as creating a share. In Windows NT Explorer or
when using the "My Computer" desktop icon, sharing a directory is carried out
on the "Share" tab. This is accessible via the "Properties" menu option on the
pop-up menu. The share is created by clicking on the "Shared as" option. A
share name with a maximum length of 12 characters can then be entered. By
default, Windows NT assigns the name of the directory as the share name. To
help with administration, a short, succinct description of the share can be
entered in the "Comment" box. The number of users who are allowed to
access the share at the same time can be specified under the "User Limit"
option. The default setting is "Maximum Allowed", i.e. the number is not
limited, and this should be retained. This feature is only partially suitable for
licence control, because only the number of clients who have connected to the
share are counted. Users who are supposed to be able to access the share via
the network must be granted an appropriate share permission. This is done
using the access control list, which the system opens after the "Permissions"
box is selected. The icon for the shared directory is shown with a hand
beneath it in Windows NT Explorer and in the "My Computer" desktop icon
to indicate that it is shared.
Only members of the "Administrators" and "Server Operators" groups on
domain controllers or members of the "Administrators" and "Power Users"
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000