Securing Windows 10 hosts

Share Permissions in Windows 10

April 29, 2020 by Greg Belding

Introduction

Sharing files and folders is both a basic and essential task performed by nearly all organizations on a daily basis. It allows organization employees to share organization resources based on their need to use them while simultaneously not sharing resources with outsiders and those who do not have a business need to use the resources. Windows 10 makes sharing files and folders easy by using share permissions to control who can use resources on organization networks. 

This article will detail share permissions in Windows 10. We’ll examine what share permissions are, who share permissions apply to, the different share permissions and the rights they confer, how to use share permissions to share a folder and how to use share permissions to share files with specific people, a new Windows 10 option. 

What are share permissions?

Share permissions manage folder and drive access over an organization network. These share permissions apply to the contents of a shared folder, meaning that you cannot granularly control file access in a share. 

Windows 10 users now can granularly share files on their system (in part due to network discovery) with specified users. Share permissions allow you to specify how many users can access the share and can be used with FAT, FAT32 and NTFS file systems. Each share permission can be configured to control access to shared resources by setting them to either “allow” or “deny” access. 

Please note that by default, all organization active directory users are in the user group “Everybody.”

Who do share permissions apply to?

Simply put, share permissions apply to potentially all users in an organization. Share permissions also apply to security groups alike. Security groups are created in Active Directory and make management of large groups of users easy.

What are the different share permission levels?

Windows 10 uses three different share permission levels — Read, Change and Full Control. Below is a summary of what these share permission levels convey to bother users and security groups.

Read

This is the most basic share permission level and grants users the ability to view folder/subfolder names, read file data and run programs contained in the folder. By default, all organization users in the “Everybody” group are given Read permissions.

Change

This share permission level conveys the second highest permission level to organization users. This includes permission to add (folders, subfolders and files), delete (folders, subfolders and files) and change data contained in files, as well as all permissions granted by the Read permission level. This share permission level must be assigned and is not default for users.

Full Control

This is the highest share permission level that conveys the most permissions to users. Users in this group are given the permission to change NTFS folders and files, as well as all permissions that are conveyed by the both share permission levels explored above. The “Administrator” security group is assigned Full Control share permissions by default. 

How to use share permissions to share a folder

The best way to understand how share permissions work is to perform an all-too-common task for organizations that share network resources — that is, to share a network folder using Advanced Settings. 

  1. Use File Explorer to locate the folder you want to share, right-click on it and select Properties
  2. Click the Sharing tab
  3. Click on Advanced Sharing
  4. Check the Share this folder checkbox
  5. At this point, your folder is shared and users in the Everyone group will have read-only access. To assign any further permissions, click Permissions
  6. You are now looking at the Share Permissions window. Here, you can change the share permissions assigned to users and groups by first clicking on the item you want to modify and then using checkboxes to check which share permissions you want to assign. The first group you will see is Everyone, which is assigned the lowest-level share permissions
  7. Click Apply
  8. Click OK 

How to use share permissions to share a file 

A related change new in Windows 10 is how to share with specific people. This change applies to both files and folders. To share a file with a specific person:

  1. Use File Explorer to locate the file you want to share
  2. Hover over “Give access to”
  3. Select “Specific people”
  4. You will me prompted with the Network Access Wizard
  5. Select which user you want to share the file with
  6. Or click “Add” to add other users
  7. Click share

Permission levels can be set with a drop-down menu in the network access window. Specific users will then be prompted with their Windows credentials to access the shared file. 

Conclusion

Windows has brought share permissions over to Windows 10 for the convenience and organization it offers. It allows you to specify which users or security groups can use shared folders and files, and this can add some extra security dimensions to an organization network because of the inherent protection that tiered privileging can offer to file sharing. After all, you wouldn’t want an attacker who gains access to low-level privileges have full control over your shared folders and files.

 

Sources

  1. File sharing over a network in Windows 10, Windows Support
  2. How to set up network file sharing on Windows 10, Pureinfotech
  3. NTFS Permissions vs. Share: Everything You Need to Know, Varonis
Posted: April 29, 2020
Articles Author
Greg Belding
View Profile

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.