WindowsDevCenter.com
oreilly.comSafari Books Online.Conferences.

advertisement


AddThis Social Bookmark Button

Windows XP File Sharing Mysteries: Part 1

by Mitch Tulloch
08/08/2006

How simple is file sharing in Windows XP? The rationale behind the Simple File Sharing user interface first introduced in XP was apparently to make the task of sharing files easier for users. But I frequently find home users who complain they don't really understand file sharing in XP and that the file sharing user interface (the Sharing tab) of Windows 2000 was easier to use and understand. Let's delve into this matter a bit by examining what happens under the hood when you use one form of sharing available in XP, namely same computer sharing.

Same Computer Sharing

Part of the confusion is that there are several different ways to share files in XP. For example, two users who share use of the same computer can share files with each other. This is called same computer sharing, and the standard way of doing this is to use the Shared Documents folder.

Let's say Bob and Alice share use of the same machine. Bob uses Wordpad to create a file named Movies.rtf that contains a list of his favorite movies, and he saves it in the default location (his My Documents folder). He then wants to share this document with Sue, so he opens My Computer to display the Shared Documents folder (see Figure 1):

Figure 1: The Shared Documents folder
Figure 1: The Shared Documents folder

Bob then drags the file from his My Documents folder into the Shared Documents folder and leaves a sticky note on the monitor telling Sue what he's done. When Sue later logs on to the computer, she opens My Computer, double-clicks on Shared Documents, and can view and modify the list Bob shared with her.

How does this work? First, you'll notice that in Figure 1 there are three Documents folders displayed in My Computer:

  • Bob Smith's Documents
  • Alice Jones's Documents
  • Shared Documents

What's interesting is that these aren't physical folders on your hard drive. Instead, they are virtual folders that map to subfolders of user profiles on your machine. Specifically:

  • Bob Smith's Documents maps to C:\Documents and Settings\Bob Smith\My Documents
  • Alice Jones's Documents maps to C:\Documents and Settings\Alice Jones\My Documents
  • Shared Documents maps to C:\Documents and Settings\All Users\Shared Documents

You can verify the first point (if you're Bob) by double-clicking on Bob Smith's Documents and looking at the path in the address bar. And if you browse to the folder C:\Documents and Settings\All Users\Shared Documents, you'll see the Movies.rtf file that was dragged there.

Keeping Your Documents Private

However, there's a small problem with using the Shared Documents folder to share files with other users of your machine. If Bob and Alice accepted all the prompts when they created their user accounts using the User Accounts tool in Control Panel, then by default both of their user accounts will be of the Computer Administrator category. In other words, Bob and Alice will both be members of the Administrator's group on the local machine. So if Bob wants to share Movies.rtf with Alice, he could also simply do it by dragging it directly into Alice Jones's Documents instead of using Shared Documents. Furthermore, this means Alice can snoop anytime she wants to inside Bob's My Documents folder and modify any files she finds there without Bob knowing it.

That's not nice. How does Bob keep his documents private from Alice? Before we look at this, let's first examine the default NTFS permissions on Bob's My Documents folder. We can do this using the cacls.exe command. The results of running the following command:

cacls "C:\Documents and Settings\Bob Smith\My Documents"

look like this:

XP-1\Bob Smith:F
XP-1\Bob Smith:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F

What this says is that Bob has full control (F) permission on his My Documents folder and also on all subfolders and files within it. The built-in Administrators group on the computer also has the same permissions, as does the System special identity. And any file or folder that Bob creates in or saves to his My Documents folder will inherit the following permissions:

XP-1\Bob Smith:F
NT AUTHORITY\SYSTEM:F
BUILTIN\Administrators:F

Clearly the permissions on Alice's My Documents folder are going to look like this:

XP-1\Alice Jones:F
XP-1\Alice Jones:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F

And since both Bob and Alice are members of the Administrator's group, they have full access to each other's My Documents folder.

But let's say Bob wants to keep his folder private. To do this, he tries right-clicking the folder named Bob Smith's Documents and selects Sharing And Security. This brings up a properties sheet with the Sharing tab selected (see Figure 2):

Figure 2: Sharing tab for Bob's My Documents folder
Figure 2: Sharing tab for Bob's My Documents folder.

Bob now selects the checkbox labeled Make This Folder Private. When he clicks OK, the warning message in Figure 3 appears:

Figure 3: Bob needs a password to keep his folders private
Figure 3: Bob needs a password to keep his folders private

Remember, we said Bob and Alice followed all the prompts when they created their user accounts using the User Accounts tool in Control Panel. By default, all new accounts created using this tool have null passwords, so Alice could have been logging on as Bob anytime she wanted.

Bob clicks Yes and creates a password to protect his account. What's changed? Running cacls.exe again on Bob's My Documents folder displays the following:

NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
XP-1\Bob Smith:F
XP-1\Bob Smith:(OI)(CI)(IO)F

Look what's happened: the Access Control Entry (ACE) for the local Administrators group has been removed. Also, this change in permissions has been recursively applied to all folders and files within Bob's My Documents folder so that now only Bob himself and the operating system can access these folders and files. In other words, any file or folder that Bob has in or copies to his My Documents folder will now have the following permissions:

XP-1\Bob Smith:F
NT AUTHORITY\SYSTEM:F

And Alice, even though she is an administrator on the computer, can no longer look inside Bob's My Documents folder.

Poor Alice. She gets her revenge though and decides to buy a computer of her own so she won't have to share the computer with Bob anymore. But after a time they make up and they network their computers together and share files again. We'll continue the saga of Bob and Alice in a future article where we'll delve deeper into the mysteries of how file sharing works in XP.

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.


Return to the Windows DevCenter.