By GeneralX on Sunday 25 October 2015 16:28
The goal was to share folders with other machines on the same LAN while restricting the access permissions. As it turned out, this process is not at all obvious. The intention of this post is to record the proper method for later reference, not just for me, but also for the people I will refer to this post and for other people who read Tweakblogs.

There are multiple ways to approach the sharing process. One of those methods involves the despicable HomeGroup. This method I will ignore, as it is incompatible with some versions of Windows (looking at you, XP).
My preferred choice is to create a new password-protected user account on the machine with the shared folder. The account credentials can be shared with the people who need access, without creating scary HomeGroups. On W8 and later, user accounts are (often) linked to online IDs (e.g. Hotmail accounts) during installation. It is possible to log in with these online IDs as well as with user account names. On earlier Windows versions, linking an online ID is optional (and I could not confirm that it works for Windows XP).
To use this method of sharing, it is important that both the host and the guest have set their preferences properly. This is done in the Network and Sharing Center (or Centre, depending on your localization). Technically, it is not necessary for all the options to be turned on, although it is easier to just enable all the options under Advanced Sharing settings. Public folders and media streaming are not necessary. For the host, Network discovery is not technically necessary, but it does not hurt to enable it. 'File and printer sharing' and 'Password protected sharing' should obviously be enabled if you want to do password-protected file sharing. 128-bit encryption is recommended. The last option is very important: Windows must not be allowed to manage the HomeGroup connections! Choose the option to use user accounts and passwords to connect to other computers. These settings should be used on all computers that want to share a certain file or folder.

Now it is time to select the files and/or folders that should be shared. This too can be done in multiple ways. One of those can be disabled in settings, so it is a good idea to check that: go to Folder Options, View tab and make sure that Use Sharing Wizard is unchecked. If it is not checked, excellent! If it is, uncheck it. This Wizard is limited in its functions and we are Power Users after all. The proper method to share a file or folder is to right-click it and choose Share with..., then Advanced Sharing. In this menu, check the box Share this folder. You can choose a name for the shared folder, which is the name that will be displayed when people browse the Network through the explorer. Adding a $ at the end of the name will hide it from the explorer. The value of this trick is purely aesthetic: the folder will still be accessible to everyone with the proper credentials who browses to the path directly (either by computer name or by local IP).

Of course, we do have to set Permissions. Add the local user account whose credentials you shared and set its Permissions. If you are lazy, you can click Advanced and let Windows Find all the accounts that exist on your location. Since it is possible for the local administrator to access all folders locally, it might not be necessary to add the group Administrators to the list. I find it convenient to be able to access my shared folders from my admin account by browsing through Network.
For every object that is added to the list, you can change the Permissions. To make sure that people do not use my hard drive to store their important data, I set the permissions to Read only.

The shared folder can now be accessed from anywhere in the Network by anyone who has the credentials. Should you have issues with network discovery, remember that shared folders can always be accessed by directly giving the proper path (e.g. \\ComputerName\Shared Folder or 192.168.1.x).
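The same procedure scripted in PowerShell, as an added example that is not part of the original post. It assumes Windows 10 or later (for New-LocalUser), an elevated prompt, the Advanced sharing settings already set as described above, and the hypothetical names shareguest, D:\Shared and Shared$.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post.
# Assumed (hypothetical) names: shareguest, D:\Shared, Shared$.
$Account   = 'shareguest'   # local account whose credentials you hand out
$Folder    = 'D:\Shared'    # folder to share
$ShareName = 'Shared$'      # trailing $ only hides the share from browsing

if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
    throw "Folder '$Folder' does not exist."
}

# Password-protected local account. The password is prompted for,
# so it never ends up in the script or in the command history.
if (-not (Get-LocalUser -Name $Account -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString -Prompt "Password for $Account"
    New-LocalUser -Name $Account -Password $password `
        -Description 'Network share access only' | Out-Null
}

# Share permissions: Read for the shared account, Full for local administrators.
# Because accounts are named explicitly, Everyone gets no entry on the share.
# The group name is localized; 'BUILTIN\Administrators' is the English one.
New-SmbShare -Name $ShareName -Path $Folder `
    -ReadAccess "$env:COMPUTERNAME\$Account" `
    -FullAccess 'BUILTIN\Administrators' | Out-Null

# NTFS permissions (Security tab): the account also needs read access on disk.
# (OI)(CI) makes the entry inherit to files and subfolders, RX is read and execute.
icacls $Folder /grant "${Account}:(OI)(CI)RX" | Out-Null

# Check the result: expect Read for the account and Full for Administrators.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```

From another machine the share is then reached as \\ComputerName\Shared$ with the shareguest credentials.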

By Tweakers user Tokkes, Sunday 25 October 2015 17:53

"On W8 and later, user accounts are always linked to online IDs (hotmail accounts)"
This is quite wrong. You can have a 'local' user account, which is not linked to a Microsoft account (does not have to be a hotmail or outlook or live-account, any email address that is linked to a Live/Microsoft/Windows ID will do).
Otherwise I do agree that sharing folders over the network in Win8 and later can be confusing due to the presence of Online-IDs.

By Tweakers user GeneralX, Sunday 25 October 2015 18:20

Tokkes is right, I did not express myself correctly. Naturally, it is possible to avoid having an online ID linked to your local account. Given the setup of most preinstalled machines, it is highly likely that users did link it to a Microsoft account though. I will adjust the text accordingly when I get back to a desktop. Thanks.

[Comment edited on Sunday 25 October 2015 18:20]

By Tweakers user Hennie-M, Monday 26 October 2015 09:40

This is a good guide but it misses a Microsoft best practice that has been in use since Windows 2000 and maybe even NT4.

When you create a share, always give all users 'Full Control' rights. There is no real use to limit rights on the share, you do that with NTFS permissions (the Security tab).

It is best to do it this way to avoid unnecessary troubleshooting. If you block at share level you can give all the users as many rights as you'd like but they won't work. Also, try to avoid using the Deny right as much as possible because that right 'wins'.

Example: you give the administrator full control on a folder and a deny right on the users group. If your user is a member of both groups, you cannot access the share.
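To see both permission layers discussed in the comment above side by side, here is a read-only report in PowerShell. It is an added example, not part of the comment or the original post. It assumes an elevated prompt on Windows 8 or later, and Get-SharePermissionReport is a hypothetical function name.

```powershell
# Added example: lists share permissions and NTFS permissions for every
# user-created share, and flags the two situations from the comment above.
function Get-SharePermissionReport {
    # Skip administrative shares (C$, ADMIN$, IPC$) and shares without a folder path.
    $shares = Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }

    foreach ($share in $shares) {
        # Layer 1: share permissions (Permissions button in Advanced Sharing).
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            $note = ''
            if ("$($ace.AccessControlType)" -eq 'Deny') {
                $note = 'Deny entry: check for users who are also in an allowed group'
            } elseif ("$($ace.AccessRight)" -ne 'Full') {
                $note = 'Limits network access even where NTFS grants more'
            }
            [pscustomobject]@{
                Share = $share.Name; Layer = 'Share'; Account = $ace.AccountName
                Type  = "$($ace.AccessControlType)"; Rights = "$($ace.AccessRight)"
                Note  = $note
            }
        }

        # Layer 2: NTFS permissions (Security tab) on the shared folder itself.
        foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
            $note = ''
            if ($ace.AccessControlType -eq 'Deny') {
                $note = 'Deny entry: check for users who are also in an allowed group'
            }
            [pscustomobject]@{
                Share = $share.Name; Layer = 'NTFS'; Account = "$($ace.IdentityReference)"
                Type  = "$($ace.AccessControlType)"; Rights = "$($ace.FileSystemRights)"
                Note  = $note
            }
        }
    }
}

Get-SharePermissionReport | Sort-Object Share, Layer | Format-Table -AutoSize
```

A user connecting over the network needs an Allow on both layers, so a missing entry or a Deny on either one is where to start troubleshooting.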

By Tweakers user GeneralX, Monday 26 October 2015 15:12

Thanks to Hennie-M, I found this useful guide to Windows file sharing. It speaks of folder structures where it is indeed very useful to set Permissions using the Security tab, provided one is using Active Directory groups.
In our modest student residence there is no such server. Hence, all groups are local. Clearly, I can manage the accounts and groups on my own PC just fine. Users are never Administrators, except for the one administrator account. Naturally, I log in as a normal user on my own PC and I have local access to the files because I put them there. The administrator has access as I said in my post. All that is left to do is add another User of which I can share the credentials. I think I can troubleshoot this just fine. Of course, I could share the folder with Everyone and restrict access in Security, but the key point here is that I do not want to share with everyone and it seems convoluted to me.
Nevertheless, I thank you kindly for your advice and if I ever have to manage Active Directory groups I will do it the proper way.

