If you have more than one computer at home or in your business, chances are you may need to share data among them. We’ve already covered this briefly in our article on how to migrate your documents to a new PC. That article is a pretty good starting point if you want to start learning about network shares and I suggest you read it before proceeding with this one. Today we’re getting into the nitty-gritty basics of how to set up sharing on Windows machines.
Note: We will not be dealing with how to set up Samba shares or how to make Linux boxes or Macs play nice with Windows networks. That’s going to be a topic for another article. Maybe.
Network shares in a nutshell
If you want multiple computers to be able to access each other’s documents, you will need to set up a network share. In its most basic form, a network share is a folder on a machine’s hard drive to which is attached a list of allowed and forbidden users known as an Access Control List (ACL). The difference between a share and any other folder on a computer is that the share is exposed to a network, whereas a folder is not. As a result, network shares will appear in your computer’s Network menu, whereas regular folders will not.
Access Control Lists
ACLs were introduced back in 1993 in Windows NT 3.1, the very first Microsoft operating system to use the New Technology kernel, or NT for short. The NT development team was composed of many UNIX veterans who felt that the traditional UNIX access control model, based on the UGO (User, Group, Others) paradigm, wasn’t suitable anymore. Compared to the UGO paradigm, ACLs provided much more granularity: not only could an administrator specify access control for each individual user or group, but they could also explicitly deny access, something that the UNIX model lacked at that time.
Creating a new share
The easy way: Creating a Homegroup
Homegroups were introduced with Windows Vista (no, don’t frown, this is one of the few things Vista did right!) in an effort to simplify sharing files, folders and devices among computers in a home environment. If you run a small business, a Homegroup can suffice for your needs, especially if you don’t want to remember more than one password. The downside to them is that they can only use randomly-generated passwords, which you’ll either have to remember by heart, save on all the PCs you run in your place of business, or write down somewhere. Although this is a reasonable security measure, I can see how people wouldn’t be so thrilled about it.
To create a Homegroup, open File Explorer and select Homegroup on the bottom left side of the screen, then click Create a homegroup.
You’ll be prompted with a wizard that lets you select which libraries you want to share. In this context, library refers to Documents, Pictures, Music, Videos, and Printers. Yes, they correspond to the elements that appear under Quick Access. However, you won’t be able to share custom libraries with this method, only default ones. Another downside is that the wizard only allows you to share with either every member of the homegroup or none of them. If you need finer granularity than that, homegroups aren’t the way to go, unfortunately.
To allow other computers to join the Homegroup, note the password given to you and repeat the same steps described above. The wizard is almost identical, except that you’ll need to enter the password for the homegroup.
Note: By default, Homegroups share data as read-only. If you need to modify a file that belongs to someone else, you will first need to copy it to your local machine. Alternatively, you may right-click the desired library or libraries and select Share with -> Homegroup (view and edit).
How pros do it: Advanced sharing
Homegroups can be useful if your needs are simple, but they don’t offer much in terms of customization. Thankfully, setting up a “normal” share isn’t much more complicated and only requires a few steps.
Creating a new share does not require an empty folder: any folder can be “promoted” to a share by simply right-clicking it and selecting Advanced Sharing under the Sharing tab. You may wonder why we’re picking Advanced Sharing instead of Share… This is actually a good question that warrants a clear answer: the two buttons do similar things, but Advanced Sharing allows for much greater control over what is shared and how. It lets you limit the maximum number of connections allowed, which can be useful to prevent your network infrastructure from getting overburdened by shares; it lets you configure whether data should be synchronised across computers for offline availability; and it lets you explicitly deny access to a particular user or group.
Clicking the Advanced Sharing button will bring up this dialog. Let’s see what each setting does.
Share name is the name that will be shown when users try to access it from another computer. It defaults to the folder name. You can use the Add and Remove buttons to assign multiple names with different permissions and user limits. These will become active only after the share has been created, however.
You can input a number to Limit the number of simultaneous users, which will prevent additional users from logging in when that limit is reached. It defaults to 20, with permitted values ranging from 1 to 20.
It’s also possible to write a comment that will appear in the Network section of File Explorer when the user hovers the mouse over the share icon, as shown in the screenshot below. This field defaults to blank.
We’ll ignore the Permissions button for now and instead will focus on Caching. This is an often overlooked feature that lets you decide whether you want to keep a copy of the files in the client computer.
Its options are self-explanatory: you can choose to only keep a copy of files that have been opened, keep no local copies at all, or keep a copy of everything from the share. In my opinion, you should opt for either the first or second option, since the third may be overkill for most networks. Additionally, the Optimize for performance checkbox has no effect on computers running the Windows Vista operating system or newer.
Permissions are the meat of sharing files and folders over a network. They’re what allow you to keep data away from people who aren’t supposed to access it. They can be set using the Permissions button in the Advanced Sharing dialog. By default, everyone has read-only access to newly-created shares. You may want to edit this to allow other users to edit the share’s content and to require user authentication to view files.
The default permissions look like this.
In Windows computers, Everyone is a group that comprises every user connected to the local network. As in, you know, everyone. You can allow or deny access to a group or user, but be wary of which users or groups you deny access to.
You can use the Remove button to… Well, remove the currently-selected item from the list. Conversely, the Add button is used to specify which users are allowed to access the share. Clicking it will bring up this dialog.
In normal usage, you won’t need to select Object types and Windows 10 Home and Pro won’t allow you to select a different Location (i.e., another computer), but you can enter a user or group name in the text field at the bottom and click Check names to see if you entered an acceptable value. Windows 10 Home won’t allow you to create custom groups, so the accepted values for groups are the following:
- Authenticated Users
Note: In actuality, Authenticated Users and Everyone aren’t really groups, but special entities called Security Principals. They act as groups for all intents and purposes, but aren’t restricted to local machines alone.
Alternatively, you can add specific permissions for specific users. In this case, just enter the user name.
Note: It should be made extremely clear that it’s only possible to add users that are present in the remote computer. If you have a machine named Accountancy with user John and he wants to access files in a computer named Executives, a user account named John must be present in that machine as well.
You can control permissions for each item in the list. Specifically, you can Allow, Deny, or grant No access. The difference between Deny and No access lies in how Windows handles permissions: denials always take precedence, even in cases where a user theoretically should have access because she has higher privileges.
Pro-tip: Be extremely wary of denying access, especially read access to Security principals and the Users group. For example, denying access to the security principal Everyone will give you exactly what you’re asking for: literally everyone will be denied remote access. Similarly, since by default every new user account is added to group Users, denying that group access will prevent every user from accessing that share.
Each item in the permission list has three configurable parameters:
- Read means that that user, group or security principal will be able to see the contents of a share and open the files inside it;
- Change enables file and folder editing and creation;
- Full control allows that user or group all the above permissions, plus the ability to edit permissions on that share.
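The settings walked through above can also be applied from PowerShell with the SmbShare cmdlets. This is an added example, not part of the original article: the folder path, share name, user limit and the local account Temp are constructed for illustration, and John is the user from the article's own example.

```powershell
# Added example. Constructed values: folder path, share name, user limit and
# the local account Temp. Run in an elevated PowerShell session on the PC
# that hosts the share (Windows 8 / Server 2012 or later).
$path    = 'C:\Shares\Accounts'
$name    = 'Accounts'
$editor  = "$env:COMPUTERNAME\John"   # gets Change
$blocked = "$env:COMPUTERNAME\Temp"   # gets an explicit Deny

# Both accounts must already exist on this machine; stop early otherwise.
Get-LocalUser -Name 'John', 'Temp' -ErrorAction Stop | Out-Null

# Any existing folder can be shared; create it only if it is missing.
if (-not (Test-Path -LiteralPath $path)) {
    New-Item -ItemType Directory -Path $path | Out-Null
}

$share = @{
    Name                = $name                   # "Share name"
    Path                = $path
    Description         = 'Accounting documents'  # the comment field
    ConcurrentUserLimit = 5                       # simultaneous users
    CachingMode         = 'None'                  # keep no offline copies
    ChangeAccess        = $editor                 # Allow: Change
    ReadAccess          = 'Authenticated Users'   # Allow: Read
    NoAccess            = $blocked                # Deny, one account only
}
New-SmbShare @share | Out-Null

# Confirm what was actually applied. The Deny entry targets a single
# account, not a group such as Everyone or Users.
Get-SmbShareAccess -Name $name |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```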
Share permissions and NTFS permissions: How they interact
Share permissions aren’t the only thing that Windows checks for when someone tries to access a resource remotely. NTFS permissions are still in effect and checked when a user tries to read, write or edit a share’s content. However, it’s possible that one of the two is less restrictive than the other. What happens in this case is that Windows will check both permission sets and determine if that user has access rights by enforcing the most restrictive set of rules.
Indeed, this can cause some eyebrow-raising if a user is getting an access denied error when in theory she should be allowed to view or edit a file. For this reason, many systems administrators suggest giving extensive privileges at the share level and much more restrictive access at the file system level.
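When share permissions are kept broad, the NTFS ACL is what actually restricts access, so it helps to list both sets side by side. The following PowerShell is an added example, not part of the original article; it assumes an elevated session and an English-language Windows install, since principal names are localized.

```powershell
# Added example: report share-level and NTFS permissions for each share.
# Run elevated on the PC hosting the shares (Windows 8 / Server 2012 or later).
$broad  = 'Everyone', 'Authenticated Users', 'Users'   # English names assumed
$shares = Get-SmbShare | Where-Object { -not $_.Special }

$report = foreach ($share in $shares) {
    # Skip shares with no folder behind them (printers, for instance).
    if (-not $share.Path -or -not (Test-Path -LiteralPath $share.Path)) { continue }

    # Share-level entries: what the Permissions button edits.
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        [pscustomobject]@{
            Share   = $share.Name
            Layer   = 'Share'
            Account = $ace.AccountName
            Type    = "$($ace.AccessControlType)"   # Allow or Deny
            Rights  = "$($ace.AccessRight)"         # Read, Change or Full
        }
    }
    # NTFS entries on the shared folder itself.
    foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
        [pscustomobject]@{
            Share   = $share.Name
            Layer   = 'NTFS'
            Account = $ace.IdentityReference.Value
            Type    = "$($ace.AccessControlType)"
            Rights  = "$($ace.FileSystemRights)"
        }
    }
}
$report | Sort-Object Share, Layer | Format-Table -AutoSize

# Entries worth a second look: a Deny on a broad principal (it locks out
# everyone in it), or a broad principal that can write at the NTFS layer.
$flagged = $report | Where-Object {
    $leaf = ($_.Account -split '\\')[-1]   # drop "BUILTIN\" style prefixes
    $leaf -in $broad -and (
        $_.Type -eq 'Deny' -or
        ($_.Layer -eq 'NTFS' -and $_.Rights -match 'FullControl|Modify|Write')
    )
}
$flagged | Format-Table -AutoSize
```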
Since this article is about shares, however, we’re not going to discuss NTFS permissions in depth. That’s a topic for another article.