Facilitate sharing to enhance network security

A workstation share lets users on your network share directories, files, and printers that reside on a Windows NT workstation. You can use sharing to enhance security on your network by granting users only the permissions to shares that they need to do their job. However, no matter how well you plan your network shares, events don't always run smoothly and complications are inevitable. Although in this article I can't cover every difficulty you might experience with shares, I focus on some common problems that administrators encounter.

One of my users accidentally deleted administrative shares from a workstation. How do I recreate them?

You can recreate the shares in Windows NT 3.5 and later by using the following commands. (In earlier NT versions, deleting administrative shares permanently isn't possible.)

At a command prompt, type

net share admin$

The system will respond with the following output:

Share Name   Admin$
Path         C:\WINNT
Remark       Remote Admin
Max Users    No Limit
The command completed successfully.

Now, at the command prompt, type

net share C$=C:

The system will respond with the following output:

C$ was shared successfully.

Is there a way I can save and restore existing Windows NT shares?

Yes, if you need to restore the shares for one of these three reasons: You've made a clean installation of NT over an existing NT installation, you've moved all data drives from one machine to another, or you've installed NT on a different drive or directory on a machine that already has NT installed.

You can save share names and any permissions that the original NT installation assigned to the shares. Be aware that you can't perform this procedure on a Macintosh volume. To save the share names and their permissions, take the following steps.

  1. At the NT machine that contains the share names and permissions that you want to save and restore, run the Registry Editor (regedt32.exe).
  2. Select the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares Registry key.
  3. From the Registry menu, click Save Key.
  4. Save the file to a 3.5" disk with a new filename. You don't need to add an extension; NT will add one for you.
  5. Reinstall NT on the machine over the existing installation.
  6. Reboot the machine, then run the Registry Editor.
  7. Select the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares key.
  8. From the Registry menu, click Restore.
  9. Enter the path and filename of the file you saved in step 4.
  10. Reboot the server.

Step 9 will override any shares that exist on the new NT installation with the share names and permissions on the file you are restoring from. If you decide that you shouldn't have restored the Shares key after you perform this procedure, you can reverse the process only if you haven't rebooted and logged back in after the restoration. To reverse the process, when you restart the machine for the first time after you've restored the shares, press the spacebar to restore the Last Known Good configuration. Doing so restores the machine to its original configuration. If you press the spacebar and your machine doesn't return to its original condition, you've already rebooted and logged back in, thus overwriting the Last Known Good configuration.

This procedure restores only domain users' permissions; it doesn't restore local users' SIDs. Therefore, you'll lose the local users' permissions you previously created. Network users need to use the Net Shares command to use the shares. After you reboot, you can view all the shares on the machine in Windows Explorer after you create a new share.

When I used the Windows NT 4.0 Server Manager for Domains to recreate an administrative share (i.e., ADMIN$ or C$), I tried to specify permissions on the share. This action seemed to cause a general protection fault error message. Why did this happen?

When you try to specify permissions on an administrative share, you see the error message

services.exe
Exception: access violation (0xc0000005), Address: 0x77f64bc3

You don't need to set permissions on the administrative shares you recreate. The system sets these permissions, and you can't change them. In fact, in NT 3.51, this problem doesn't exist. If you try to change permissions in NT 3.51, a pop-up window states "This has been shared for administrative purposes. The permissions cannot be set." Installing Service Pack 4 (SP4) will correct the problem by making it impossible for you to change permissions for administrative shares, just as in NT 3.51.

I've found numerous testdir.tmp files on my shared NTFS volume. What are they, and do I need to delete them?

When a user copies a file or folder to a shared NTFS volume, Windows NT creates a testdir.tmp file. If the user account or group has Full or Delete permissions on the volume, NT deletes the temporary file after the user copies the file or folder. However, if the user doesn't have Delete permissions for the NTFS volume, NT can't delete the temporary file. To resolve this problem, assign users Delete permissions. You can delete old testdir.tmp files, but be careful not to delete any temporary files that might be in use.

I created a share for a CD-ROM, but I can't always access it over the network. I sometimes get an Access Denied error message when I try to access the CD-ROM remotely. When I try to access the share name \\machine name\share name either remotely or locally, I get a File Not Found error message. I can share the hard disk remotely or locally with no problem. What's wrong with the CD-ROM share, and how can I fix the problem?

You can resolve this problem by editing the AllocateCDRoms:REG_SZ Registry entry. Windows NT considers the CD-ROM drive to be a volume; therefore, you can share the drive as an administrative share on the network. When the value of the AllocateCDRoms Registry entry is set to 1, NT assigns the drive to the local user as part of the interactive logon process. This assignment means that only the currently logged on local user can access the drive. NT prevents administrators and remote users, including the user who created the share, from accessing the drive when a local user is logged on to the computer. You can share the drive again when the local user logs off the computer. Setting the AllocateCDRoms Registry entry to 0 lets administrators in the domain access compact discs in the CD-ROM drive.

Before making changes, back up the Registry and update the Emergency Repair Disk (ERD). To edit the AllocateCDRoms entry, take the following steps.

  1. Start the Registry Editor (regedt32.exe).
  2. Select the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Registry key, then select the entry AllocateCDRoms:REG_SZ.
  3. Change the entry's value to 0.

Can I copy files and directory structures to other partitions, hard disks, or computers and still maintain the NTFS and share permissions?

Yes, if you perform the following procedure on an NTFS partition. This procedure requires you to use two utilities in the Microsoft Windows NT Server 4.0 Resource Kit—Scopy.exe and Permcopy.exe.

Scopy is a command-line utility that lets you copy files and directories to and from NTFS partitions and keep the files' and directories' security intact. To use Scopy, you must log on as a member of the Administrators group; if you copy files from one machine to another, you need to log on as a member of the Administrators group on both of the machines involved. Scopy.exe won't copy from High-Performance File System (HPFS) or FAT file systems.

Scopy's syntax is

Scopy [Source] [Destination] [/o] [/a] [/s]

Here's an example:

Scopy C:\Source D:\Destination /o /a /s

To copy owner security information to the destination directory, use the /o switch. When you use the /a switch, you can copy all existing auditing information directly to the destination directory. To use the /a switch, you must have the Manage Auditing and Security Log user right, which you obtain from the User Right Policy menu in User Manager for Domains. The /s switch copies all subdirectories to the destination directory. You can display all these command-line switches by using the /? switch.

Permcopy is a command-line utility you use to copy ACLs from one share to another. Permcopy's syntax is

Permcopy \\[SourceComputer] [ShareName] \\[DestinationComputer] [ShareName]

Here's an example:

Permcopy \\SComputer testing \\DComputer testing

Use the following procedure to copy the files or directories. (Note that the destination directory on the root of the destination drive must be present for Scopy to succeed.)

  1. Run scopy.exe with the /s switch and any other necessary switches. This action will copy the subfolders and files from the source machine to the target directory on the new partition. Check to make sure that everything copied properly.
  2. You must recreate the share names on the directories because Scopy doesn't create or copy this information for you. You need to recreate the share names exactly as they were on the source machine. You must recreate share names before you can copy the share-level permissions from the old share on the source computer.
  3. Run permcopy.exe to copy the share permissions from each of the original shares to each of the new target shares on the new partition.

If you copy files or directories from one domain to another domain, you need to remove local groups from file permissions before using the Scopy /o switch to copy files. If you don't do so, Scopy will create the appearance that local groups have permissions to files and directories that Scopy copied; however, such permissions don't exist. Consequently, if a user's only access permissions to the files or directories derive from membership in the domain's local group, NT won't allow the user access.

How can I create and manage shares on a remote machine?

With Administrator permissions, you can use Server Manager for Domains to remotely view shares on a computer, add new shares and remove shared directories, and monitor and control shared-file use. To create and manage share directories through Server Manager, select the Computer Name for the share, Computer, Shared Directories. The Shared Directories dialog box offers three choices: New Share, Properties, and Stop Sharing. In the New Share dialog box, you create a share by entering the Share Name and Path and setting the User Limit and Permissions on the share. The Properties dialog box lets you view and change current share information. Clicking the Stop Sharing button will immediately end a share without verification, so use this button with caution. When you stop a share, users who are connected to the share can lose data.

The Shared Directories dialog box's Shared Directories On list displays the computer's shared directories and the path to each directory. The list also displays resources that administrators or end users have shared. The system creates special shares for administrative and system use that you shouldn't usually remove or modify. Some special shares can appear on the list, depending on the workstation's configuration.

When I use RAS to connect to a server and also use Uniform Naming Convention (UNC) shortcuts, the shortcuts don't work. What's wrong, and how can I fix the problem?

This problem usually occurs on servers with 700 or more shares when the WNetGetResourceInformation function times out. When a workstation or server requests share names, WNetGetResourceInformation retrieves all the share names on the server and sends them to the requesting workstation or server. WNetGetResourceInformation has an associated timer function, NetLinkTimeout, with a default set to 7.5 seconds. The combination of a slow link to the server and a large amount of requested information causes the timeout.

To resolve this problem, you can add or modify the NetLinkTimeout Registry value on the computer requesting the shares. Then, you can adjust the value's default time setting and eliminate the timing-out problem. To add the NetLinkTimeout value, take the following steps.

  1. Run regedt32.exe, and locate the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer Registry key.
  2. If the key doesn't exist, create the following values to adjust the default time setting for WNetGetResourceInformation. Go to the NetLinkTimeout value (of data type REG_DWORD), and set the value to 9000. (This measurement is in milliseconds. The default for this value is 7500ms.)

Setting this value to 9000 will increase the timeout value to 9 seconds. If the function continues to time out, increase this value in increments of 1500 until timeouts no longer occur.

How do I create hidden shares?

To create a hidden share, whether for a directory or printer, add $ to the end of the share name. When you make this simple addition, the share name won't appear in share listings and users who don't need access to the share won't know that it exists. Creating hidden shares increases security for directories that contain sensitive information and for printers to which you need to limit access. Users who know the share name and have the proper permissions can still access the share.
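
A trailing $ only keeps a share out of listings, and administrative shares can be deleted by accident, so it helps to review each machine's net share output for both conditions. The Python script below is an added example, not part of the original article: it parses a share listing and reports missing administrative shares and hidden shares that someone created. The sample listing, the Payroll$ and Public shares, and the function names are constructed for illustration.

```python
# Constructed `net share` listing (not captured from a real host), built in the
# fixed-width layout the command prints: share name, resource, remark.
ROWS = [
    ("IPC$", "", "Remote IPC"),
    ("ADMIN$", "C:\\WINNT", "Remote Admin"),
    ("D$", "D:\\", "Default share"),
    ("Payroll$", "D:\\Finance\\Payroll", ""),
    ("Public", "D:\\Public", "Team files"),
]
SAMPLE = "\n".join(
    [f"{'Share name':13}{'Resource':32}Remark", "", "-" * 79]
    + [f"{n:13}{r:32}{m}" for n, r, m in ROWS]
    + ["The command completed successfully."]
)


def parse_net_share(text):
    """Return {share name: local path}, using the header row for column offsets."""
    shares, cols = {}, None
    for line in text.splitlines():
        if line.startswith("Share name"):
            cols = (line.index("Resource"), line.index("Remark"))
        elif cols and line.strip() and not line.startswith(("---", "The command")):
            shares[line[:cols[0]].strip()] = line[cols[0]:cols[1]].strip()
    return shares


def audit(shares, fixed_drives):
    """Report missing administrative shares and hidden shares someone created."""
    # ADMIN$ and <drive>$ are the administrative shares the article names;
    # IPC$ is the other system-created share on an NT machine.
    expected = {"ADMIN$", "IPC$"} | {d.upper() + "$" for d in fixed_drives}
    present = {name.upper() for name in shares}
    return {
        "missing_admin": sorted(expected - present),
        "hidden_custom": sorted(n for n in shares
                                if n.endswith("$") and n.upper() not in expected),
        "visible": sorted(n for n in shares if not n.endswith("$")),
    }


if __name__ == "__main__":
    report = audit(parse_net_share(SAMPLE), fixed_drives=["C", "D"])
    for finding, names in report.items():
        print(f"{finding}: {names}")
```

To audit a real machine, save the output of net share to a file and pass its contents to parse_net_share. Share names longer than the first column wrap onto a second line in real output, which this parser does not handle.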