Monthly Archives: July 2007

The Importance of Simple File Sharing – Part Two

Screenshot of Folder Options dialog box, showing how Simple File Sharing in Windows XP Professional is enabled or disabled

Screenshot of Folder Options dialog box, showing how Simple File Sharing in Windows XP Professional is enabled or disabled

In my previous post, I emphatically advised all administrators who have Windows XP computers in their list of responsibilities to to study Microsoft Support article 304040. As the support article suggests, Simple File Sharing strategically changes Windows XP mode of operation. The most important changes include:

  1. Properties dialog box: When Simple File Sharing is enabled, a simplified Sharing tab is used to manage both NTFS permissions (NTFS ACLs) and File Sharing permissions (SMB/CIFS ACLs) in a simplified manner. File and folder permissions (DACL) and audit rules (SACL) are not available.
  2. File and folder permissions: With Simple File Sharing on, Windows Explorer no longer retains file and folder permissions  when files and folders are moved around an NTFS volume. Traditionally, files retained even their inherited NTFS permissions when they were moved within the volume. This simple behavior is suitable for home computers when family members want to quickly exchange files. The classic behavior is an invaluable jewel for enterprise managers, where security is so important that ease of use is often sacrificed. This change, however, only affects Windows Shell. Other programs which do not use Windows Shell API continue to retain file and folder permissions regardless of Simple File Sharing configuration.
  3. Authentication: With Simple File Sharing active, Net Logon service no longer tries to authenticate network users: Every connection is admitted in context of the Guest user account. As a result:
    1. Neither managers nor attackers shutdown the computer remotely via standard Windows API.
    2. Remote access to file system, memory objects (via CIFS/SMB protocols) and registry (via Remote Registry service) is restricted to that of a Guest (which is very limited indeed.)
    3. Remote software installation via ActiveDirectory and Windows Installer is impossible, although joining a Windows XP Professional computer to a domain will cause Simple File Sharing to be disabled.
    4. Access to services, drivers, WMI and Microsoft Management Console is very limited.

Simple File Sharing is a local machine setting. Only administrators can turn it on or off, and when turned on or off, it affects any operation under any user account on the same machine. This setting is permanently enabled in Windows XP Home Edition and cannot be disabled.

%d bloggers like this: