File Sharing Under Windows XP / Vista

Depending upon your specific needs, you can get Windows XP in any one of five editions. Of those five, the two best known ones - XP Home and XP Pro - differ in how they affect your ability to share files. Both the Home and Pro editions have their advantages and disadvantages. There are also 5 well known editions of Windows Vista, though the distinctions between the Home and Business (not Professional) edition groups will be less relevant to Windows Networking issues.

This article will focus on how Windows XP and Vista are similar, with specific differences noted. In Windows XP And Vista On The LAN Together, I focus on differences in Windows Vista.

Please spend a few minutes deciding how you wish to use your computer, and whether you wish others to use your computer. If your computer is running Windows XP, make sure that you know which edition of Windows XP it is.

Windows XP Home has few options, and is easier for the typical home user to set up. Windows XP Pro / Vista (in its various editions) is more versatile, and can be used in different ways, depending upon what other computers are on the LAN, and how secure you want your shared data to be.


Simple File Sharing

If your computer runs XP Home, then it has Simple File Sharing already. SFS, which only uses Guest authentication, cannot be disabled under XP Home, without some work.

If your computer runs XP Pro, or XP Media Center Edition, it may have SFS. If you want to enable Simple File Sharing on a computer running XP Pro or MCE, from Windows Explorer:

  • Select Tools - Folder Options.
  • On the Views tab, scroll to the end of the long Advanced settings list.
  • Check "Use simple file sharing".

To use Simple File Sharing on any XP server, Home or Pro, make sure that the Guest account is properly activated, and the password is consistently set (blank or non-blank), on both the client and the server.

On a computer running Windows Vista, you disable Password Protected Sharing, giving the equivalent of Simple File Sharing.

Please note the limitations of Guest authentication, when working with Simple File Sharing / PPS Disabled.


Advanced aka Classic File Sharing

Advanced aka Classic File Sharing is available, as an alternative to Simple File Sharing, on XP Pro or MCE. To use AFS to its full advantage, you need to have formatted the drives, on the server, with NTFS. You then need to disable Simple File Sharing. From Windows Explorer:

  • Select Tools - Folder Options.
  • On the Views tab, scroll to the end of the long Advanced settings list.
  • Uncheck "Use simple file sharing".

On a computer running Windows Vista, you enable Password Protected Sharing, giving the equivalent of Advanced File Sharing. Unlike Windows XP, the option to enable PPS is available in all editions of Windows Vista.

Next, identify a folder that you want to share on the network, but share selectively.

  • Set up and use an account (with matching password) on both the client and the server.
  • Make sure that the account is properly activated on the server.
  • In Windows Explorer, right click on the folder in question, and select Properties.
  • On the Sharing tab, select "Share this folder" and give the share a name.
  • Hit Permissions, and make sure Everyone has full rights.
  • On the Security tab, find and select your account in the "Group or user names" list. If your account isn't in the list, Add it.
  • In the Permissions list, make sure your account has the appropriate permissions. And make sure that no other accounts have inappropriate permissions.

Note that, if you want some openly available shares also, this can be done quite easily.

  • On the Sharing tab, select "Share this folder" and give the public share a name.
  • Hit Permissions, and make sure Everyone has full rights.
  • On the Security tab, find and select the group "All Users", "Everyone", or "Users", in the "Group or user names" list.
  • In the Permissions list, make sure the group selected has the appropriate permissions.
  • Set up Guest, (with matching or no password) on both the client and the server.
  • Make sure that Guest is properly activated on the server.

Please note the limitations of Guest authentication, when setting up any share for non-selective access. And if you have a LAN with both XP Home and XP Pro systems, be careful when enabling Advanced File Sharing on an XP Pro system. Unbalanced authentication can have complex results.


Get The Terminology Right Here

When you look at the Welcome screen, and you have multiple users setup on your computer, you'll see a list (or group) of users, identified by User Name. When you change a password, or the picture associated with that user, you'll use the User Accounts wizard in Control Panel. Here too, you'll see a list of users, identified by User Name.

If you rename a user, or if you use any advanced procedures or wizards, there is another very relevant term - account. When you setup a user, using the User Accounts wizard in Control Panel, Account = User Name. For each account / user, a set of subfolders, under "C:\Documents and Settings" is created. This is the user profile.

  • You can change a User Name at any time, but the account, and the user profile, stays the same.
  • You can make much more versatile changes using the Control Panel - Administrative Tools - Computer Management - Local Users and Groups - Users wizard. Here you can change the account name, and profile path.
  • If you disable the Welcome screen, you login using the account name and password.

So, if you ever rename a User, and see elements of the previous name, you now know why.


Activate An Account Properly For Network Access

Whether you're depending upon the Guest account, or a non-Guest account, for authentication, the account that you use has to be properly activated. You use the Control Panel - User Accounts applet, to activate (or deactivate) an account for local use.

There are two possible ways to activate (or deactivate) an account for network access:

  • Run the "net user" command. Enter, in a command window (which will be slightly different, for Windows Vista):

    net user AccountName /active:yes

    • (Substitute actual account name for "AccountName").
    • (Substitute "no" to deactivate).

    NOTE: There are 4 "words" (sequences of non-blank characters, separated by spaces) in the command. If you have any doubt about where a space is needed, copy and paste as above (substituting the account name, and "no" or "yes", as appropriate).
  • Alternatively, for Vista Business or Ultimate, or XP Pro, run (Control Panel - Administrative Tools - ) Computer Management. Under System Tools - Local Users and Groups - Users, find the account (Guest or non-Guest) in question. Double-click (or right-click, and select Properties), and clear (or check) "Account is disabled".

Finally, for XP Home, for XP Pro using Simple File Sharing, or for Vista with PPS Disabled, make sure that Guest, in addition to being activated, has the appropriate rights.

Synchronise Passwords On Accounts

Always synchronise passwords (for the Guest or non-Guest account) on all computers - make them identical (or blank) on each. For best results, make your password policy consistent throughout your network.

To set the password, you need to run the UserPassword applet.

  • Enter, in a command window, "control userpasswords2" (less the "").
  • Select the account of interest in the User Accounts list.
  • Hit the Reset Password button.
  • Type either a blank, or non blank password, identically, into both "New password" and "Confirm new password" fields.
  • Hit OK twice.

Synchronising passwords can be tricky in a mixed LAN (home and business/pro operating system editions together). With home editions (Vista or XP Home), the default is to have no password on the Guest account (it is, after all, anonymous). With business / professional editions (Vista Business / Enterprise / Ultimate, XP Pro), you have to Disable the Local Security Policy setting, under Security Options, "Accounts: Limit local account use of blank passwords to console logon only", if your server is going to allow network access using accounts with blank passwords.
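An added example, not part of the original article: a PowerShell audit of the three things this section and the previous one ask you to verify on the server - that the account is activated, whether the blank-password policy will refuse it over the network, and (on XP) whether ForceGuest means only Guest matters anyway. It assumes PowerShell 2.0 or later (installable on XP and Vista), run from an elevated prompt on the server; "Guest" is just the default account name.

```powershell
# Added audit script (not from the original article). Assumes PowerShell 2.0+
# running elevated on the file server; substitute the account you share with.
param(
    [string]$AccountName = "Guest"
)

$lsa = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"

# 1. Is the account activated for use? Win32_UserAccount.Disabled mirrors the
#    "Account is disabled" box in Local Users and Groups and "net user".
$acct = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='$AccountName'"
if ($acct -eq $null) {
    Write-Host "Account '$AccountName' does not exist on this computer."
    return
}
if ($acct.Disabled) {
    Write-Host "'$AccountName' is DISABLED. Activate it with (4 words, as in the article):"
    Write-Host "    net user $AccountName /active:yes"
} else {
    Write-Host "'$AccountName' is active."
}

# 2. Blank-password policy. LimitBlankPasswordUse=1 is the registry form of
#    "Accounts: Limit local account use of blank passwords to console logon
#    only" = Enabled. With it set, an active account with a blank password is
#    still refused for network logon. Assumption: an absent value is treated
#    here as Enabled, which is the XP Pro / Vista Business default.
$limit = (Get-ItemProperty $lsa -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue).LimitBlankPasswordUse
if ($limit -eq $null) { $limit = 1 }
if ($limit -eq 1) {
    Write-Host "Blank passwords limited to console logon (policy Enabled)."
    Write-Host "Give '$AccountName' the same non-blank password on client and server, or Disable the policy."
} else {
    Write-Host "Blank-password network logon is permitted (policy Disabled)."
}

# 3. ForceGuest (Windows XP only): 1 = Simple File Sharing, so every network
#    logon is mapped to Guest and any non-Guest account is irrelevant.
$forceGuest = (Get-ItemProperty $lsa -Name forceguest -ErrorAction SilentlyContinue).forceguest
if ($forceGuest -eq 1) {
    Write-Host "ForceGuest=1: Simple File Sharing; only the Guest account's status matters."
} elseif ($forceGuest -eq 0) {
    Write-Host "ForceGuest=0: Advanced File Sharing; '$AccountName' must also exist, with the same password, on the client."
}
```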


Making File Sharing Work

Once you get past the issues involved in accessing the server, such as browsing and name resolution, there are the issues of accessing the data itself - authentication ("Who are you?"), and authorisation ("Do we want you to have access here?").

What authentication method are you using?

The message

Logon failure: the user has not been granted the requested logon type at this computer.

is easy to resolve under XP / Vista Pro, but may require extra effort under a home edition. Remember, the edition of the operating system on the server is what's relevant here.

With XP / Vista Pro, there are a pair of Local Security Policy lists, under User Rights Assignment.

  1. "Deny access to this computer from the network".
  2. "Access this computer from the network".

Authentication varies depending on whether this is a domain or a workgroup.

  • In a domain, you need an activated account on the domain controller.
  • In a workgroup, you need identical, activated accounts, with identical passwords, on both the client and the server.

Authorisation is described in Server Access Authorisation.

If the files and folders in question have been properly setup and shared as above, and you're getting only partial access (maybe Read, although you intend to grant Write access), check both the Share and NTFS Authorisation lists.

Remember that if you grant access, to the share in question, to "Everyone", that refers to Everyone who is properly authenticated. Either a properly setup Guest account (on the server), or non-Guest account (for a workgroup, on both the client and server, with matching passwords), is still required.

Note: Vista uses deny by default, so if you want "Everyone" (Guest) to have access, you have to explicitly add permission - new shares don't give Full permission automatically (though in some cases, "Everyone" may have read access by default). Always check Security and Sharing, when there is a question.

With XP / Vista Home, you don't have the Local Security Policy Editor. And Simple File Sharing doesn't give you the ability to set access rights either. In that case, you'll have to use extra software and procedures.

If you're using Guest authentication, and still getting "access denied" after all of the above steps, check the restrictanonymous setting.
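An added example, not part of the original article, for the two checks just described: it lists the Share permissions beside the NTFS permissions of the same folder (the partial-access case above, where "Everyone: Full" on the share still yields Read if NTFS grants only Read), then reports the restrictanonymous and RestrictNullSessAccess values that the Guest Authentication section also names. Assumes PowerShell 2.0 or later, elevated, on the server; the share name "Public" is a placeholder.

```powershell
# Added audit script (not from the original article). Assumes PowerShell 2.0+
# running elevated on the file server; substitute a share name from "net share".
param(
    [string]$ShareName = "Public"
)

$share = Get-WmiObject Win32_Share -Filter "Name='$ShareName'"
if ($share -eq $null) { Write-Host "No share named '$ShareName'."; return }
Write-Host "Share '$ShareName' -> $($share.Path)"

# Share permissions: the DACL of the share's security descriptor.
# AceType 0 = Allow, 1 = Deny. The three masks below are what the Sharing tab
# calls Full Control, Change and Read.
$names = @{ 0x1F01FF = "Full"; 0x1301BF = "Change"; 0x1200A9 = "Read" }
$setting = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
$dacl = $setting.GetSecurityDescriptor().Descriptor.DACL
Write-Host "`nShare permissions:"
if ($dacl) {
    foreach ($ace in $dacl) {
        $kind = if ($ace.AceType -eq 1) { "Deny " } else { "Allow" }
        $right = $names[[int]$ace.AccessMask]
        if ($right -eq $null) { $right = ("0x{0:X}" -f $ace.AccessMask) }
        Write-Host ("  {0} {1,-30} {2}" -f $kind, $ace.Trustee.Name, $right)
    }
}

# NTFS permissions on the underlying folder. Effective access is the more
# restrictive of the two lists, and a Deny on either side wins, so compare
# the account (or Everyone / Guest) on both before blaming authentication.
Write-Host "`nNTFS permissions on $($share.Path):"
foreach ($rule in (Get-Acl $share.Path).Access) {
    Write-Host ("  {0,-5} {1,-30} {2}" -f $rule.AccessControlType, $rule.IdentityReference, $rule.FileSystemRights)
}

# The two registry values the article names for Guest / anonymous access.
# restrictanonymous: 0 allows anonymous enumeration; a nonzero value restricts it.
# RestrictNullSessAccess: 1 limits null-session access to the shares listed in
# NullSessionShares, so other shares are refused to anonymous callers.
$lsa = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$srv = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
Write-Host "`nrestrictanonymous      = $($lsa.restrictanonymous)"
Write-Host "RestrictNullSessAccess = $($srv.RestrictNullSessAccess)"
Write-Host "NullSessionShares      = $($srv.NullSessionShares)"
```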

Even with all of the above advice, there are known scenarios, with varying symptoms, with but one common factor - recent (or not) application of certain Windows Updates.

Next, look at the complete and exact text in any observed error messages. Some very obscure errors have very simple resolutions.

And finally, repeat Troubleshooting Network Neighborhood.


Windows XP / Vista In A Domain

If you have a network with more than 3 or 4 computers, running Windows XP or Vista, a domain is worth considering. Both Windows XP Home and XP Pro (and their related editions), and the various editions of Vista, can be used in a domain, but in different ways.

A Windows XP / Vista Home edition computer can only join a workgroup; it cannot join a domain. Windows XP Media Center has the same internal components as XP Pro; however, XP MCE 2005 (KB887212) will not join a domain either.

If a Home edition client computer is on the same network with a domain, the computers in the domain should be visible, in Network Neighborhood, under Entire Network - Microsoft Windows Network - (name of domain). The Home edition computer(s) will not, however, be visible from other clients, or from the servers, in the domain, unless there is a browser server available for the workgroup of which the computer is a member (or if that computer is running the browser on its own).

If a Home edition client computer is on the network with a domain, the computer can be made a Member of a workgroup, with the workgroup name the same as the domain name. This will allow the servers in the domain to be visible, in Network Neighborhood, and will make the client visible from other clients, or from the servers, in the domain.

Users on a Home edition client will have to authenticate to any domain servers as they would in a workgroup - using accounts defined locally on each client and server.

A Windows XP Professional computer can join a domain, just as any other Windows NT based computer, and can access domain resources in the same way. However, several XP features will be unavailable:

  • Fast User Switching.
  • Simple File Sharing.
  • Logon Welcome Screen.

Depending upon how your domain is setup, an XP / Vista computer may have problems logging in to the domain, and may require changes in the domain itself.


Guest Authentication

Guest authentication is an option under Windows XP Pro with Advanced File Sharing, and for Windows Vista with Password Protected Sharing Enabled. For Vista with PPS Disabled, XP Pro with Simple File Sharing, and XP Home, Guest is the only available authentication. Guest authentication is part of the authentication decision process, in general.

With Guest authentication, you have normally two choices for any otherwise shareable folder: whether to allow access to it, and whether to allow read-only or read-write access. All shared folders and files are equally accessible by everybody who has access to the network.

If your server only uses Guest authentication, any shared data is offered, on the network, based upon the status of the Guest account on the server. Other accounts on the server, and on any clients, will not be relevant. Make sure that the Guest account is properly activated for network access.

The Guest account, by definition, is a limited access account, and is similar to anonymous access under Windows. If your server only uses Guest authentication, your computer can't be accessed with administrative authority, thru the network.

Shares which require administrative access, such as C$, "C:\Program Files", and "C:\Windows", can't be accessed thru the network, if shared using Guest authentication. No matter what authority you are logged in with, to a client computer, when you access any server using the Guest account, those shares, and any folders and files within those shares, will be inaccessible. Any files that you want to be accessible thru the network should be kept in the Shared Documents folder, and they will be accessible to everybody.

Remember that the various folders in "C:\Documents and Settings" ("C:\Users" in Windows Vista) contain the personal data for each user of that computer. Those folders, by design, can only be accessed by the owner of the data, or by an administrator. Guest is neither of those, and shouldn't be expected to have access. The public portions of "C:\Documents and Settings" ("C:\Users"), if at all accessible to Guest, may be read only.

If a computer using Guest authentication is providing browser services for other computers, those other computers, when running browstat, and having no other errors, will show an "error = 5" (access denied) when trying to access the registry on the browser.

Master browser name is: PChuck1
could not open key in registry, error=5 unable to determine build of browser master:5

Other network related tasks, like remote registry access, and remote shutdown, won't work either. Those tasks require administrative access. Utilities like CPSServ won't be able to diagnose problems on a computer using Guest-only access, through the network.

The Guest account may not provide network access if the restrictanonymous setting has the wrong value. The Guest account may not provide network access to specific shares, if the RestrictNullSessAccess setting has the wrong value.

For more information about the Guest account, see Microsoft: Description of the Guest account in Windows XP.

If you need to do so, you can give additional authority to Guest. How to add authority will depend upon your edition and file sharing.


Non-Guest Authentication

Non-Guest authentication is much more granular than Guest authentication, on a server using NTFS. It is possible on a server running Windows 2000, Windows XP Pro, with Advanced File Sharing, or Windows Vista with Password Protected Sharing (PPS) enabled. If your server has XP Home, XP Pro with Simple File Sharing, or Vista with PPS disabled, you'll be using Guest authentication. Like Guest authentication, it's part of the same decision process.

Once you're authenticated, whether with a Guest or a non-Guest account, you need to be authorised. Authorisation, under AFS / PPS, is much more granular than Guest authorisation under SFS.


The Authentication Process - Step By Step

You authenticate in 4 possible scenarios, based upon the status of both the client and the server.

  1. If
    • The client is running Windows Vista Pro (Business, Enterprise, or Ultimate), XP Pro, or Windows 2000.
    • You previously logged in to this server from this client, and selected "Reconnect at login".
    your computer will have cached a token for server access. Your computer will supply the token, and you will be given server access transparently ("transparent token caching").
  2. If
    Your computer will supply the token, and you will be given server access transparently ("transparent first time login").
  3. If automatic non-Guest authentication is not possible, the server is checked for the Guest account having been activated for network access. If Guest is activated, and has no password, you will be given automatic Guest access.
  4. If neither automatic non-Guest, nor Guest, access is possible, you will have to supply the token manually. You will have to login to the server, interactively, using an account that is activated for network access on the server, with correct password. You may have the opportunity, here, to select "Reconnect at login" (based on Rule 1).
  5. If there is no account activated for network access, you will see the old
    ... access denied.
    or similar well-known error.


Windows XP And Other Operating Systems

Windows XP was designed to allow the merger of the two older operating system families - Windows 9x (Windows 95 / 98 / ME - predominantly home systems), and Windows NT (NT / 2000 / 2003 - predominantly business systems). By carefully choosing Advanced vs Simple File Sharing on your computer, it can better operate on the LAN with your computers running older systems. And, looking forward, it can operate fine on the LAN with your computers running Vista.

Simple File Sharing, which is selectable under XP Pro but not under XP Home, uses Guest authentication only. It makes it easier to setup sharing with Windows 9x systems, by simply creating openly available shares.

Advanced aka Classic File Sharing is directly compatible with file sharing under Windows NT / 2000 / Server 2003. It can use Guest, or it can use non-Guest, authentication.

Windows XP will share files with an XBox 360, given a small amount of work.

For additional details describing file sharing issues relevant to Windows XP and to other operating systems, see:


Authentication Protocols

As described above, any connection created between a client and a server involves some form of authentication. The person using a client computer must prove who he / she is, so the server can decide whether to allow access. The simplest form of authentication is a simple account / password exchange. The user inputs the account (public secret) and password (private secret), these are passed to the server, which matches the two against its database.

Original versions of Windows, before NT V4.0, used LAN Manager Authentication, which used this strategy. Starting with Windows NT V4.0, authentication protocols of increasing complexity have been used.


Local Access Issues

If you follow recommended procedures, and setup your accounts to allow file sharing, you will have identical, non-blank passwords on the accounts. As I said above, by default, Windows XP Pro requires non-blank passwords for accounts used for network access.

Maybe you're accustomed to not logging in at all when you turn your computer on - just start it, it comes up with the desktop, and you get to work. Or maybe you'd like to do this, but don't know how. Well, Ramesh, another MVP, has written up the procedure for making your computer login automatically, in his article Configure Windows XP to Automatically Login.


7 comments:

ehgoodrich said...

Chuck,
Still reading through your blog with interest. I was a bit surprised to read your recommendation to:
"Always synchronise passwords (for the Guest or non-Guest account) on all computers..." in this topic.
While this might be acceptable in many situations, I would have thought that in certain cases, it might be more secure to require the client to connect to a share using a separate token via the "Connect As..." dialog. Is there some reason you didn't touch on this functionality??
Also, what file sharing option(s) do you recommend for the best security in a small (<10) workstation environment with varying degrees of access needed between the members ??

Chuck said...

Hey EH,

Good questions. This issue applies for XP Pro, in a workgroup. For XP Home, there's no token caching. For XP Pro in a domain, token caching is automatic.

The question of whether it's better to connect, each time, using an explicit password vs connect, repeatedly using a token, has been posed before.

That would make a good article, so I will add it to my list. Thanks for the idea.

If you have varying degrees of access requirements, XP Home is out. I try to recommend XP Pro and a domain for 5 or more clients, but normally 8 - 10 is the decision point. I almost always suggest a domain though.

ehgoodrich said...

Yes, I should have been more specific in my post: my questions assume XP Pro in a workgroup environment.

I thought that tokens generated by the Connect As... dialog (using a specific user/password) could also be cached for later use (rather than having to specify them each time)??

Given the environment mentioned (workgroup XP Pro), what would be your answer to my 2nd question??

Thanx,
emmette

Chuck said...

Emmette,

A token is an authentication that is cached on the client computer, and used for connection to a server (a specific user/password for later use rather than having to specify them each time).

Since a token is specific to each user of a client computer, it can't be used by another person. Using a token, to automatically connect to a server, is just as safe as the initial local connection to the client.

If you have a computer running XP Pro, or any Pro edition of Vista, that's how I recommend that you connect. Using tokens is safe, if the client computer is safe.

Galane said...

I have some 2000 Pro, XP Pro and Vista Ultimate systems on a LAN that's not connected to the internet.

I just want everything on all of them totally open to each other, like it was with Win9x. Share a drive or printer and it's *shared*, just browse to it in Explorer and have fun. No need for logins, passwords or anything getting in the way. They're MY computers, nobody else touches them so there's no need for all this 'barbed wire' between them.

Is there some 3rd party utility that makes networking Windows 2000 and later a simple job?

Chuck said...

Galane,

That's what Guest Authentication does. But it has limitations, and those limitations are righteous.

Busybee said...

Thanks so much for the great info on here though some of it flies over my head at a rate of knots!

Recently I added a password for the main user account of one of my XP home computers and did not know what chaos that would cause on my network! It was weird when it couldn't browse itself through the network neighbourhood so I knew it was something to do with the network settings. Nearly reinstalled windows and you've saved me from that fate.

I changed the password back to blank and had to enable net user on that account and all seems fine again. Thanks!

When you say passwords need to be synchronised do you mean there could be a unique password on each computer on the network so long as both the guest and user account are the same or do you mean throughout the network they must be all blank or all the same? For windows XP home I mean.
Recently I connected to a windows 7 machine by enabling sharing and naming it into my workgroup. When connecting I was prompted for a password and used the main logon. That gave me that mad idea to add a password to one of my machines which I thought I'd be prompted for. Should know different versions of windows are like apples and oranges!