File Sharing Under Windows XP

Depending upon your specific needs, you can get Windows XP in any one of five editions. Of those five, the two best known, XP Home and XP Pro, differ in how they let you share files. Both the Home and Pro editions have their advantages and disadvantages.

Please spend a few minutes deciding how you wish to use your computer, and whether you wish others to use your computer. If your computer is running Windows XP, make sure that you know which edition of Windows XP it is.

Windows XP Home has few options, and is easier for the typical home user to set up. Windows XP Professional (in its various editions) is more versatile than XP Home. It can be used in different ways, depending upon what other computers are on the LAN, and how secure you want your shared data to be.

Simple File Sharing

If your computer runs XP Home, then it has Simple File Sharing already. SFS, which only uses Guest authentication, cannot be disabled under XP Home.

If your computer runs XP Pro, or XP Media Center Edition, it may have SFS. If you want to enable Simple File Sharing on a computer running XP Pro or MCE, from Windows Explorer:

  • Select Tools – Folder Options.
  • On the View tab, scroll to the end of the long Advanced settings list.
  • Check “Use simple file sharing”.

To use Simple File Sharing on any XP server, Home or Pro, make sure that the Guest account is properly activated, and the password is consistently set (blank or non-blank), on both the client and the server.

Please note the limitations of Guest authentication, when working with Simple File Sharing.

Advanced aka Classic File Sharing

Advanced aka Classic File Sharing is available, as an alternative to Simple File Sharing, on XP Pro or MCE. To use AFS to its full advantage, you need to have formatted the drives, on the server, with NTFS. You then need to disable Simple File Sharing. From Windows Explorer:

  • Select Tools – Folder Options.
  • On the View tab, scroll to the end of the long Advanced settings list.
  • Uncheck “Use simple file sharing”.

Next, identify a folder that you want to share on the network, but share selectively.

  • Set up and use an account (with matching password) on both the client and the server.
  • Make sure that the account is properly activated on the server.
  • In Windows Explorer, right-click on the folder in question, and select Properties.
  • On the Sharing tab, select “Share this folder” and give the share a name.
  • Hit Permissions, and make sure Everyone has full rights.
  • On the Security tab, find and select your account in the “Group or user names” list. If your account isn’t in the list, Add it.
  • In the Permissions list, make sure your account has the appropriate permissions. And make sure that no other accounts have inappropriate permissions.

Note that, if you want some openly available shares also, this can be done quite easily.

  • On the Sharing tab, select “Share this folder” and give the public share a name.
  • Hit Permissions, and make sure Everyone has full rights.
  • On the Security tab, find and select the group “All Users”, “Everyone”, or “Users”, in the “Group or user names” list.
  • In the Permissions list, make sure the group selected has the appropriate permissions.
  • Set up Guest (with matching or no password) on both the client and the server.
  • Make sure that Guest is properly activated on the server.

Please note the limitations of Guest authentication, when setting up any share for non-selective access. And if you have a LAN with both XP Home and XP Pro systems, be careful when enabling Advanced File Sharing on an XP Pro system. Unbalanced authentication can have complex results.

Get The Terminology Right Here

When you look at the Welcome screen, and you have multiple users set up on your computer, you’ll see a list (or group) of users, identified by User Name. When you change a password, or the picture associated with that user, you’ll use the User Accounts wizard in Control Panel. Here too, you’ll see a list of users, identified by User Name.

If you rename a user, or if you use any advanced procedures or wizards, there is another very relevant term – account. When you set up a user, using the User Accounts wizard in Control Panel, Account = User Name. For each account / user, a set of subfolders, under “C:\Documents and Settings” is created. This is the user profile.

  • You can change a User Name at any time, but the account, and the user profile, stays the same.
  • You can make much more versatile changes using the Control Panel – Administrative Tools – Computer Management – Local Users and Groups – Users wizard. Here you can change the account name, and profile path.
  • If you disable the Welcome screen, you login using the account name and password.

So, if you ever rename a User, and see elements of the previous name, you now know why.

Activate An Account Properly For Network Access

Whether you’re depending upon the Guest account, or a non-Guest account, for authentication, the account that you use has to be properly activated. You use the “net user” command, or the Control Panel – User Accounts applet, to activate (or deactivate) an account for local use.

There are two possible ways to activate (or deactivate) an account for network access:

  • Run the “net user” command. Enter, in a command window:

    net user AccountName /active:yes

    • (Substitute actual account name for “AccountName”).
    • (Substitute “no” to deactivate).

    NOTE: There are 4 “words” (sequences of non-blank characters) in the command. If you have any doubt about where a space is needed, copy and paste as above (substituting the account name, and “no” or “yes”, as appropriate).

  • Alternatively, for XP Pro only, run (Control Panel – Administrative Tools – ) Computer Management. Under System Tools – Local Users and Groups – Users, find the account (Guest or non-Guest) in question. Doubleclick (or rightclick, and select Properties), and clear (or check) “Account is disabled”.

Finally, for XP Home, or for XP Pro using Simple File Sharing, make sure that Guest, in addition to being activated, has the appropriate rights.

Synchronise Passwords On Accounts

Always synchronise passwords (for the Guest or non-Guest account) on all computers – make them identical (or blank) on each. For best results, make your password policy consistent throughout your network.

To set the password, you need to run the UserPassword applet.

  • Enter, in a command window, “control userpasswords2” (less the “”).
  • Select the account of interest in the User Accounts list.
  • Hit the Reset Password button.
  • Type either a blank, or non blank password, identically, into both “New password” and “Confirm new password” fields.
  • Hit OK twice.

Synchronising passwords can be tricky in a mixed LAN (XP Home and Pro together). With XP Home, the default is to have no password on the Guest account (it is, after all, anonymous). With XP Pro, you have to Disable the Local Security Policy setting, under Security Options, “Accounts: Limit local account use of blank passwords to console logon only”, if your server is going to allow network access by accounts with blank passwords.

Making File Sharing Work

Once you get past the issues involved in accessing the server, such as browsing and name resolution, there are the issues of accessing the data itself – authentication (“Who are you?”), and authorisation (“Do we want you to have access here?”).

What authentication method are you using?

The message

Logon failure: the user has not been granted the requested logon type at this computer.

is easy to resolve under XP Pro, but may require extra effort under XP Home.

With XP Pro, there is a pair of Local Security Policy lists, under User Rights Assignment.

  1. “Deny access to this computer from the network”.
  2. “Access this computer from the network”.
  • If your server uses Guest authentication:
    • “Guest” must NOT be in list #1.
    • “Everyone” must be in list #2.
  • If your server uses non-Guest authentication:
    • Your properly set up, and activated, non-Guest account must NOT be in list #1.
    • Your non-Guest account, or a group of which it is a member (generally “Everyone”) must be in list #2.

Authentication varies depending on whether this is a domain or a workgroup.

  • In a domain, you need an activated account on the domain controller.
  • In a workgroup, you need identical, activated accounts, with identical passwords, on both the client and the server.

Authorisation is described in Server Access Authorisation.

If the files and folders in question have been properly set up and shared as above, and you’re getting only partial access (maybe Read, although you intend to grant Write access), check both the Share and NTFS Authorisation lists.

Remember that if you grant access, to the share in question, to “Everyone”, that refers to Everyone who is properly authenticated. Either a properly set up Guest account (on the server), or non-Guest account (for a workgroup, on both the client and server, with matching passwords), is still required.
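Why partial access appears when the two lists disagree: for network access, the effective permission is the more restrictive of the Share list and the NTFS list. This is an added example, not from the original article; permission levels are collapsed to four ranks, Deny entries are not modelled, and all account names are constructed.

```python
# Simplified model of share + NTFS authorisation (constructed for illustration).
NONE, READ, CHANGE, FULL = range(4)          # collapsed permission ranks
NAMES = ["none", "read", "change", "full"]

def granted(acl, principals):
    """Highest level any of the caller's principals holds in one list.
    Allow entries accumulate across groups; Deny entries are not modelled."""
    return max((level for who, level in acl.items() if who in principals),
               default=NONE)

def effective_access(identity, groups, share_acl, ntfs_acl=None):
    """Effective network access for an already authenticated identity.
    ntfs_acl=None models a FAT32 volume: there is no Security tab, so the
    share permission list is the only gate."""
    # Per the page, "Everyone" covers any authenticated account, Guest included.
    principals = {identity, "Everyone"} | set(groups)
    share = granted(share_acl, principals)
    if ntfs_acl is None:
        return NAMES[share]
    return NAMES[min(share, granted(ntfs_acl, principals))]

# Constructed sample lists.
OPEN_SHARE = {"Everyone": FULL}                    # share set up as in the steps above
READ_SHARE = {"Everyone": READ}                    # share list left at Read
SELECTIVE_NTFS = {"alice": CHANGE, "Administrators": FULL}

def demo():
    return {
        "alice, selective folder": effective_access("alice", [], OPEN_SHARE, SELECTIVE_NTFS),
        "Guest, selective folder": effective_access("Guest", [], OPEN_SHARE, SELECTIVE_NTFS),
        "admin, selective folder": effective_access("bob", ["Administrators"], OPEN_SHARE, SELECTIVE_NTFS),
        "alice, share left at Read": effective_access("alice", [], READ_SHARE, {"alice": FULL}),
        "Guest, same share on FAT32": effective_access("Guest", [], OPEN_SHARE, None),
    }

if __name__ == "__main__":
    for case, access in demo().items():
        print(f"{case}: {access}")
```

The last case is the reason the selective procedure depends on NTFS: with Everyone at full rights on the share and no NTFS list behind it, Guest gets full access.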

With XP Home, you don’t have the Local Security Policy Editor. And Simple File Sharing doesn’t give you the ability to set access rights either. In that case, you’ll have to use extra software and procedures.

If you’re using Guest authentication, and still getting “access denied” after all of the above steps, check the restrictanonymous setting.

Even with all of the above advice, there are known scenarios, with varying symptoms, with but one common factor – recent (or not) application of certain Windows Updates.

Next, look at the complete and exact text in any observed error messages. Some very obscure errors have very simple resolutions.

And finally, repeat Troubleshooting Network Neighborhood.

Windows XP In A Domain

Both Windows XP Home and XP Pro can be used in a domain, but in different ways.

A Windows XP Home computer can only join a workgroup; it cannot join a domain. Windows XP Media Center has the same internal components as XP Pro; however, XP MCE 2005 will not join a domain either.

If an XP Home or MCE 2005 client computer is on the same network with a domain, the computers in the domain should be visible, in Network Neighborhood, under Entire Network – Microsoft Windows Network – (name of domain). The XP Home / MCE 2005 computer(s) will not, however, be visible from other clients, or from the servers, in the domain, unless there is a browser server available for the workgroup of which the computer is a member (or if that computer is running the browser on its own).

If an XP Home or MCE 2005 client computer is on the network with a domain, the computer can be made a Member of a workgroup with the workgroup name equal to the domain name. This will allow the servers in the domain to be visible, in Network Neighborhood, and will make the client visible from other clients, or from the servers, in the domain.

Users on an XP Home or MCE 2005 client will have to authenticate to any domain servers as they would in a workgroup – using accounts defined locally on each client and server.

A Windows XP Professional computer can join a domain, just as any other Windows NT based computer, and can access domain resources in the same way. However, several XP features will be unavailable:

  • Fast User Switching.
  • Simple File Sharing.
  • Logon Welcome Screen.

Depending upon how your domain is set up, an XP computer may have problems logging in to the domain, and may require changes in the domain itself.

Guest Authentication

Guest authentication is an option under Windows XP Pro with Advanced File Sharing. For XP Pro with Simple File Sharing, and for XP Home, Guest is the only available authentication.

With Guest authentication, you normally have two choices for any otherwise shareable folder: whether to allow access to it, and whether to allow read-only or read-write access. All shared folders and files are equally accessible by everybody with access to the network.

If your server only uses Guest authentication, any shared data is offered, on the network, based upon the status of the Guest account on the server. Other accounts on the server, and on any clients, will not be relevant. Make sure that the Guest account is properly activated for network access.

The Guest account, by definition, is a limited access account, and is similar to anonymous access under Windows. If your server only uses Guest authentication, your computer can’t be accessed with administrative authority, thru the network.

Shares which require administrative access, such as C$, “C:\Program Files”, and “C:\Windows”, can’t be accessed thru the network, if shared using Guest authentication. No matter what authority you are logged in with, to a client computer, when you access any server using the Guest account, those shares, and any folders and files within those shares, will be inaccessible. Any files that you want to be accessible thru the network should be kept in the Shared Documents folder, and they will be accessible to everybody.

Remember that the various folders in “C:\Documents and Settings” contain the personal data for each user of the computer. Those folders, by design, can only be accessed by the owner of the data, or by an administrator. Guest is neither of those, and shouldn’t be expected to have access. The public portions of “C:\Documents and Settings”, if at all accessible to Guest, will be read only.

If a computer using Guest authentication is providing browser services for other computers, those other computers, when running browstat, and having no other errors, will show an “error = 5” (access denied) when trying to access the registry on the browser.

Master browser name is: PChuck1
could not open key in registry, error=5 unable to determine build of browser master:5

Other network related tasks, like remote registry access, and remote shutdown, won’t work either. Those tasks require administrative access.

The Guest account may not provide network access if the restrictanonymous setting has the wrong value. The Guest account may not provide network access to specific shares, if the RestrictNullSessAccess setting has the wrong value.

For more information about the Guest account, see Description of the Guest account in Windows XP.

If you feel up to it, you can give additional authority to Guest. How to add authority will depend upon your edition and file sharing.

Non-Guest Authentication

Non-Guest authentication is much more granular than Guest authentication, on a server using NTFS. It is possible only on a server running XP Pro, with Advanced File Sharing. If your server has either XP Pro with Simple File Sharing, or XP Home, you’ll be using Guest authentication.

You authenticate under Advanced File Sharing in 3 possible steps.

  1. If
    • The client is running Windows XP Pro (or Windows 2000).
    • The account that you’re using for desktop access, on the client, is already set up and activated for network access, on the server.
    • Both accounts have an identical, non-blank password.

    your computer will supply the token, and you will be given server access automatically.

  2. If automatic non-Guest authentication is not possible, the server is checked for the Guest account having been activated for network access.
  3. If neither automatic non-Guest, nor Guest, access is possible, you will have to supply the token manually. You will have to login to the server, interactively, using an activated non-Guest account, with correct password.
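The three steps above, combined with the Guest-only rule for Simple File Sharing and the two User Rights Assignment lists, as a simplified decision model. This is an added example, not code from the original article; the `Server` class, account names and passwords are constructed, and it encodes the rules as this page states them rather than Windows internals.

```python
from dataclasses import dataclass, field

AUTO_CLIENTS = {"XP Pro", "2000"}   # clients that, per step 1, pass credentials automatically

@dataclass
class Server:
    simple_file_sharing: bool       # always True on XP Home
    accounts: dict                  # account name -> (password, activated)
    deny_network: set = field(default_factory=set)                    # list #1
    allow_network: set = field(default_factory=lambda: {"Everyone"})  # list #2

def may_logon_from_network(server, name):
    """User Rights Assignment: absent from list #1, and the account or
    'Everyone' present in list #2."""
    if name in server.deny_network:
        return False
    return bool({name, "Everyone"} & server.allow_network)

def usable(server, name):
    """Account exists, is activated, and holds the network logon right."""
    _password, active = server.accounts.get(name, (None, False))
    return active and may_logon_from_network(server, name)

def authenticate(server, client_os, user, password):
    """Return (identity, path). identity is None when the server refuses
    the logon or has to prompt for credentials."""
    if server.simple_file_sharing:
        # Guest-only: whatever account the client presents is ignored.
        if usable(server, "Guest"):
            return ("Guest", "forced-guest")
        return (None, "logon-failure")
    stored = server.accounts.get(user, (None, False))[0]
    # Step 1: matching, activated account with an identical non-blank password.
    if (client_os in AUTO_CLIENTS and usable(server, user)
            and password and stored == password):
        return (user, "automatic")
    # Step 2: fall back to Guest if it is activated for network access.
    if usable(server, "Guest"):
        return ("Guest", "guest-fallback")
    # Step 3: the user has to log in to the server interactively.
    return (None, "prompt")

# Constructed sample servers (account names and passwords are made up).
PRO_AFS = Server(False, {"alice": ("S3cret!", True), "Guest": ("", True)})
PRO_AFS_NO_GUEST = Server(False, {"alice": ("S3cret!", True), "Guest": ("", False)})
HOME = Server(True, {"alice": ("S3cret!", True), "Guest": ("", True)})
HOME_GUEST_DENIED = Server(True, {"Guest": ("", True)}, deny_network={"Guest"})

def demo():
    return [
        authenticate(PRO_AFS, "XP Pro", "alice", "S3cret!"),         # step 1
        authenticate(PRO_AFS, "XP Pro", "alice", "wrong"),           # step 2
        authenticate(PRO_AFS_NO_GUEST, "XP Pro", "alice", "wrong"),  # step 3
        authenticate(HOME, "XP Pro", "alice", "S3cret!"),            # Guest-only
        authenticate(HOME_GUEST_DENIED, "XP Pro", "alice", "x"),     # Guest in list #1
    ]
```

The second case is the one to watch when reviewing a server: with Guest activated, a mismatched password does not fail, it quietly lands the client on Guest and whatever Guest is authorised to see.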

Once you’re authenticated with a non-Guest account, on a server running Advanced File Sharing, you need to be authorised. Authorisation, under Advanced File Sharing, is much more granular than Guest authorisation under Simple File Sharing.

Windows XP And Other Operating Systems

Windows XP was designed to allow the merger of the two older operating system families – Windows 9x (Windows 95 / 98 / ME – predominantly home systems), and Windows NT (NT / 2000 / 2003 – predominantly business systems). By carefully choosing Advanced vs Simple File Sharing on your computer, it can better operate on the LAN with your older systems.

Simple File Sharing, which is selectable under XP Pro but not under XP Home, uses Guest authentication only. It makes it easier to set up sharing with Windows 9x systems, by simply creating openly available shares.

Advanced aka Classic File Sharing is directly compatible with file sharing under Windows NT / 2000 / Server 2003. It can use Guest, or it can use non-Guest, authentication.

Windows XP will share files with an XBox 360, given a small amount of work.

For additional details describing file sharing issues relevant to Windows XP and to other operating systems, see:

Authentication Protocols

As described above, any connection created between a client and a server involves some form of authentication. The person using a client computer must prove who he / she is, so the server can decide whether to allow access. The simplest form of authentication is a simple account / password exchange. The user inputs the account (public secret) and password (private secret), these are passed to the server, which matches the two against its database.

Original versions of Windows, before NT V4.0, used LAN Manager, which used this procedure. With Windows NT V4.0, NT LAN Manager protocol, slightly more secure than a simple account / password exchange, was used.

For NT V4.1 and later, Microsoft Kerberos, which is considerably more complicated and secure than NTLM, is used. Kerberos, which involves multiple exchanges of identity and shared secrets between a client and the domain controller, and then between the client and the target server, is specifically designed for insecure networks, where snooping of a simple account password exchange would be unacceptable.

For an allegorical description of how Kerberos is designed, providing some background to enable you to tackle the Microsoft links referenced above, see Designing an Authentication System.

Local Access Issues

If you follow recommended procedures, and set up your accounts to allow file sharing, you will have identical, non-blank passwords on the accounts. As I said above, by default, Windows XP Pro requires non-blank passwords for accounts used for network access.

Maybe you’re accustomed to not logging in at all when you turn your computer on – just start it, it comes up with the desktop, and you get to work. Or maybe you’d like to do this, but don’t know how. Well, Ramesh, another MVP, has written up the procedure for making your computer login automatically, in his article Configure Windows XP to Automatically Login.
