How to Secure Shared Folders

What is folder sharing?
From a normal install of Windows 2000/XP, a service called File and Printer Sharing is turned on. The way files are shared is by enabling shared access to a folder. Hence, for simplification, we shall just call it shared folders.

What is the risk?
Windows XP by default uses a sharing type called Simple File Sharing (SFS).* This type of sharing allows anyone on the network to access your shared files and folders without a password.** It is more suited towards a small network where you know the other users and trust them; for example a home network. Also, in Windows 2000 and Windows XP (with SFS turned off), if you administrator's password is weak, an attacker can get into your computer and cause a lot of damage.

What can I do?
Ask yourself if you need to share files/folders. Yes or No?

If you do not need to share files/folders, turn off File and Print Sharing and/or turn off the firewall exception for File and Print sharing (webpage to explain this in progress).

• Click Start, click Run..., and type in "ncpa.cpl"
  
  Press Enter/Click OK


• For each network entry, perform the next two steps:
  Right-click and select Properties
  
  Wired networks are usually called Local Area Connection and Wireless networks are called Wireless Network Connection


• In the box that lists This connection uses the following items:
  Un-check the File and Printer Sharing for Microsoft Networks
  
  Click OK

If you do need to share folders, please make sure to

1. Create a limited account to use for sharing:
   Click Start, Click Run..., enter "nusrmgr.cpl", Click Create a new account,
   Enter a username, click Next, click Limited, and click Create Account
   
2. Make sure you have strong passwords for ALL the accounts on your computer
3. Set permissions on your shared folders
   • Right-click on the folder to be shared and select Sharing and Security...
     
   
   
   • Select Share this folder to enable sharing and change the Share name if you wish
     Then click on Permissions
     
   
   
   • Remove Everyone and add the user created earlier for sharing
     
     Make sure to Allow the minimum needed permissions

*Simple file sharing is on always for XP Home. It can be disabled in XP Pro.
**For more details, please see Microsoft's instructions on how to configure file sharing.
Note: Staff managed machines will need File and Printer Sharing to be left on, please do not turn it off.