Microsoft Windows XP Networking Inside Out
.pdf
14 Chapter
Part 4: Network Resources
Understanding Network Resource Access
You can share just about anything on your Microsoft Windows XP computer, so that other users can access the shared resource from the network. The act of sharing resources on the network is fast and easy, and consists of four steps:
1Sharing the resource
2Configuring share permissions
3Configuring NTFS permissions (if NTFS is used)
4Managing the shared resource as needed
Before you dive into the process of sharing resources with others on the network, it’s important to understand the conceptual model used to allow access to those assets. The following real-world example of accessing shared resources is used to explain this conceptual model.
Assume that Stephanie Bourne and George Jiang are both graphic designers at Tailspin Toys. Both users are running Microsoft Windows XP Professional, and both machines are members of a Windows domain. George has done some preliminary work on a set of drawings, and he would like Stephanie to take a look at them and give him some feedback. The drawings are too large and numerous to easily send as e-mail attachments, so he decides to make them available to her by sharing them from his hard disk drive. He creates a share called Stephanie on his PC (which is named Gjiang_pc) and grants Stephanie’s user account within the domain access to the share. Because George is using NTFS on his computer, he also grants her access to the files. After this is done, he sends Stephanie an e-mail asking for her feedback and tells her she can find the files at the share \\gjiang\stephanie.
Stephanie receives the e-mail message and attempts to access the network share. Windows first attempts to connect to the remote workstation using Stephanie’s user credentials. Because she’s using her domain account, George’s remote computer contacts a domain controller to validate her credentials.
note If George and Stephanie were not using domain user accounts, she would instead have to log on using a user account that exists locally on George’s computer.
Stephanie is properly logged on to the domain, so this validation is successful. Once Stephanie’s user credentials are validated, George’s computer determines whether that user has been granted access to the requested resource. Because George granted Stephanie the appropriate rights to the Stephanie share, this step is also successful. If George were using FAT as the file system on his computer, the process would be
398
4: Network Resources
Chapter 14: Understanding Resource Sharing and NTFS Security
complete, and Stephanie would be able to open any file in the share; however, as noted earlier, George’s hard disk is formatted using NTFS. George’s computer must now determine whether Stephanie has the appropriate rights to the actual files. Because George granted those rights, Stephanie can now open the files and review them at her leisure.
As shown in the illustration, the process of determining whether Stephanie can access George’s files consists of multiple steps. It can be helpful to think of these steps as potential layers of security that must be passed through before being granted access to the files in question.
Security Process for Accessing a Network Resource
1. Client account is authenticated.
Client requests file or other
network resource.
Workstation
2.Client has proper network share permissions.
Client is granted access to resource.
3. Client has NTFS permissions
(NTFS drives only).
Network resource
For shared resources such as printers (or files located on FAT file systems), the third step is skipped. To summarize, once George has taken the steps to properly grant access to resources he wants to share, Windows handles all the work of user authentication to the resource whenever Stephanie (or anyone else) attempts to access them.
Now that the conceptual model for Windows resource access has been covered, the specific steps for sharing resources are discussed in the next section.
Chapter 14
399
4: Network Resources
14 Chapter
400
Part 4: Network Resources
Sharing Resources
Computers running Windows XP Professional can share a tremendous array of resources including documents, music, photos, printers, Web pages, and more. However, when sharing these resources on the network, this array of resources can be sorted into three categories:
●Printers. Printer shares can share any type of device that uses the Windows printing interface, whether that printer is a dot-matrix, a thermal, an inkjet, or a laser printer, or even a fax machine or document conversion system such as Adobe Acrobat Distiller.
●File shares. File shares encompass all types of data files, whether they are located on a hard disk, a compact disc, a removable disk, or even an offline storage system.
●Web sharing. Sharing files over the World Wide Web using Internet Information Services (IIS) is not covered in this chapter but rather in Chapter 9, “Using Internet Information Services.”
This chapter covers the simplest forms of sharing first, working from printer sharing to file sharing and NTFS file system permissions.
Sharing Printers
Shared printers are often the driving force behind creating a home or small office network. After all, the expense of buying multiple printers, not to mention the desk space they consume, makes the concept of a single shared printer used between several home or small office computers very inviting.
To share a network printer, connect a printer directly to a Windows XP computer on your network. Then configure it as necessary so that the printer works the way you want it to from the local computer. If you are having problems installing the printer, see the printer manufacturer’s help files or Web site. Once the printer is installed and working correctly on the local computer, you can then share the printer so that users on the rest of the network can access it. There are a few different ways that you can share and manage the shared printer: The following sections explore these features and options.
Some printers have a network interface card (NIC) built into the printer that can be directly plugged into a network hub. For information about configuring a network-ready printer, see “Connecting to a Network-Ready Printer,” page 418.
Sharing the Printer
To share the printer, work from the computer to which the printer is directly connected and follow these steps:
4: Network Resources
Chapter 14: Understanding Resource Sharing and NTFS Security
1 |
Choose Start and then choose Printers And Faxes (you can also open it in |
|
Control Panel). |
2 |
Right-click the printer that you want to share and choose Sharing. |
3 |
On the Sharing tab, shown in Figure 14-1, you have the option of sharing |
|
the printer or not. Select Share This Printer, and then enter an informative |
|
name in the Share Name box. Keep in mind that network clients will be able |
|
to see your printer and connect to it by the share name, so the share name |
|
should be simple, yet as descriptive as possible. It’s a good idea to avoid |
|
using spaces in printer names. |
|
Chapter 14 |
Figure 14-1. Select Share This Printer and assign a meaningful network name.
Notice that the Sharing tab has an Additional Drivers button. When a network computer wants to use the shared printer, the correct drivers must be installed on that network computer for use by its operating system. If you installed the printer on a Windows XP computer and all the other network clients are also running Windows XP, there is nothing else you need to do: Any network client that wants to print to the specified share will automatically download and install the needed driver software. However, if you have a mixture of Windows clients, such as Microsoft Windows 9x or Microsoft Windows NT, the driver installed for Windows XP might not work on these other computers, so Windows will instead prompt these clients to manually install the correct driver. However, Windows XP will allow you to place drivers for other versions of Windows on the computer that maintains the printer share, so that they can also be automatically downloaded and installed.
To take advantage of this feature, click the Additional Drivers button. In the Additional Drivers dialog box, shown in Figure 14-2 on the next page, select each Windows version that you want to support and click OK. When these clients attempt to connect to the shared printer, the correct drivers will be available for them. Depending on the other
401
4: Network Resources
Part 4: Network Resources
Windows versions you need to support, you might need to download those drivers from the printer manufacturer’s Web site. If Windows XP does not contain a compatible driver, a dialog box appears asking you to specify the location of an appropriate driver.
14 Chapter
Figure 14-2. Choose the operating systems used on your network for which additional printer drivers are needed.
Assigning Printer Permissions
Printer permissions are rather simple to assign. By default, Windows XP uses a new feature called Simple File Sharing to streamline security management. When this option is activated, you are not able to directly manage printer permissions.
See “Sharing Resources with Simple File Sharing Enabled,” page 419, for more information about Simple File Sharing.
On Windows XP Professional, if Simple File Sharing is turned off, you have far more control over the ability of remote users to print to and manage printers on your system. These rights are managed using the Security tab found in the shared printer’s properties dialog box. Note that Simple File Sharing must be turned off to be able to see the Security tab. There are three standard printer permissions:
●Print. This is the default printer permission assigned to users. This permission allows users the right to print documents and to manage their own documents in the print queue.
●Manage Printers. This permission, assigned to administrators by default, gives the user full control over the printer (but not the print queue). The user can change the configuration of the printer and even stop sharing it.
402
4: Network Resources
Chapter 14: Understanding Resource Sharing and NTFS Security
●Manage Documents. This permission, also assigned to administrators by default, grants full control of the print queue. A user with this permission can manage his or her own files in the print queue as well as everyone else’s files. The user can also pause the entire printing process and delete all documents in the print queue.
tip You can also set special permissions for the printer standard permissions if necessary. Click the Advanced button on the Security tab, select an account, and click Edit to access its special permissions.
By default, the Everyone group is granted the Print permission, as shown in Figure 14-3. This allows anyone on the network to print to this shared printer. On a small office or home network, the Print permission is normally sufficient, particularly if the network is either not connected to the Internet or uses a firewall to protect the network. However, your computer might be located on a more publicly accessible network, or you might want to only share the printer with certain individuals.
Figure 14-3. The Everyone group is granted the Print permission by default on new printer shares.
There are other good reasons to restrict access to printer shares; you can learn more about them in “Securing Printers,” page 585.
To restrict access to a printer:
1From the Start menu, choose Printers And Faxes. Right-click the shared printer you want to configure and choose Sharing.
Chapter 14
403
4: Network Resources
14 Chapter
404
Part 4: Network Resources
2Select the Security tab, and then select Everyone in the Group Or User Names section.
3In the Permissions For Everyone section, clear the check box under Allow for the Print permission, and then click Apply. The Everyone group should disappear from the list of groups or users that can access the printer.
Now, by default, only user accounts that belong to the Administrators or Power Users group on your computer will be able to use the printer. To grant printer access to additional users:
1Open the properties dialog box for the printer and select the Security tab. Click the Add button to add a new user or group.
2The Select Users Or Groups dialog box, as shown in Figure 14-4, appears. By default, this dialog box allows you to select groups or users from your computer’s account database (unless your computer is a member of a Windows domain, in which case the default location for groups and users will be the Windows domain itself).
Figure 14-4. The Select Users Or Groups dialog box gives you a range of options for setting permissions on a resource.
3If you need to find groups or users from another source (such as a Windows domain or your local account database), you can select a location by clicking the Locations button to open the Locations dialog box, as shown in Figure 14-5.
4Once you’ve selected a location, you can either type in the name of the users and groups to which you want to grant printer access, or you can use the Advanced button to search for groups and users. In the dialog box shown in Figure 14-6, you can display groups and user names. If the account database you are using supports any of the attributes on the Common Queries tab, you will also be able to search on those attributes. To list all the users and groups in your account database, click the Find Now button.
4: Network Resources
Chapter 14: Understanding Resource Sharing and NTFS Security
Figure 14-5. You can select an account database from which to select users and groups.
Figure 14-6. This dialog box helps you determine which users and groups are available.
5After you’ve added the users and groups to which you want to grant access to the Users And Groups dialog box, click OK. You will be returned to the Security tab of the properties dialog box, where you can select each user or group and explicitly set Allow or Deny permissions.
Chapter 14
405
4: Network Resources
14 Chapter
Part 4: Network Resources
caution Be careful when assigning permissions. If you assign the Deny permissions to some groups, all members of those groups will be denied access, even if they are granted access through their user accounts or as members of other groups that have access. This occurs because Allow permissions are cumulative, but Deny permissions override all other permissions. Although denying access to entire groups might be desirable on occasion, try to establish permissions by clearing or selecting the check boxes in the Allow column and avoid using the check boxes in the Deny column.
note If you are using Windows XP Professional in a domain environment, you can also advertise your local printer in the Active Directory printer list. If your computer has been placed in a domain, you’ll also see a List In The Directory option on the Sharing tab. By activating this option, computers running Windows 2000 or Windows XP Professional can share printers and have them automatically published to Active Directory. Network users can then browse Active Directory and locate the printer based on its location and even by its features.
Connecting to a Shared Printer
Users can connect to a shared printer in the same way they connect to a shared folder, through My Network Places or by specifying the printer’s Universal Naming Convention (UNC) path. The first time you connect to a shared printer, the appropriate drivers are downloaded to the computer, and the current print queue opens. You can browse the print queue and see which files are waiting to be printed so that you can monitor your print jobs.
By default, users on the network are given the Print permission. This means that they can print to the printer and manage their own print documents in the queue. As shown in Figure 14-7, users can access the print queue, select their files that are waiting to be printed, and use the Document menu to pause or cancel any of their print jobs. Users cannot alter the state of another user’s print jobs or control the printer in any other way.
Figure 14-7. Network users can manage their own documents in the print queue.
406
4: Network Resources
Chapter 14: Understanding Resource Sharing and NTFS Security
tip Users can choose the Printer menu and choose Printing Preferences to control the printing options, such as Orientation and Page Order, for their documents. Users can also choose Properties from the Printer menu and browse the printer’s properties, but these options appear dimmed and are unavailable so that users don’t change the printer’s base configuration.
Managing the Shared Printer
Once you share a printer, it is your job to manage the printer and make sure it is available and working when network clients need it. This includes keeping the paper tray full and managing ink cartridges of course, but the tasks described in the following sections also fall within the scope of management.
Managing the Print Queue
As mentioned in the previous section, users cannot manage other users’ print jobs. However, you, as the printer administrator, do have total control over the print queue. This means that you can open the print queue at any time and cancel or pause files that are in the queue. You can also use the Printer menu to cancel all documents that are waiting to be printed, or you can pause all printing. Why might you need these options or this level of control? Consider a few examples:
●In a small network of five computers, there might be a single shared printer. As the administrator, you can look in the print queue, and you might observe that five print jobs are waiting. If the second print job waiting to print is over 200 pages and the remaining three are only one page each and are needed immediately, you can select the large print job and use the Document menu to simply cancel it. You can then inform the user that larger print jobs must wait until a less busy time of the day. Or, you can pause the large print job, let the remaining jobs print, and then allow the large job to print.
●In an office network, you might observe 10 jobs in the print queue. As the administrator, you notice that the print device’s ink cartridge needs to be changed. Rather than deleting all of the print jobs and disrupting users’ work, you can use the Printer menu to pause printing. You can then replace the cartridge and continue printing when you are ready.
tip For quicker access, right-click the printer icon in the Printers And Faxes folder and choose Pause Printing or Cancel All Documents.
●In your office, there might be several jobs in the print queue, but the printer has suddenly stopped responding. You can use the Printer menu to cancel all documents so that the printer can be repaired.
407
Chapter 14
4: Network Resources