Question

In helping out a friend with a few questions for CS, I came across one that I had no prior experience with and was hoping someone would be able to clarify the difference between NTFS and File Share for me.

To help, the question we faced was:

A folder storing a faculty member’s personal documents is set as a share to which everyone has full access. The only person with NTFS permissions on the folder is said faculty member. Can everyone else access the documents?

I appreciate any clarification you can provide. I'd love your help in learning about this!


Solution

Short answer: No.

In Windows each file and directory has an ACL controlling access to it. Each file share also has an ACL controlling access to the share.

When you access a remote file through a share you are doing so using the credentials used to log in to the local computer. (You can connect using different credentials by entering a username/password when connecting.)

The remote computer tests the supplied credentials against the ACL on the share. Once you are past that, then every file you attempt to access on the remote machine through this connection will be checked using your credentials against the ACL on the file and the share. This allows a file share to offer more restricted access to some files than if the same user were to attempt to access them locally. (So you could share files as read-only, even if the ACLs on the files themselves would allow that user write access.)

If the file share is of a FAT file system then the only ACL checking that is done is against the file share itself because FAT doesn't support ACLs.

When computers are not in a domain and all user accounts are local user accounts, then permissions may not be what you expect. Unlike Unix/Linux, it is generally not possible to create the same user account (uid) on two computers because Windows basically uses a GUID for the UID (a big random number). So when you attempt to look at file owner or ACL information on remote files, since those files are all owned by local accounts on the remote computer, to your local computer those UIDs will not be recognized (see `dir /q` from the command line).

Windows can be set up to make non-domain file sharing a little easier. It can be set so that when you attempt to access the remote file share, as long as the remote computer has an account with the same username and password as the local computer, then the connection is allowed -- and you are logged into the remote computer using the remote computer user's account.

For reference, see information on NTLM, SMB and NETBIOS.
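
The two-stage check described in the answer can be sketched as a small model. This is an added example, not part of the original answer: it is a simplified model of ACL evaluation (no inheritance, coarse rights), and the account names `faculty`, `student` and `staff` are hypothetical.

```python
# Simplified model (added example): rights are sets, an ACL is a list of
# (principal, "allow" | "deny", rights) entries. Real Windows ACLs also have
# inheritance and finer-grained rights, which are left out here.
READ = {"read"}
CHANGE = {"read", "write"}
FULL = {"read", "write", "full"}


def granted(acl, principals):
    """Rights an ACL gives a user: every matching allow minus every matching deny."""
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in principals:
            (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied


def effective_access(user, groups, share_acl, ntfs_acl, filesystem="NTFS"):
    """Rights a user ends up with when reaching a folder through a share."""
    principals = {user, "Everyone", *groups}
    share_rights = granted(share_acl, principals)
    if filesystem == "FAT":
        # FAT has no per-file ACLs, so the share ACL is the only check.
        return share_rights
    # On NTFS both checks must pass, so the result is the intersection.
    return share_rights & granted(ntfs_acl, principals)


# Constructed sample data matching the question: the share is open to
# Everyone, NTFS permissions are held only by the faculty member.
SHARE_ACL = [("Everyone", "allow", FULL)]
NTFS_ACL = [("faculty", "allow", FULL)]

if __name__ == "__main__":
    for user in ("faculty", "student"):
        rights = effective_access(user, [], SHARE_ACL, NTFS_ACL)
        print(user, sorted(rights) or "no access")
    # Read-only share over a folder whose NTFS ACL would allow writes.
    read_only_share = [("Everyone", "allow", READ)]
    print(sorted(effective_access("faculty", [], read_only_share, NTFS_ACL)))
```

For the question's scenario the model gives everyone except the faculty member an empty set of rights, which is the "No" of the short answer.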

Licensed under: CC-BY-SA with attribution