what's the difference between sharing and advanced sharing?

Question

Hello,

I have a question about shared folders in Windows Server 2019.

I have created some folders and shred them via right click on the folder -> properties -> sharing

There I clicked the button "share..." and gave the access to the local admin group only, as well as to my ad account (see the second screenshot below.

The share works very well but the company now says there is a wide open access issue, I checked again and under the the button "advanced sharing..." -> permission, there a completely different groups shown. One of this groups is the group "everyone". I never added this group there and for people who are NOT in the admin group, it is also not possible to access the share. So why is Windows adding the group "everyone" in "advance sharing" -> permission?

For me it seems like a bug in "advance sharing..." -> permission, because everyone does not have any access to the shared folder, only the people inside the admin group ( like I set up and is shown in screenshot 2)

Can same one please explain the differences between "share..." and "advance share...", why Windows added the group "everyone in advance sharing and why is not everyone having access, even if everyone is added in advance sharing?

Thank you and best regards,

Nico Grüner

Screenshot 1 (general share properties

Screenshot 2 (share options after click the button 'share..."

Screenshot 3 "advance sharing..." -> permission

Answer 1

It works as intended. They control two different security descriptors. The advanced share controls the sharing of the share itself (share permissions) . So the ability to see the share exists. This defaults to Everyone read-only so everyone can see the share exists. The Sharing controls the contents and network access within that shared folder. You would have to go to sharing and add the everyone group read/write access for everyone to have unrestricted access to the contents of the share.

Answer 2

first of all, thank you for your answer.

Sorry but I don't get it fully.

Do I understand you right, that the "advanced sharing..." settings (my 3. screenshot) is only there, to see that a share exists. but only the settings for really access is the one under the button "share..." (my 2. screenshot)?

Do understand my issue. in my company, I have currently a so called "wide open access" issue because of the shared folders.

I tried it with a user who is NOT in the admin group (I shared the folder only with admin group, 2. screenshot) and the user does not have access to the share.

But the tool in the company how is reading the shared folder access information say's that the share is also given to everyone.

So what is right and what is wrong? Why is Windows even adding the group everyone in the advanced sharing options, if I only did settings in the "share" options? It makes no sense at all for me or I don't get it.

So can you please explain in detail the differences between button "share..." options and what they are for and button "advanced sharing..."->permission options? Which one is for the real share and the access to the share from outside?

Thank you

Answer 3

and one more thing, I NEVER changed anything under "advanced sharing..."-> permissions! So the 3. Screenshot shows the default settings from Windows and that Widnows gives by default the group "everyone" full control rights.

In my point of view, this is a real security issue caused by Windows Server 2019 itself!!!!

Answer 4

On Windows Server 2019, the default permissions are Everyone: Read-only. However, if that server is part of a domain using the Share button will append Everyone - Full to the advanced sharing properties (of the share) after adding any user. This is because the top sharing button is a wizard that can perform several functions like adjusting advanced sharing and NTFS security permissions as needed. I believe the Advanced sharing change may be related to aligning NTFS permissions with sharing permissions when part of a domain. Part of managing a share is removing elements you may not want. So you are free to lockdown a system as you see fit. However, keeping Everyone: Full is not any immediate security risk as security adheres to the most restrictive settings. Those are your NTFS permissions in the Security tab. So unless your Security tab is set to "Everyone - Full", they would not have access to modify the contents of the share. Only by adding "Everyone - Full" using the Share button or through the Security tab would everyone have full access.

Answer 5

Hello,

I have done many tests regarding the 'topic.

The share option, allows sharing and access to the folder, to users/groups that are entered in the share option box.

In fact you will notice that the users/groups that are entered in the share pane, are by default introduced in the security pane.

While advanced sharing directly allows users to share and 'access the folder, without interacting in the security pane.

Example: if you enable advanced sharing of a folder you will see that by default it is set all( which corresponds to control domain users)with only the 'read option. If in that pane, you add a group of users who must also edit and write to the folder below, you will only enable users in the group to edit and write files. The others( all ) will only be able to access the folder but not create or edit files.

I usually do advanced sharing, enter everyone with read and edit and administrators full control. After that on the security pane I remove the inheritability I delete the domain users/ users group and enter the users group who can access and edit that folder. At that point all users in the domain, who are not part of the group, will see the shared folder, but will not be able to access it.