How to password protect a shared folder on Windows 7 without Active Directory

Tags: password, permissions, share, windows 7

We are currently running a group of machines where (for now) everybody logs in locally, with no network accounts and no Active Directory (as of yet). There are generic usernames and passwords on all the machines.

We have a machine in our server room that we use as a share – how can I password protect a shared folder on this machine so that only 1 or 2 users (out of 30) will be able to access it?

Please bear in mind that:

  1. Everybody uses the same user log ins for their machine (WorkUser1) – so I cannot simply add the WorkUser1 account as having shared/owner access

  2. The machine was part of a different build process – so doesn't initially have any of the same local admin accounts that everything else has.

I want someone to have a shortcut on their desktop (not RDP) and be able to drop their confidential files into the folder, though naturally I don't want the rest of the company to be able to see the contents of this folder.

It seems I can only choose users from the parent object (the server) to give access to – or 'Everyone' which I have now.

I know, the setup is far from optimal... for now.

Any help appreciated.

Best Answer

> Everybody uses the same user log ins for their machine (WorkUser1) - so I cannot simply add the WorkUser1 account as having shared/owner access

This is your problem, which you must fix first:

  • If you use a workgroup, you create user accounts with the same username and password combinations as on your local PCs and optionally create groups where those users are members (on the server). Then you can give permissions to the server users/groups, and if a user connects from the network with an existing username/password combination, access is granted. If all your users have the same credentials, you cannot distinguish between them.

  • If you use a domain, the user management is centralized and you don't need to create all those accounts in two places (also password changes are easier), but the rest is the same: If only one user account exists, you cannot decide which user is which.

A non-Windows alternative may be the creation of another service, like an SFTP server for file access, where you can define new usernames that are independent of the Windows accounts. I would only go this route if you cannot change anything on the username/password policy and just need it for dropoff. You could create a directory with subdirectories for each user and then only give those users write permissions for their own subdirectory. Then, collect the dropped files via a recursive find & move.

Edit: This solution would work even with your current Windows network - you would need to create new user accounts on the server and then map a network share to a local drive letter. There is an option, "Connect using different credentials", where you can specify the name and password of the new user(s). I believe you could even just use one new user, ShareUser1, and only allow creation of new files and directory listing. Have a look at this thread - while it is about a Solaris server, the second screenshot shows you the permissions that can also be found in the security tab of the properties window on your Windows server or share (the ACL settings are NFSv4 compatible).
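
The approach from the answer's edit, written out as commands (an added example, not part of the original answer): a dedicated local account on the share host, NTFS and share permissions limited to it, and a drive mapping with different credentials on the client. FILESERVER, D:\Confidential, the share name Confidential and the group ConfidentialUsers are assumed names; ShareUser1 is the account name from the answer. It also assumes "password protected sharing" is turned on in the host's advanced sharing settings.

```bat
rem Added example. FILESERVER, D:\Confidential, Confidential and
rem ConfidentialUsers are assumed names, not values from the thread.

rem --- On the machine hosting the share (elevated Command Prompt) ---

rem 1. Create the dedicated local account. "*" prompts for the password,
rem    so it is not stored in a script or visible on screen.
net user ShareUser1 * /add

rem 2. Grant permissions to a local group rather than to the account itself,
rem    so a second permitted user can be added later without touching ACLs.
net localgroup ConfidentialUsers /add
net localgroup ConfidentialUsers ShareUser1 /add

rem 3. NTFS permissions: add the explicit entries first, then remove the
rem    inherited ones (which typically include the local Users group).
mkdir D:\Confidential
icacls D:\Confidential /grant "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "ConfidentialUsers:(OI)(CI)M"
icacls D:\Confidential /inheritance:r

rem 4. Share permissions: name the group explicitly so that "Everyone"
rem    is not on the share ACL.
net share Confidential=D:\Confidential /grant:ConfidentialUsers,CHANGE

rem 5. Check the result: only the three entries from step 3 should be listed,
rem    and the share should show ConfidentialUsers with CHANGE.
icacls D:\Confidential
net share Confidential

rem --- On the PC of each permitted user (logged in as WorkUser1) ---

rem Windows allows one set of credentials per server per logon session.
rem If "net use" lists an existing connection to FILESERVER, remove that
rem connection first, otherwise the mapping fails with system error 1219.
net use

rem Map the share with the server-side account; "*" prompts for the password.
net use Z: \\FILESERVER\Confidential /user:FILESERVER\ShareUser1 * /persistent:yes
```

Effective access is the more restrictive of the share permission and the NTFS permission, which is why both are set here. Because every PC logs in with the same WorkUser1 account, the password for ShareUser1 should not be saved in the shared Windows profile on machines other people use.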