Question Creating a read-only share - Security Descriptor help?

johnwaz

I've figured out how to create a share by using this:

VB.NET:
Dim objWMI As Object = GetObject("winmgmts:\\localhost\root\cimv2")
Dim objShare As Object = objWMI.Get("Win32_Share")
intRC = objShare.Create(strPath, strName & "$", intType, intMaxAllowed, strDescr)

But, the share created above allows users to read and write to it. I'm looking for a way to create a read-only share from vb.net. Ideally, I would like to set it up to be password protected also, but read only is much more important to me.

Thanks for your help.
 
"But, the share created above allows users to read and write to it."
Peculiar. According to the documentation, when the Access parameter is Nothing or not supplied "then Everyone has read access to the share"; this means ReadOnly. I can confirm that when running your code a read-only share is created.

When working with WMI in .Net you can really simplify things by generating strongly typed VB classes for these, see this thread post 5. Sample code using Win32_Share:
VB.NET:
Win32.Share.Create(Nothing, "test description", 5, "testShare", "", "d:\testShare", 0)
 
First off, thanks for the pointer to the other thread.

I tried the code again, and although the documentation says that without an access parameter provided, it will be read only, I'm getting read write. Here is what I'm doing:

1) Run the app as administrator (username: admin) on machine 1
2) Map created share on machine2 - when prompted for user name & password, enter admin/adminpassword.
3) Write to share - Success! (or failure since it's not what I want)

Ideally, what I would like is to run the app to open a share which is only available with a known user name and password, then be able to map that share with the known info and only be able to read from the share. Any ideas?
 
If you inspect the properties for the share created you will see the admin user that created it has all rights (of course), and that the Everyone group is granted read-only rights. Obviously if you connect to the share with the admin account you also get all rights. What you must do is create a regular user account that can be used to connect to the share; this will fall under the Everyone group and also get only read-only access to the share.
 
OH! That makes perfect sense. So the share created will work fine for me once I figure out how to create a new user from the app. So, the question I should have been asking is how do I create a limited user (from this app) with a password that will be able to read this share?
 
Thanks for the tips, JohnH. I tried the method you described to add a user, but that also adds a user to the login screen. I'd like to do the equivalent of right-clicking a directory and choosing to share a folder with the network, using a password, but not allowing users to modify files - it is Windows Home (no AD) if it makes a difference. Any ideas how to do it programmatically?
 
Password protected shares require a user account. You don't create a virtual user/pass for the share alone; the share is configured to allow existing real user accounts/groups access, and the password is set for each user account. You may be thinking about Win98, where there was no user access control and one could only set a share password, but that's a really long time ago in the security timeline; even NT4 had proper share ACLs way before that.

If you decide to disable password protected sharing as described in article File and Printer Sharing in Windows Vista you may (?) be able to connect without user/pass or with "guest" and no password. It will still be readonly.
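
Added example, not part of any post in this thread: instead of relying on the default "Everyone: read" share ACL discussed above, the Access parameter of Win32_Share.Create can carry an explicit security descriptor that grants share-level Read to a single account. It assumes a project reference to System.Management, an elevated process, and an existing local account; the account name shareReader is hypothetical, and the path and share name are taken from the sample earlier in the thread.

```vbnet
Imports System.Management
Imports System.Security.Principal

Module ReadOnlyShareExample
    ' Access mask the Windows share dialog labels "Read"
    ' (FILE_GENERIC_READ Or FILE_GENERIC_EXECUTE).
    Const ShareRead As UInteger = &H1200A9UI

    ' Build an allow-ACE that grants only ShareRead to one account.
    Function ReadOnlyAce(account As String) As ManagementObject
        Dim sid As SecurityIdentifier = DirectCast(
            New NTAccount(account).Translate(GetType(SecurityIdentifier)), SecurityIdentifier)
        Dim sidBytes(sid.BinaryLength - 1) As Byte
        sid.GetBinaryForm(sidBytes, 0)

        Dim trustee As ManagementObject = New ManagementClass("Win32_Trustee").CreateInstance()
        trustee("SID") = sidBytes

        Dim ace As ManagementObject = New ManagementClass("Win32_ACE").CreateInstance()
        ace("AccessMask") = ShareRead
        ace("AceType") = 0UI      ' 0 = access allowed
        ace("AceFlags") = 0UI
        ace("Trustee") = trustee
        Return ace
    End Function

    ' Create the share with an explicit DACL instead of the default one.
    Function CreateReadOnlyShare(path As String, name As String, account As String) As UInteger
        Dim sd As ManagementObject = New ManagementClass("Win32_SecurityDescriptor").CreateInstance()
        sd("ControlFlags") = 4UI  ' SE_DACL_PRESENT
        sd("DACL") = New ManagementBaseObject() {ReadOnlyAce(account)}

        Dim shareClass As New ManagementClass("Win32_Share")
        Dim args As ManagementBaseObject = shareClass.GetMethodParameters("Create")
        args("Path") = path
        args("Name") = name
        args("Type") = 0UI        ' 0 = disk drive
        args("Description") = "Read-only share"
        args("Access") = sd
        Dim result As ManagementBaseObject = shareClass.InvokeMethod("Create", args, Nothing)
        Return CUInt(result("ReturnValue"))  ' 0 = success
    End Function

    Sub Main()
        ' Hypothetical account name; path and share name reuse the thread's sample values.
        Dim rc As UInteger = CreateReadOnlyShare("d:\testShare", "testShare",
                                                 Environment.MachineName & "\shareReader")
        Console.WriteLine("Win32_Share.Create returned " & rc)
    End Sub
End Module
```

With this descriptor only the named account is granted access through the share. NTFS permissions on the folder still apply, so the effective access is the more restrictive of the share ACL and the file-system ACL.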
 