- The article explains how to prevent users from accessing network shares on Windows Server using NTFS permissions, share permissions, and Group Policy.
- The article also provides some common questions and answers related to this topic, such as how to check who has access to a network share, how to prevent users from creating network shares, and how to audit access to network shares.
If you are a network administrator, you may want to restrict access to certain shared folders on your Windows server. This can help you protect sensitive data, enforce security policies, and prevent unauthorized changes. In this article, we will show you how to prevent users from accessing the network share on Windows Server using different methods.
Table of Contents
- What is a Network Share?
- Why Prevent Access to the Network Share?
- How to Prevent Access to the Network Share on Windows Server
  - Method 1: Use NTFS Permissions
  - Method 2: Use Share Permissions
  - Method 3: Use Group Policy
- Frequently Asked Questions (FAQ)
  - Question: How can I check who has access to a network share?
  - Question: How can I prevent users from creating network shares?
  - Question: How can I audit access to network shares?
- Conclusion
What is a Network Share?
A network share is a folder or drive that is accessible by other computers on the same network. You can create a network share on a Windows server by right-clicking on the folder or drive, selecting Properties, and then clicking on the Sharing tab. You can then choose to share the folder or drive with everyone or specific users or groups.
Why Prevent Access to the Network Share?
There are several reasons why you may want to prevent access to the network share on Windows Server, such as:
- To protect confidential or sensitive information from unauthorized users.
- To comply with legal or regulatory requirements for data security and privacy.
- To prevent users from modifying, deleting, or copying files that are essential for the server’s operation.
- To reduce network traffic and improve performance by limiting the number of users who can access the share.
How to Prevent Access to the Network Share on Windows Server
There are different ways to prevent access to the network share on Windows Server, depending on your needs and preferences. Here are some of the most common methods:
Method 1: Use NTFS Permissions
NTFS permissions are the most granular and flexible way to control access to files and folders on a Windows server. NTFS stands for New Technology File System, which is the default file system for Windows operating systems. NTFS permissions allow you to assign different levels of access (such as Full Control, Modify, Read, Write, etc.) to different users or groups for each file or folder.
To use NTFS permissions to prevent access to the network share on Windows Server, follow these steps:
1. Right-click on the folder or drive that you want to restrict access to, and select Properties.
2. Click on the Security tab, and then click on the Edit button.
3. In the Permissions for [folder name] window, select the user or group that you want to deny access to, and then check the Deny box for Full Control. This will automatically check all the other boxes under Deny as well.
4. Click on Apply, and then click on OK.
5. Repeat steps 3 and 4 for any other users or groups that you want to deny access to.
6. Click on OK to close the Properties window.
Note: If you want to allow some users or groups to access the network share, you can check the Allow box for the appropriate level of access instead of Deny.
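The same Deny entry can be applied from PowerShell, which makes the change repeatable and easy to verify. This is an added example, not part of the original article; the folder path, the group name, and the backup file location are placeholders.

```powershell
# Added example: placeholders below must be replaced with real values.
$Path     = 'D:\Shares\Finance'      # placeholder: folder behind the share
$Identity = 'CONTOSO\Interns'        # placeholder: group to deny

# A Deny entry overrides Allow entries, so a Deny on a broad group also
# applies to any administrator who is a member of it. Refuse those groups.
$tooBroad = 'Everyone', 'NT AUTHORITY\Authenticated Users',
            'BUILTIN\Users', 'BUILTIN\Administrators'
if ($tooBroad -contains $Identity) {
    throw "Refusing to add a Deny entry for '$Identity'; remove its Allow entry instead."
}

# Save the current ACLs first so the change can be rolled back with icacls /restore.
icacls $Path /save "$env:TEMP\finance-acl-backup.txt" /t | Out-Null

# Build a Deny / Full Control entry that is inherited by subfolders and files,
# which matches checking the Deny box for Full Control in the Security tab.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Identity,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify: list every Deny entry now present on the folder.
(Get-Acl -Path $Path).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags
```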
Method 2: Use Share Permissions
Share permissions are another way to control access to shared folders or drives on a Windows server. Share permissions are simpler than NTFS permissions, as they only have three levels of access: Full Control, Change, and Read. Share permissions apply to all files and subfolders within a shared folder or drive.
To use share permissions to prevent access to the network share on Windows Server, follow these steps:
1. Right-click on the folder or drive that you want to restrict access to, and select Properties.
2. Click on the Sharing tab, and then click on the Advanced Sharing button.
3. In the Advanced Sharing window, check the Share this folder box, and then click on the Permissions button.
4. In the Permissions for [folder name] window, select the user or group that you want to deny access to, and then uncheck all the boxes under Allow.
5. Click on Apply, and then click on OK.
6. Repeat steps 4 and 5 for any other users or groups that you want to deny access to.
7. Click on OK to close the Advanced Sharing window.
8. Click on OK to close the Properties window.
Note: If you want to allow some users or groups to access the network share, you can check one of the boxes under Allow for the appropriate level of access instead of unchecking them.
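The share-permission steps above map onto the SmbShare cmdlets. This added example (not from the original article) removes a group's Allow entries and then checks whether its members would still get in through a broader entry such as Everyone; the share name and group name are placeholders.

```powershell
# Added example: placeholders below must be replaced with real values.
$Share   = 'Finance'            # placeholder: share name
$Account = 'CONTOSO\Interns'    # placeholder: group to lock out

# Current share-level entries (Full, Change or Read; Allow or Deny).
Get-SmbShareAccess -Name $Share |
    Format-Table AccountName, AccessControlType, AccessRight

# Equivalent of unchecking every Allow box for the account:
# drop its Allow entries if it has any.
$own = Get-SmbShareAccess -Name $Share |
    Where-Object { $_.AccountName -eq $Account -and $_.AccessControlType -eq 'Allow' }
if ($own) {
    Revoke-SmbShareAccess -Name $Share -AccountName $Account -Force | Out-Null
}

# Removing Allow is not a block: members still match any broad Allow entry.
$broad = Get-SmbShareAccess -Name $Share | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.AccountName -in 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
}
if ($broad) {
    Write-Warning ("{0} still reaches '{1}' through: {2}" -f
        $Account, $Share, ($broad.AccountName -join ', '))
    # An explicit Deny entry wins over those Allow entries.
    Block-SmbShareAccess -Name $Share -AccountName $Account -Force | Out-Null
}

# Verify the final state of the share permissions.
Get-SmbShareAccess -Name $Share |
    Format-Table AccountName, AccessControlType, AccessRight
```

A Deny added with Block-SmbShareAccess can be removed again with Unblock-SmbShareAccess.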
Method 3: Use Group Policy
Group Policy is a feature of Windows that allows you to configure settings and restrictions for computers and users in a domain environment. Group Policy can be used to prevent access to network shares by using software restriction policies or firewall rules.
To use Group Policy to prevent access to network shares on Windows Server, follow these steps:
1. Open the Group Policy Management Console (GPMC) by clicking on Start > Administrative Tools > Group Policy Management.
2. In the GPMC window, expand your domain name, and then right-click on the organizational unit (OU) that contains the computers or users that you want to restrict access to. Select Create a GPO in this domain, and Link it here.
3. In the New GPO window, enter a name for your GPO, and then click on OK.
4. Right-click on the newly created GPO, and select Edit.
5. In the Group Policy Management Editor window, expand Computer Configuration or User Configuration, depending on whether you want to apply the policy to computers or users.
6. To use software restriction policies, expand Policies > Windows Settings > Security Settings > Software Restriction Policies. Right-click on Additional Rules, and select New Path Rule.
7. In the New Path Rule window, enter the path of the network share that you want to block access to, such as \\Server\Share. Select Disallowed as the security level, and then click on OK.
8. Repeat steps 6 and 7 for any other network shares that you want to block access to.
9. To use firewall rules, expand Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security. Right-click on Outbound Rules, and select New Rule.
10. In the New Outbound Rule Wizard window, select Custom as the rule type, and then click on Next.
11. In the Program screen, select All programs as the program that the rule applies to, and then click on Next.
12. In the Protocol and Ports screen, select Any as the protocol type, and then click on Next.
13. In the Scope screen, select These IP addresses as the remote IP address that the rule applies to, and then click on Add.
14. In the IP Address dialog box, enter the IP address of the server that hosts the network share that you want to block access to, such as 192.168.1.100. Click on OK.
15. Repeat steps 13 and 14 for any other network shares that you want to block access to.
16. Click on Next to continue with the wizard.
17. In the Action screen, select Block the connection as the action that the rule performs, and then click on Next.
18. In the Profile screen, select Domain, Private, and Public as the profiles that the rule applies to, and then click on Next.
19. In the Name screen, enter a name and a description for your rule, and then click on Finish.
Note: You can also use Group Policy Preferences to hide or remove network shares from Windows Explorer.
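The outbound firewall rule from the wizard steps can also be written into the GPO with the NetSecurity cmdlets. This added example (not from the original article) shows the rule as the wizard configures it (any protocol) next to a narrower variant limited to SMB on TCP 445; the GPO store name is a placeholder, and 192.168.1.100 is the sample address from the steps.

```powershell
# Added example. The GPO store is a placeholder in the form <domain FQDN>\<GPO name>.
$ServerIp = '192.168.1.100'                               # sample address from the steps above
$Store    = 'contoso.example\Block File Server Access'    # placeholder GPO store
$SmbOnly  = $true   # $false reproduces the wizard steps exactly (protocol Any)

$rule = @{
    PolicyStore   = $Store
    DisplayName   = 'Block outbound to file server'
    Description   = 'Clients in this OU must not reach the file server shares'
    Direction     = 'Outbound'
    Action        = 'Block'
    RemoteAddress = $ServerIp
    Profile       = 'Domain, Private, Public'
    Enabled       = 'True'
}
if ($SmbOnly) {
    # Only file sharing is cut off; other services on the same server
    # stay reachable from the affected clients.
    $rule.Protocol   = 'TCP'
    $rule.RemotePort = 445
} else {
    # Protocol Any blocks every connection to the address, not just SMB.
    $rule.Protocol = 'Any'
}
New-NetFirewallRule @rule | Out-Null

# Verify what was written to the GPO: direction, action, scope and port.
Get-NetFirewallRule -PolicyStore $Store -DisplayName $rule.DisplayName |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name       = $_.DisplayName
            Direction  = $_.Direction
            Action     = $_.Action
            Remote     = $addr.RemoteAddress
            Protocol   = $port.Protocol
            RemotePort = $port.RemotePort
        }
    }
```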
Frequently Asked Questions (FAQ)
Here are some common questions and answers related to preventing access to network shares on Windows Server.
Question: How can I check who has access to a network share?
Answer: You can use the Effective Access tab in the folder or drive properties to check who has access to a network share. To do this, right-click on the folder or drive, select Properties, click on the Security tab, and then click on the Advanced button. In the Advanced Security Settings window, click on the Effective Access tab, and then click on Select a user. Enter the name of a user or group that you want to check, and then click on OK. You will see a list of permissions that apply to that user or group for that folder or drive.
Question: How can I prevent users from creating network shares?
Answer: You can use Group Policy to prevent users from creating network shares. To do this, open the GPMC window, create or edit a GPO that applies to your users, and then navigate to User Configuration > Policies > Administrative Templates > Windows Components > File Explorer. Double-click on Remove “Map Network Drive” and “Disconnect Network Drive”, select Enabled, and then click on OK.
Question: How can I audit access to network shares?
Answer: You can use audit policies to audit access to network shares. To do this, open the GPMC window, create or edit a GPO that applies to your computers or users, and then navigate to Computer Configuration or User Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access. Double-click on Audit File System or Audit Handle Manipulation, select Configure the following audit events, check Success and/or Failure boxes depending on what you want to audit, and then click on OK.
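Enabling Audit File System only produces events for folders that also carry an audit entry (SACL), so the policy and the folder have to be configured together. This added example (not from the original article) enables the subcategory locally, adds the audit entry, and reads back the resulting Security log events; the folder path is a placeholder, and the script must run elevated on the file server.

```powershell
# Added example: run elevated on the file server. The path is a placeholder.
$Path = 'D:\Shares\Finance'

# 1. Local equivalent of the GPO setting (subcategory names are localized;
#    "File System" is the English name).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit entry to the folder. Without it, Audit File System logs nothing
#    for this folder. Auditing successful reads for Everyone is noisy; narrow the
#    group or the rights where possible.
$audit = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($audit)
Set-Acl -Path $Path -AclObject $acl

# 3. Read back event 4663 ("An attempt was made to access an object") and keep
#    only the entries that refer to objects under the audited folder.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    ForEach-Object {
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($data.ObjectName -like "$Path*") {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Object     = $data.ObjectName
                AccessMask = $data.AccessMask
                Process    = $data.ProcessName
            }
        }
    } | Format-Table -AutoSize
```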
Conclusion
In this article, we have shown you how to prevent users from accessing network shares on Windows Server using different methods: NTFS permissions, share permissions, and Group Policy. We have also answered some frequently asked questions related to this topic.
We hope you have found this article helpful and informative. If you have any questions or feedback, please feel free to leave a comment below.
Disclaimer: The information in this article is provided for educational purposes only and does not constitute legal or professional advice. Please consult your own IT expert before implementing any of these methods in your environment.