How to Know If Your Files Are Safe on a Local Network
Local network file sharing keeps data off the internet — but that does not automatically mean it is safe. Here is how to assess and improve the security of your office file sharing.
The Core Safety Question
"Are my files safe on a local network?" depends on three separate things:
- Can people outside the office access them? (external exposure)
- Can the wrong people inside the office access them? (internal access control)
- Are they protected against loss? (backup and redundancy)
A local file share that satisfies all three is genuinely safe. Most small office configurations satisfy only the first — and even that is not always deliberate.
Are Your Files Accessible From Outside the Office?
By default: no. Your office router uses NAT (Network Address Translation), which means your internal machines are not directly reachable from the internet. Any device on the internet sending a packet to your office IP address hits the router — not your file server.
Exceptions that break this:
- Port forwarding rules on your router (check: router admin panel → Port Forwarding or Virtual Server — should be empty unless deliberately configured)
- A VPN that exposes the LAN to remote devices (intended — check what the VPN's split tunneling settings are)
- Remote Desktop or remote management tools that someone has set up and forgotten
- RDP port forwarding (port 3389) — this is a known target for automated attacks
Quick check: visit canyouseeme.org from your office network and check ports 445 (SMB), 139, and 3389. If any show "Success," those ports are exposed.
On your router: Look for a list of "Port Forwarding" or "Virtual Server" rules. There should be none relating to SMB, RDP, or file sharing unless intentionally configured.
Are Your Shared Folders Accessible to Everyone on Your WiFi?
If your WiFi is open or uses a widely-shared password, anyone who connects to it has access to your internal network — including shared folders with loose permissions.
Check:
- Is your WiFi WPA2 or WPA3 secured?
- Does your office have a guest WiFi (separate from staff WiFi) that clients and visitors use?
- Is the guest network isolated from the main LAN? (router admin → Guest Network → Client isolation: enabled)
Without a separate guest network: a client who visits your office and connects to your WiFi has LAN access and could discover and browse your shared folders.
Is Your File Share Properly Authenticated?
The next question: if someone is on your LAN (a staff member, or a visitor on your WiFi), can they access your shared folders without credentials?
Check:
- Open Network and Sharing Centre → Advanced Sharing Settings → All Networks
- Confirm "Password protected sharing" is On
- Test from another machine: browse to
\\HOSTNAME\ShareNamewithout entering credentials — if it connects without prompting, authentication is off
If authentication is off, anyone on your WiFi network can browse your shared folders.
The fix: Enable password-protected sharing. Add local accounts for each authorised user on the host machine.
Can Staff Access Files They Should Not?
Internal access control is the most commonly overlooked security layer. A shared folder with one set of permissions is all-or-nothing — anyone with access can see everything.
For sensitive data (HR files, payroll, contracts, individual client information):
- These should be on a separate share with permissions restricted to the people who legitimately need them
- Do not rely on the assumption that "the team trusts each other" — this is about having auditable, separable control
Windows: Advanced Sharing → Permissions → remove Everyone → add only specific accounts with appropriate level (Read Only or Full Control)
NAS: ACL → per-user, per-folder permissions → staff can be given access to project folders without access to admin or financial folders
Are Files Protected Against Hardware Failure?
A RAID array is not a backup. This is one of the most important things to understand about data safety on a local network.
RAID 1 (mirroring) copies data to two drives simultaneously — if one drive fails, the other continues. RAID 5 distributes data across three or more drives with a parity block — one drive can fail without data loss. Both protect against hardware failure in the moment. They do not protect against:
- Accidental deletion (deleted from both drives simultaneously)
- Ransomware (encrypts all drives including the mirror)
- Controller failure (damages data on both drives simultaneously)
- Fire or theft (the RAID enclosure leaves the building with both copies)
Genuine protection requires:
- At least one copy of the data that is physically separate from the primary copy
- Regular verification that backups are intact and restorable
Minimum backup setup for a small office:
- Primary: the shared folder (NAS or shared machine)
- Backup 1: a second external drive or backup NAS that updates nightly (Synology HyperBackup, Windows Backup, or similar)
- Backup 2: an encrypted cloud backup (Backblaze B2, Wasabi, Cloudberry) for offsite recovery
Are File Transfers Encrypted?
For data passing between machines on your local network via file transfer tools:
| Tool | Transfer encryption |
|---|---|
| Windows SMB 3 | Encrypted by default between modern Windows machines |
| Windows SMB 2 | Not encrypted by default |
| Oxolan | Encrypted in transit |
| LocalSend | HTTPS (encrypted) |
| FTP (FileZilla) | No encryption by default; SFTP is encrypted |
On a private office network inaccessible to outside parties, unencrypted LAN traffic is a low practical risk for most small businesses. For high-sensitivity data (medical records, legal documents, financial data), encrypted-in-transit tools provide additional assurance.
The Quick Safety Assessment
Rate your current setup:
- External ports 445, 139, 3389 are closed (verified via canyouseeme.org)
- WiFi is WPA2/WPA3 secured with a strong password
- Guest WiFi is separate from staff WiFi and isolated from the LAN
- Password-protected sharing is enabled on file shares
- Sensitive folders have restricted access (not visible to all staff)
- Data has an offsite backup (not just on the same physical device)
- Backup has been tested with a file restore in the last 90 days
If you can tick all seven: your files are well-protected. Missing any of the first four means there is a real access risk worth addressing.
Get Oxolan for Windows — transfers without exposing shares to the network
Frequently Asked Questions
If our internet goes down, are our files still accessible? Yes. Local network file sharing does not depend on the internet. All machines on the same physical network can still access shared folders and transfer files through the office switch/router even during an internet outage.
Can a hacker on the internet access our shared folders? Not if your router is not forwarding the relevant ports. The most common way this happens for small offices is through a compromised RDP (Remote Desktop) setup or a router with default credentials that someone has modified. Check both.
Should we use a VPN for staff working from home? A VPN lets remote staff access the office network securely — effectively placing their machine on the office LAN. Yes, it is appropriate for staff who need to access local shares from home. Ensure the VPN itself is secured (strong credentials, MFA if possible) since it is the point of external access.
Is Oxolan more secure than Windows shared folders? Different security model. Oxolan uses application-level authentication and encryption in transit, and doesn't require Windows networking services to be exposed. Windows SMB is lower-level with more configuration surface area. For non-technical offices, an application-level tool has fewer misconfiguration opportunities.
Done troubleshooting Windows?
Oxolan handles file sharing so you never have to think about this again.
Get Oxolan for Windows