IT Support | Sharing in Moderation
Posted by Dan Rodden on Thu, Nov 10, 2011
One thing I’ve noticed, a leftover of old technology and old habits, is that some networks carry massive numbers of shared folders. The idea is that each share holds different content or requires different access rights – but for a decade now it has been true that share permissions are redundant on an NTFS file system network. Best practice for shared folders in an NTFS environment stipulates that the ‘Everyone’ group be given Full Control share permissions, and that the NTFS access control list is then used to specify granular permissions.
Since NTFS permissions are used to control folder access, why do we bother with having multiple shares for the sake of controlling various permissions?
Well, the truth is there aren’t many reasons. One in particular that stands out is a mixed-operations environment with various operating system technologies. If you run a Windows environment with Linux and Mac OS X clients, then you will actually need to use the share permissions and will rely on them for granular access control. However, if you operate a purely Windows environment, you can consolidate all of your shares into a single share. Instead of having a volume or partition on your servers with several different shares at the root, you can create a single ‘SharedData’ folder and share that. If you are using the shared drives to create drive-letter mappings on client computers, you can simply map the letter to a sub-folder of the share.
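The consolidation described above, as an added PowerShell example that is not part of the original post: one share at the volume root with the Everyone / Full Control share permission the post recommends, NTFS ACLs on sub-folders for the actual access decisions, a quick verification step, and a client-side drive-letter mapping to a sub-folder. The server name FS01, the D: volume, the domain name and the group names are placeholders, and the SMB cmdlets assume Windows Server 2012 or later.

```powershell
# Added example (not from the original post): one 'SharedData' share, gated by NTFS ACLs.
# Assumptions (placeholders): server FS01, data on D:, security groups
# DOMAIN\Finance-Users and DOMAIN\HR-Users already exist.
$Root   = 'D:\SharedData'
$Server = 'FS01'
$Domain = 'DOMAIN'

# 1. A single folder at the root of the volume, shared once.
New-Item -Path $Root -ItemType Directory -Force | Out-Null
# Share permission is deliberately broad (Everyone / Full Control) as the post recommends;
# the effective permission is the intersection of share and NTFS, so NTFS decides access.
New-SmbShare -Name 'SharedData' -Path $Root -FullAccess 'Everyone' | Out-Null

# 2. Granular access through NTFS ACLs on sub-folders instead of separate shares.
function Set-DepartmentFolderAcl {
    param([string]$Path, [string]$Group)
    New-Item -Path $Path -ItemType Directory -Force | Out-Null
    $acl = Get-Acl -Path $Path
    # Stop inheriting from SharedData so the parent's broader entries do not apply here;
    # $false discards the entries that were inherited rather than copying them.
    $acl.SetAccessRuleProtection($true, $false)
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $entries = @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @($Group,                   'Modify')        # the department group, no more than Modify
    )
    foreach ($e in $entries) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $e[0], $e[1], $inherit, $propagate, 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}
Set-DepartmentFolderAcl -Path "$Root\Finance" -Group "$Domain\Finance-Users"
Set-DepartmentFolderAcl -Path "$Root\HR"      -Group "$Domain\HR-Users"

# 3. Verify: exactly one share is advertised, and each sub-folder carries its own NTFS entries.
Get-SmbShareAccess -Name 'SharedData'
(Get-Acl -Path "$Root\Finance").Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited

# 4. On a client, map a drive letter to a sub-folder of the single share (persists across logons).
New-PSDrive -Name 'F' -PSProvider FileSystem -Root "\\$Server\SharedData\Finance" -Persist
```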
What this approach does, aside from cleaning up your network folders, is reduce the surface area for both administration and security. There are fewer shared folders and thus fewer ACLs to manage. Only a single shared folder is advertised on the network, so any unwanted guests have a significantly reduced attack surface.
