My thoughts on server shares

by In General Rants, windows Tagged , , ,

Over the years I’ve installed, configured and setup hundreds of servers. I don’t get stuck naming them and I don’t get stuck securing them. I don’t really get stuck setting up file shares but that is where a lot of my time explaining my decision goes into.

Some administrators and managers are of the opinion that they should setup a single file share (\\share), give everyone in the company access to it and let them go to town. This is quite possibly the worst thing you can do to your network. Over time (and a short time at that) your single file share will devolve in to the wild-wild west. Your backups will include twenty to thirty empty new folders, several hundred or thousand tilde temp files and a file structure resembling the plotline to the movie Primer.

You should always split your file sharing structure into whatever works best for your users. Notice I said your users, not your network administrators. Either by department, division, operations or teams, whatever makes sense.

Security management of a file sharing scheme with one share can become a nightmare. You will, over time, find yourself removing inheritance and applying folder specific shares with individual users instead of maintaining security through the use of AD groups. Segmented sharing will give you a finer grain of control over the users who need access to that data. A single share gives you nothing but a headache.

Part of the security control on multiple shares is the ability to designate access via GPO mapping to shared resources. If you are using “logon.bat” in 2017 it’s time to open your browser and search for “GPO disk shares” and dig in to some reading with a nice cup of tea.

Segmenting will also help mitigate malware outbreaks if a ransomware application gets lose in your network. With a network segmented by department (and security locked), any outbreak will be limited to the areas of business the user has access to.

On the subject of segmentation, I have some clients who absolutely insist on being able to “see” the root level of all system shares on their network. I will always take time to explain why this is a terrible idea and if I am unable to dissuade, will demand my clients sign a separate addendum to our agreement absolving me of damage should malware hit, network wide, due to the actions of the managers or owners who insist on this level of access.
With that in mind, never give any one account direct access to all network shared data. Operationally, you don’t even need the administrator account to update or manage shares. You can create domain accounts whose sole purpose is the management of network shares.

Segment your shares, secure them with groups, share them with GPO mapping and enable VSS for instant recovery of files. Spend the time now to set your shares up and you will thank me (and many others) later.