To Share or Not to Share?

  • To Share or Not to Share?

    What are your thoughts on shares? For example, aside from the basic shares, would you create shares that encompass everything a user may need or the basics?

    When the team I'm on builds a server, we create the following shares:
    \\server1\home
    \\server1\data (which will contain AR, AP, Share, Finance, HR)
    \\server1\printers

    When the other team builds a server, they create numerous shares:
    \\server2\home
    \\server2\data
    \\server2\AR
    \\server2\AP
    \\server2\Share
    \\server2\Finance
    \\server2\HR
    \\server2\printers

    They may have 15-20 shares on each of the servers they build. They say it doesn't matter how many as "Windows can take it". We argue the security risk.

    What are your thoughts? I apologize if this is the wrong place to post this.

    TIA.

  • #2
    Re: To Share or Not to Share?

    If you have one "Data" share with several departmental folders underneath, you have a small security risk in that the folders are there for the browsing if the script kiddie can get access. With multiple shares in separate folders, you can only see, under the share, the folders for YOUR department. More shares for me = BETTER security.

    The only disadvantage is the increased cost in administration time; more shares=more points of failure. However, if you lose a share, you lose access to less data than if your "Data" share went pete-tong; if that went up in smoke you lose access to the lot.

    So - I think the advantages fall down on the side of having lots of separate folders which are independently shared.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: To Share or Not to Share?

      p.s. I **always** recommend leaving share perms at "Everyone: FULL CONTROL" and controlling access through NTFS permissions. Share perms are not granular enough and add nothing to security. So - your argument that more shares=worse security doesn't hold any water if you use my permissions model.


      Tom


      • #4
        Re: To Share or Not to Share?

        I agree on the shares + NTFS....I omitted the part where, with their shares their NTFS permissions are all over the place--and that's another story. We were recently audited and they nailed us on having "too many" shares, so we scaled back. Just trying to find a happy medium and step back from the we've always done it this way mentality.

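Posts #3 and #4 together describe a setup where the share ACL is left at "Everyone: Full Control" and NTFS is the only gate, which is only as good as the NTFS ACLs actually are. The following audit is an added example, not code from any poster; it assumes English account names and checks only the root folder of each share.

```powershell
# Added example (not from the thread). Run elevated on the file server;
# needs the SmbShare module (Windows Server 2012 / Windows 8 or later).

# Assumption: English account names; localized systems use different strings.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

# NTFS rights that let a principal change data or the ACL itself.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

$report = foreach ($share in Get-SmbShare -Special $false) {
    # Skip shares with no folder behind them (printers) or whose folder is gone.
    if (-not $share.Path -or -not (Test-Path -LiteralPath $share.Path)) { continue }

    # Share-level ACEs that leave the share wide open (the model from post #3).
    $openShareAce = Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -eq 'Full' -and
        $_.AccountName -in $broad
    }

    # NTFS ACEs on the share root that give a broad principal write access.
    $broadNtfsWrite = (Get-Acl -LiteralPath $share.Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -in $broad -and
        (([int]$_.FileSystemRights) -band $writeBits) -ne 0
    }

    # With an open share ACL, NTFS is the only control left.
    $finding = if ($openShareAce -and $broadNtfsWrite) {
        'REVIEW: open share ACL and broad NTFS write'
    } elseif ($openShareAce) {
        'Open share ACL, NTFS root restricts write'
    } else {
        'Share ACL is itself restricted'
    }

    [pscustomobject]@{
        Share          = $share.Name
        Path           = $share.Path
        ShareLevelOpen = [bool]$openShareAce
        BroadNtfsWrite = ($broadNtfsWrite.IdentityReference.Value | Sort-Object -Unique) -join ', '
        Finding        = $finding
    }
}

$report | Sort-Object Finding, Share | Format-Table -AutoSize
```

ACEs stored with generic rights (for example inherit-only entries for CREATOR OWNER) are not decoded by the bit test, and subfolders with broken inheritance need a recursive pass or a tool such as AccessEnum.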


        • #5
          Re: To Share or Not to Share?

          Originally posted by Stonelaughter:
          p.s. I **always** recommend leaving share perms at "Everyone: FULL CONTROL" and controlling access through NTFS permissions. Share perms are not granular enough and add nothing to security. So - your argument that more shares=worse security doesn't hold any water if you use my permissions model.

          ABSOLUTELY. Cannot tell you how many "discussions" I've had over the years on this topic. Invariably, messing with share permissions always causes confusion down the road. And people don't get that share permissions were from the way back pre-NTFS and, IMHO, remain only to this day if you are silly enough to share a directory on a FAT* partition.

          Back to the OP's ?...

          My only concern w/ lots of shares is the alphabet. If I need to mount many of those shares, that will take up many drive letters, and standards on drive letters are a necessary evil in Bill's world.

          VAX VMS had this wonderful construct called a "global symbol". It effectively was a name to a path or UNC. Unfortunately Cutler did not prevail in his development on Windows NT as I'm certain he would have pushed for such a construct. UNCs have always been half-baked, IMHO.

          So I would try to minimize mount points (shares) and limit access within them via ACLs but that's my opinion and if you ask around my house, its value varies greatly from day to day.
          Cheers,

          Rick

          ** Remember to give credit where credit is due and leave reputation points where appropriate **

          2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.



          • #6
            Re: To Share or Not to Share?

            You only have to look at AmigaDOS. A "Volume" in AmigaDOS had a "Device Name" (256 characters, case insensitive) and a "Volume Name" (256 Characters, case insensitive). Suffix EITHER with a colon to access the volume. So: Volume "WorkBench3.0:" (Case was preserved but ignored for identity) could be mounted on volume "DH0:" and you could access the folder libs/graphics at either "WorkBench3.0:libs/graphics" or DH0:libs/graphics. In addition to this, you could "ASSIGN" arbitrary device names to ANY device/volume/folder. So you could have device name GRAPHICS: for the folder above if you wanted to.

            And let's remember this was a HOME USER's OS designed originally to play games from floppy disk (although it came a long way since the beginning, these features were present from the start).


            Tom


            • #7
              Re: To Share or Not to Share?

              I think that this is one of those issues where there's no one way to do things right. Every case has its details.
              I use one share, with folders for every department (some 10 of them) and a common folder inside, and every department sees only the common and its folder. Whenever there is the need, I change the permissions to allow one team to see the other's files. But this is easy to do on the Netware volume (this share resides on Netware). To achieve the same on NTFS, you need to use both Allow and Deny permissions on every folder. This is a tremendous administrative overhead. And you can easily get to the situation when you're lost in your own permissions, and don't know why a user cannot see his/her files. At the end, you'll have to call Sysinternals' AccessEnum to save the day.
              One has to consider the pros and cons for each of the methods and to decide what suits him/her best. Tom and Rick covered them in their replies.
              Two notes:
              - auditors are a real pain in the neck. Not all of them know what they are talking about. But they decide what you should do. I had one of those too. I tried to convince him that the way we did it is the proper way for us. I partially succeeded.
              - a lot of shares does not always mean a lot of letters. As the OP describes his setup, it is to be assumed that Finance will map their share and HR theirs. It can be done easily with the same letter, by writing the login script using the user's membership in one or another group.

              Just me thinking out loud...
              Great weekend to us all.

              Sorin Solomon


              In order to succeed, your desire for success should be greater than your fear of failure.


              • #8
                Re: To Share or Not to Share?

                You are oh so correct regarding those auditors. I'm sure you ran a demo for them and even with "proof" you were required to implement something lame because it was on their checklist.

                On the mapping, I'm betting some folks in Finance will need to also see the AP and AR shares and so on. Not enough to run out of letters but enough that you can't say "Joe, go look for file XXX on the Y: drive". Everyplace I've been has standard share to drive lettering and users identify with the letters, not the share names.
                Cheers,

                Rick


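Post #7 suggests mapping one drive letter per user from group membership, and post #8 points out that some users belong to more than one department. The following logon-script sketch is an added example, not code from either poster; the `EXAMPLE\...` group names, the choice of `S:` and the priority order are assumptions, and the share paths are the ones from the opening post.

```powershell
# Added example (not from the thread): map one standard letter to the
# user's department share, and surface the multi-group case from post #8.

# Assumption: hypothetical group names; order = priority when a user is in several.
$departmentShares = [ordered]@{
    'EXAMPLE\Finance' = '\\server2\Finance'
    'EXAMPLE\HR'      = '\\server2\HR'
    'EXAMPLE\AP'      = '\\server2\AP'
    'EXAMPLE\AR'      = '\\server2\AR'
}
$letter = 'S'   # assumption: the site's standard "department" drive letter

# Group names from the logon token; SIDs that cannot be resolved stay as SIDs.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groups = $identity.Groups.Translate([System.Security.Principal.NTAccount], $false) |
    ForEach-Object { $_.Value }

# Department groups this user is in, kept in priority order.
$hits = @($departmentShares.Keys | Where-Object { $groups -contains $_ })

if ($hits.Count -eq 0) {
    Write-Verbose 'User is in no department group; nothing mapped.'
    return
}

if (Get-PSDrive -Name $letter -ErrorAction SilentlyContinue) {
    # Do not silently replace an existing mapping; users identify with letters.
    Write-Warning "${letter}: is already in use; leaving it as it is."
    return
}

$primary = $hits[0]
New-PSDrive -Name $letter -PSProvider FileSystem -Root $departmentShares[$primary] `
    -Persist -Scope Global | Out-Null

if ($hits.Count -gt 1) {
    # The collision from post #8: one letter cannot stand for several shares.
    $others = $hits | Select-Object -Skip 1 | ForEach-Object { $departmentShares[$_] }
    Write-Warning ("${letter}: mapped to $($departmentShares[$primary]); " +
        "also entitled to: $($others -join ', ') (reach these by UNC path).")
}
```

Mapping a letter grants nothing by itself; access is still decided by the share and NTFS ACLs on the target.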
