Best Practices for Designing Share Sizes

Relying on Microsoft to define share sizes for your server may not be that easy. There is no set standard that tells Administrators how to handle share sizes. In the server environment, it takes personal intuition to develop the best practices that can be implemented when defining shares over a network.

Most, if not all, network shares are deployed on the NTFS file system, which enables Administrators to set permissions that affect local users and all network users based on the access rights granted to each of them at the login session. Regardless of the situation, system administrators can control access to shared resources as part of system security. File shares are commonly used and thus very vulnerable if you are unsure of what to do. To protect your data, you need to adopt the best practices that determine the security of file shares.

1. Have Standard Permissions

Every user or group member in a network should be assigned customized permissions according to their individual requirements. It is therefore wise to have a standard set of permissions for all shared locations. In a typical setup, the standard permissions are Full Control for Administrators and System. You can use the Global Deny Group that defines all “Deny” permissions.

2. Use Simplified Permissions Structure

Managing and installing a simple share structure is the dream of any System Administrator. A simplified structure gives the owners of the share confidence in the security of their data. Pressure from management could force you to set up an unrealistic or complicated share structure that can only lead to poor share management for both the IT staff and management. A better solution should include staff training when new share policies are implemented.

3. Share with Security Groups

Instead of assigning shares to individual accounts, Microsoft recommends the use of security groups when assigning permissions. Giving share rights to individual users becomes an administration headache when additional users require the same permissions and you end up duplicating or cloning permissions. This can be avoided by assigning permissions at the top group level.

4. Use Ideal Share Names

Using names that describe the kind of permissions assigned to a group is highly recommended. This approach makes it easier for other administrators to map share locations when new employees are added to the network. Share names of fewer than 20 characters, with no special signs or symbols, are encouraged. This naming structure makes shares easy to manipulate from the command prompt.

5. Share Permission Should Reflect the Department or Nature of Work

When defining share permissions and creating top-level groups, you can add groups whose user accounts are grouped according to the department or work they are assigned to do. For example, you can have the IT Administrators group with all the individual IT staff accounts. Doing so gives the Administrators the flexibility to change individual access permissions simply and accurately. Changing a user's permissions becomes as easy as changing the user's group (moving users to a group with the required permissions).

6. Define Effective Permissions

When effective share permissions are not done correctly, a user will see “Access Denied” errors when trying to access files assigned to them. On the other hand, poor design of effective permissions may lead to loose access. There are three levels of effective share permissions — the Loose, Loose, and Tight.

  • The first Loose refers to the folder permission, which applies to the root folder that carries the share permissions. This Loose defines the Read/List permission that everyone in that group has.
  • The second Loose is the share permission, which is assigned to a user who holds different share permissions. For example, a user that requires both Read and Change permissions will be granted the less restrictive Change permission.
  • The Tight is the effective permission, which combines folder and share permissions. For example, for a user with Read permission at the NTFS level and Change permission at the share level, the effective permission is the more restrictive of the two, in this case Read.
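
The Loose, Loose, Tight rule above can be expressed as a small model. This is an added example, not code from the original article; the group names and grant tables are constructed, and Deny entries and special permissions are not modelled.

```powershell
# Simplified model of "Loose, Loose, Tight" (added example).
# Access levels ordered from most to least restrictive; index = rank.
$Levels = 'None', 'Read', 'Change', 'Full'

function Get-LayerAccess {
    # "Loose": within one layer (folder or share), the least restrictive
    # grant among the user's groups wins.
    param([string[]]$Groups, [hashtable]$Grants)
    $best = 0
    foreach ($g in $Groups) {
        if ($Grants.ContainsKey($g)) {
            $rank = [array]::IndexOf($Levels, $Grants[$g])
            if ($rank -gt $best) { $best = $rank }
        }
    }
    return $best
}

function Get-EffectiveAccess {
    # "Tight": across the two layers, the more restrictive result wins.
    param([string[]]$Groups, [hashtable]$ShareGrants, [hashtable]$NtfsGrants)
    $share = Get-LayerAccess -Groups $Groups -Grants $ShareGrants
    $ntfs  = Get-LayerAccess -Groups $Groups -Grants $NtfsGrants
    [pscustomobject]@{
        Share     = $Levels[$share]
        Ntfs      = $Levels[$ntfs]
        Effective = $Levels[[Math]::Min($share, $ntfs)]
    }
}

# Constructed sample grants (hypothetical group names).
$shareGrants = @{ 'Sales-Read' = 'Read'; 'Sales-Change' = 'Change' }
$ntfsGrants  = @{ 'Sales-Read' = 'Read' }

# Case 1: member of both groups. The share layer grants Read and Change,
# the NTFS layer grants only Read.
Get-EffectiveAccess -Groups 'Sales-Read', 'Sales-Change' `
    -ShareGrants $shareGrants -NtfsGrants $ntfsGrants

# Case 2: granted at the share level but missing from the folder ACL.
# This is the mismatch that shows up to the user as "Access Denied".
Get-EffectiveAccess -Groups 'Sales-Change' `
    -ShareGrants $shareGrants -NtfsGrants $ntfsGrants
```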

7. Avoid Using the Everyone Group

The best share design approach is to limit NTFS permissions to the root-level folder that is created by administrators. Within the Read-only root-level folder, you are allowed to create 3 to 10 logical folders to accommodate user data and assign Change permission either on the logical folders or on sub-folders.

8. Constantly Review Permission Changes

As time goes by, new users join the network and additional tweaks are made to reflect new changes. Lack of proper follow-up from the System Administrators may result in many users being given Full Control rights to the share volumes, which exposes the network by creating security holes and can possibly lock out authorized users.
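
A periodic review of the points in sections 7 and 8 can be scripted. The function below is an added example, not part of the original article: it flags share entries that grant access to Everyone, or Full Control to anything outside the standard Administrators and System set. The function name, account names and sample rows are constructed.

```powershell
function Find-RiskyShareAce {
    # Accepts objects shaped like Get-SmbShareAccess output (Name,
    # AccountName, AccessControlType, AccessRight) and reports Allow
    # entries that break the share design rules.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Ace,
        # Accounts expected to hold Full Control (the standard set).
        [string[]]$FullControlAllowed = @('BUILTIN\Administrators',
                                          'NT AUTHORITY\SYSTEM')
    )
    process {
        if ("$($Ace.AccessControlType)" -ne 'Allow') { return }
        $reason = $null
        if ($Ace.AccountName -eq 'Everyone') {
            $reason = 'Everyone group has access'
        }
        elseif ("$($Ace.AccessRight)" -eq 'Full' -and
                $FullControlAllowed -notcontains $Ace.AccountName) {
            $reason = 'Full Control outside the standard set'
        }
        if ($reason) {
            [pscustomobject]@{
                Share   = $Ace.Name
                Account = $Ace.AccountName
                Right   = "$($Ace.AccessRight)"
                Reason  = $reason
            }
        }
    }
}

# Constructed sample rows (hypothetical shares and accounts).
$sample = @(
    [pscustomobject]@{ Name = 'Finance';  AccountName = 'BUILTIN\Administrators'
                       AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ Name = 'Finance';  AccountName = 'Everyone'
                       AccessControlType = 'Allow'; AccessRight = 'Change' }
    [pscustomobject]@{ Name = 'Projects'; AccountName = 'CONTOSO\jsmith'
                       AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ Name = 'Projects'; AccountName = 'CONTOSO\Projects-Change'
                       AccessControlType = 'Allow'; AccessRight = 'Change' }
)
$sample | Find-RiskyShareAce | Format-Table -AutoSize

# On a file server, feed it live data instead:
#   Get-SmbShare | Get-SmbShareAccess | Find-RiskyShareAce
```

Saving the output of each run and comparing it with the previous one shows which entries were added since the last review.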

9. Have A Central Management and Response System

The best way to reduce server attacks is to create local shortcuts pointing to shared resource locations. The deployment of such shortcuts via Group Policy minimizes the risk of users spreading a virus to mapped network drives.


When setting up file shares, Administrators have adopted the practice of limiting Storage Area Network (SAN) volumes and shares to 2TB to improve performance, restore time, and snapshots. According to the Microsoft website, you can go as far as 16TB to 256TB depending on your cluster size.

The best practice is to use 2TB, which translates to easier and faster cloning and quick backups and restores. Using the Distributed File System (DFS) gives more room for those who want to use share volumes across multiple servers and still give users the impression of using one large share volume.

Some of the best practices when designing share sizes depend on the organization's structure and its needs. Another approach is to re-evaluate the need for a large share volume given the increasing internet speeds and increased bandwidths. Administrators can also allocate reasonable space and enforce policies that restrict the type of files users can store on the server and when they can store them. This prevents dumping of files that may be irrelevant after a few days.


