Windows File Shares Configuration – Best Practice
To exchange data within a company, IT repeatedly creates file shares and publishes them to users.
In the following article we explain how to create file shares, point out the special features that need to be taken into account, and give various tips for managing file shares.
Initial Situation
A new file share is to be created on a new volume and used by different users. For this we create a folder "Share" in the root directory of the new volume.
Newly created folder to be used as a file share
In the NTFS file system, the newly created folder inherits the NTFS permissions of the volume root. At this point the folder is not yet shared and therefore has no share permissions.
Initial NTFS permissions of the folder to be shared
Note
The initial NTFS permissions should be adjusted before the folder is shared and should not be left in their initial state: the default ACL of a volume root grants "Users" the right to create files and folders, and "CREATOR OWNER" Full Control over everything a user creates. In addition, it is strongly recommended to break inheritance on the folder to be shared (especially if the folder is to be published in a DFS namespace later), so that later changes to the volume root do not silently propagate into the share.
Adjustment of NTFS Permissions
Before the folder is shared and linked in a DFS namespace, the NTFS permissions should be cleaned up. Break the inheritance and make sure that the well-known principal "CREATOR OWNER" is removed: with it in place, every user who creates a file or folder automatically receives Full Control over that object. Also make sure that the entry for the "Users" object is scoped to "This folder only" rather than "This folder, subfolders and files". This way users can initially only access the root of the new file share and do not unintentionally receive permissions on subfolders created later; those permissions are granted deliberately, per subfolder, via groups. Furthermore, "Authenticated Users" should be used instead of the "Users" object: "Authenticated Users" is a well-known group with fixed membership, whereas BUILTIN\Users is a local group on each server whose membership can be changed.
Folder to be shared with customized NTFS permissions
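The cleanup described above, as an added PowerShell example (not part of the original article): it breaks inheritance on the folder, drops the inherited entries including "CREATOR OWNER" and "Users", grants administrators the whole subtree and "Authenticated Users" the share root only, and then prints the resulting ACL so the result can be checked. The path "E:\Share" and the group "AD\FS-Admins" are placeholders for this illustration.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on the file server.
$Path = 'E:\Share'    # assumption: the folder from the walkthrough

$acl = Get-Acl -Path $Path

# 1. Break inheritance. The second argument ($false) discards the ACEs inherited from
#    the volume root instead of copying them as explicit entries.
$acl.SetAccessRuleProtection($true, $false)

# 2. Remove any explicit ACEs that may still be present, so that the result is exactly
#    the list built below (this also covers a leftover CREATOR OWNER or BUILTIN\Users entry).
foreach ($ace in @($acl.Access)) {
    if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
}

# Builds an Allow ACE. 'ThisFolderOnly' = no inheritance flags,
# 'Subtree' = this folder, subfolders and files (ContainerInherit + ObjectInherit).
function New-AllowAce {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [Parameter(Mandatory)][ValidateSet('ThisFolderOnly', 'Subtree')][string]$AppliesTo
    )
    $inherit = if ($AppliesTo -eq 'Subtree') {
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        [System.Security.AccessControl.InheritanceFlags]::None
    }
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# 3. Explicit ACEs. Administrators and SYSTEM get the whole subtree; Authenticated Users
#    only the share root, so that subfolder permissions are granted deliberately via groups.
$acl.AddAccessRule((New-AllowAce 'NT AUTHORITY\SYSTEM'              'FullControl'    'Subtree'))
$acl.AddAccessRule((New-AllowAce 'BUILTIN\Administrators'           'FullControl'    'Subtree'))
$acl.AddAccessRule((New-AllowAce 'AD\FS-Admins'                     'FullControl'    'Subtree'))   # placeholder group
$acl.AddAccessRule((New-AllowAce 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' 'ThisFolderOnly'))

Set-Acl -Path $Path -AclObject $acl

# 4. Verify: inheritance must be off and neither CREATOR OWNER nor BUILTIN\Users may appear.
$check = Get-Acl -Path $Path
"Inheritance disabled: $($check.AreAccessRulesProtected)"
$check.Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited |
    Format-Table -AutoSize
```

The "Authenticated Users" entry deliberately carries no inheritance flags, which is what "This folder only" means in the Explorer dialog; the InheritanceFlags column of the final listing should show "None" for that row and "ContainerInherit, ObjectInherit" for the administrative entries.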
Once the NTFS permissions have been adjusted and corrected, the folder can be shared and the file share created.
Create File Shares and set up Share Permissions
On Windows servers, file shares can be created in several ways. As a rule, most administrators use Windows Explorer to create file shares directly.
Creation via Windows Explorer
To create the share via Windows Explorer, open the folder's Properties, switch to the "Sharing" tab and click "Advanced Sharing".
Opening the advanced sharing settings
Check the "Share this folder" box and assign a share name.
Note
For security reasons, a "$" character should be appended to the end of the share name. This makes the share hidden, i.e. it is not displayed when browsing the server or by "net view". Note that this only keeps the share out of browse lists ("net view \\server /all" still shows it); it is not an access control and does not replace correct share and NTFS permissions.
Sharing and naming the file share
Subsequently, the share permissions have to be assigned. It is recommended to grant "Full Control" to administrators and "Change" to users at the share level; the effective access is then restricted by the more granular NTFS permissions. In any case, the default object "Everyone" must not be present in the share permissions!
Recommended share permissions
If you want to make sure that users only see the folders and files in the file share that they have permission to read, you need to enable the access-based enumeration (ABE) feature. ABE is a property of the share, not of Windows Explorer; the option to enable it can be found in Server Manager ("File and Storage Services" – "Shares").
Activation of ABE via the Server Manager
Creation via PowerShell
To create the share via PowerShell, the folder must already exist, and the NTFS permissions should already have been adjusted (see "Adjustment of NTFS Permissions").
Then start a PowerShell session and issue the following command:
New-SmbShare -Name 'Share$' -Path 'E:\Share' -FullAccess 'AD\Domain Admins' -ChangeAccess 'NT AUTHORITY\Authenticated Users' -FolderEnumerationMode AccessBased
Creation of the file share via PowerShell
This shares the previously created folder, assigns the share permissions and enables ABE in a single step. (Single quotes are used around the share name so that the trailing "$" is never mistaken for the start of a variable.)
Further options are available via PowerShell. On a failover cluster, the share can be made continuously available (transparent failover) by appending the switch "-ContinuouslyAvailable $true" to the above command; note that this only works for a share on a clustered file server. Another useful switch is "-EncryptData $true", which enforces SMB 3 encryption for the share. Be aware that clients which do not support SMB 3 encryption are then refused access unless unencrypted access is explicitly permitted at the server level ("Set-SmbServerConfiguration -RejectUnencryptedAccess $false"), which in turn weakens the setting.
Especially if you need to create multiple file shares, the PowerShell route is recommended, because the parameters are explicit and the procedure is repeatable.
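The multi-share case, as an added PowerShell example that is not part of the original article: several hidden shares are created from one definition list with ABE and SMB encryption, continuous availability is only requested when the cluster service is actually running, and a folder is refused if it does not exist or still inherits the NTFS permissions of the volume root. The folder paths, share names and the group "AD\FS-Admins" are placeholders for this illustration.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on the file server.
# Definition list (constructed for this illustration): one entry per share to publish.
$Shares = @(
    @{ Name = 'Share$';    Path = 'E:\Share'    }
    @{ Name = 'Projects$'; Path = 'E:\Projects' }
    @{ Name = 'HR$';       Path = 'E:\HR'       }
)
$AdminGroup = 'AD\FS-Admins'                       # placeholder admin group
$UserGroup  = 'NT AUTHORITY\Authenticated Users'

# -ContinuouslyAvailable only works on a clustered file server. Heuristic: request it
# only when the Cluster Service is running on this node instead of hard-coding it.
$OnCluster = (Get-Service -Name ClusSvc -ErrorAction SilentlyContinue).Status -eq 'Running'

foreach ($s in $Shares) {
    if (-not (Test-Path -Path $s.Path -PathType Container)) {
        Write-Warning "$($s.Path) does not exist, skipping $($s.Name)"
        continue
    }
    # Refuse to publish a folder whose NTFS ACL still inherits the volume defaults
    # (see "Adjustment of NTFS Permissions").
    if (-not (Get-Acl -Path $s.Path).AreAccessRulesProtected) {
        Write-Warning "$($s.Path) still inherits NTFS permissions, skipping $($s.Name)"
        continue
    }
    # Make the script safe to re-run.
    if (Get-SmbShare -Name $s.Name -ErrorAction SilentlyContinue) {
        Write-Host "$($s.Name) already exists, skipping"
        continue
    }

    $params = @{
        Name                  = $s.Name
        Path                  = $s.Path
        FullAccess            = $AdminGroup
        ChangeAccess          = $UserGroup           # never "Everyone"
        FolderEnumerationMode = 'AccessBased'        # ABE: hide folders the user cannot read
        EncryptData           = $true                # SMB 3 encryption on the wire
    }
    if ($OnCluster) { $params['ContinuouslyAvailable'] = $true }

    New-SmbShare @params | Out-Null
    Write-Host "Created $($s.Name) -> $($s.Path)"
}

# Show what was published (administrative shares such as C$ or ADMIN$ are "special" and excluded).
Get-SmbShare -Special $false |
    Select-Object Name, Path, FolderEnumerationMode, EncryptData, ContinuouslyAvailable |
    Format-Table -AutoSize
```

Splatting the parameters into a hashtable is what makes the conditional "-ContinuouslyAvailable" clean: the key is only added when it is valid, so the same script runs unchanged on a standalone server and on a cluster node.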
Tips for Creating File Shares
When creating file shares, keep the following tips in mind to avoid misconfigurations:
- Use short share names
- Create the share hidden by appending a "$" sign to the name (this hides it from browse lists only; it is no substitute for correct permissions)
- Do not use the "Everyone" object in the share permissions under any circumstances
- Enable access-based enumeration to hide folders the user has no permissions on
- Use PowerShell to create multiple file shares; this keeps the effort to a minimum and makes the configuration repeatable
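The tips above are easy to state and easy to lose track of on a server with dozens of shares. The following audit script is an added example that is not part of the original article: it walks every non-administrative share on the server, checks the share name, the share permissions, ABE and SMB encryption, and also looks at the NTFS side of the shared folder (inheritance, CREATOR OWNER), reporting every deviation per share. The 15-character threshold for a "short" name is an assumption made for this check and can be changed.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on the file server.
function Test-SmbShareHygiene {
    [CmdletBinding()]
    param(
        [int]$MaxNameLength = 15   # assumption: what counts as a "short" share name here
    )

    # Administrative shares (C$, ADMIN$, IPC$ ...) are "special"; they were not published by us.
    foreach ($share in Get-SmbShare -Special $false) {
        $findings = [System.Collections.Generic.List[string]]::new()
        $access   = Get-SmbShareAccess -Name $share.Name

        if ($share.Name -notlike '*$') {
            $findings.Add('share is not hidden (no trailing $)')
        }
        if ($share.Name.Length -gt $MaxNameLength) {
            $findings.Add("share name longer than $MaxNameLength characters")
        }
        $everyone = $access | Where-Object {
            $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow'
        }
        if ($everyone) {
            $findings.Add('"Everyone" is granted share permissions')
        }
        if ($share.FolderEnumerationMode -ne 'AccessBased') {
            $findings.Add('access-based enumeration is disabled')
        }
        if (-not $share.EncryptData) {
            $findings.Add('SMB encryption is disabled')
        }

        # Share permissions are only half of the picture: check the NTFS ACL of the folder too.
        if (Test-Path -LiteralPath $share.Path -PathType Container) {
            $acl = Get-Acl -LiteralPath $share.Path
            if (-not $acl.AreAccessRulesProtected) {
                $findings.Add('NTFS inheritance on the shared folder is still enabled')
            }
            $creatorOwner = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' }
            if ($creatorOwner) {
                $findings.Add('CREATOR OWNER is present in the NTFS ACL')
            }
        } else {
            $findings.Add('shared path does not exist on this server')
        }

        $summary = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' }
        [pscustomobject]@{
            Name     = $share.Name
            Path     = $share.Path
            Findings = $summary
        }
    }
}

# Report every share; filter with "| Where-Object Findings -ne 'OK'" to see only the deviations.
Test-SmbShareHygiene | Format-Table -AutoSize -Wrap
```

Because the function emits objects rather than text, the report can be exported ("| Export-Csv") or run against many servers via "Invoke-Command" without changing the check itself.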
About the Author
Christoph Schulze is a Senior Consultant at permSECURE. He has been designing and supporting file server projects and helping customers to optimise their authorisation concepts since 2011.