Security Recommendations for Shared Resources
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
When you create a new shared resource, offline access (client-side caching) is permitted by default, so files from a share that you consider sensitive can end up cached on potentially unsecured computers. Set appropriate permissions by using share permissions or access control on the NTFS file system, and turn off offline caching on shares that hold sensitive data.
Assigning permissions to groups, not to user accounts
Assigning permissions to groups simplifies the management of shared resources because you can then add users to or remove them from the groups without having to reassign permissions. To deny all access to a shared resource, deny the Full Control permission; because an explicit Deny overrides any Allow entry, reserve it for cases where a group would otherwise gain access through another group membership, and otherwise simply grant the group no permission on the share.
Assigning the most restrictive permissions that still allow users to perform required tasks
For example, if users only need to read information in a folder, and they will never delete, create, or change files, assign the Read permission.
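The following is an added example, not code from the original article: it creates a share whose share-level permission is granted to a domain group rather than to individual users, at the most restrictive level that still does the job (Read), with Administrators kept at Full Control and offline caching turned off. The path D:\Shares\Finance, the share name Finance and the group CONTOSO\Finance-Readers are hypothetical placeholders. It uses the WMI Win32_Share class and Windows PowerShell 2.0 syntax and must run as a local administrator on the server.

```powershell
# Added example: create a share with group-based, least-privilege share permissions.
# All names below are hypothetical placeholders.
$sharePath = 'D:\Shares\Finance'          # hypothetical folder
$shareName = 'Finance'                    # hypothetical share name
$readers   = 'CONTOSO\Finance-Readers'    # hypothetical domain group

# Share permission access masks as set by the Shared Folders snap-in
$ShareRead   = 0x1200A9
$ShareChange = 0x1301BF
$ShareFull   = 0x1F01FF

function New-ShareTrustee {
    param([string]$Account)   # DOMAIN\Name or BUILTIN\Name
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $sidBytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($sidBytes, 0)
    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $domain, $name = $Account -split '\\', 2
    $trustee.Domain = $domain
    $trustee.Name   = $name
    $trustee.SID    = $sidBytes
    $trustee
}

function New-ShareAce {
    param([string]$Account, [int]$AccessMask, [switch]$Deny)
    $ace = ([wmiclass]'Win32_ACE').CreateInstance()
    $ace.Trustee    = New-ShareTrustee $Account
    $ace.AccessMask = $AccessMask
    $ace.AceFlags   = 0          # share ACLs are flat; no inheritance flags
    # AceType 1 = access denied. A Deny entry overrides every Allow for the same
    # trustee, which is why the article says to use it only to override existing grants.
    if ($Deny) { $ace.AceType = 1 } else { $ace.AceType = 0 }
    $ace
}

# Build the share DACL: readers get Read only, Administrators keep Full Control.
$aces = @(
    (New-ShareAce $readers $ShareRead),
    (New-ShareAce 'BUILTIN\Administrators' $ShareFull)
)
$sd = ([wmiclass]'Win32_SecurityDescriptor').CreateInstance()
$sd.DACL = @($aces | ForEach-Object { $_.PSObject.BaseObject })
$sd.ControlFlags = 4             # SE_DACL_PRESENT

if (-not (Test-Path $sharePath)) { New-Item -ItemType Directory -Path $sharePath | Out-Null }

# Win32_Share.Create(Path, Name, Type, MaximumAllowed, Description, Password, Access); Type 0 = disk
$result = ([wmiclass]'Win32_Share').Create($sharePath, $shareName, 0, $null, 'Finance documents', $null, $sd)
if ($result.ReturnValue -ne 0) { throw "Win32_Share.Create failed with return code $($result.ReturnValue)" }

# Offline access is allowed by default on a new share; turn it off for this one.
net share "$shareName" /CACHE:None

# Show the share-level DACL that is now in effect.
$setting = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$shareName'"
$setting.GetSecurityDescriptor().Descriptor.DACL |
    ForEach-Object { '{0}\{1}  AceType={2}  Mask=0x{3:X}' -f $_.Trustee.Domain, $_.Trustee.Name, $_.AceType, $_.AccessMask }
```

The share permission alone is not the whole story: network users are also subject to the NTFS permissions on D:\Shares\Finance, and the more restrictive of the two applies, so the folder's NTFS ACL must be set as well (see the NTFS section below).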
Centralizing the administration of shared resources
On domain-joined computers (including clients running Windows XP Professional), allow access to shared resources by using domain user accounts and groups, instead of by using local user accounts. This centralizes the administration of share permissions in Active Directory rather than in each computer's local account database.
Avoid explicitly denying permissions on a shared resource unless you need to override specific permissions that are already assigned. An explicit Deny entry takes precedence over every Allow entry, including those a user receives through group membership, so a misplaced Deny locks out users you meant to admit.
Using NTFS file system permissions or access control on shared resources
Use NTFS file system permissions and access control if users log on locally to access shared resources (for example, through Terminal Services). Share permissions apply only to users who access shared resources over the network; they do not apply to users who log on locally. When a user reaches a folder on an NTFS volume over the network, both sets of permissions are evaluated and the more restrictive one determines what the user can do.
Organizing resources for objects with similar security requirements
Organize resources so that objects with the same security requirements are located in the same folder. For example, if users require Read permissions for several application folders, store the application folders in the same parent folder. Then, share the parent folder, instead of each individual application folder. If you need to change the location of an application, you might need to reinstall it.
Limiting membership in Administrators group
To enable administrators to manage application software and to control user rights, limit membership in the Administrators group, and assign Full Control permissions to that group.
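The following is an added example, not code from the original article: it sets NTFS permissions on the shared folder so that the same restrictions apply to users who log on locally (for example through Terminal Services) as to network users, and it gives the Administrators group, rather than individual administrator accounts, Full Control. Inheritance from the parent folder is cut so that only the entries set here apply; SYSTEM is re-added so that services and backup keep working. The path D:\Shares\Finance and the group CONTOSO\Finance-Readers are hypothetical placeholders.

```powershell
# Added example: least-privilege NTFS ACL for a shared folder. Names are hypothetical.
$folder  = 'D:\Shares\Finance'          # hypothetical folder
$readers = 'CONTOSO\Finance-Readers'    # hypothetical domain group

function Set-LeastPrivilegeNtfsAcl {
    param([string]$Path, [string]$ReaderGroup)
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent; $false drops the inherited entries instead of copying them.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove any explicit entries that were already present so only the ones below remain.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }

    # Readers: Read & Execute only. Administrators and SYSTEM: Full Control.
    $entries = @(
        @{ Id = $ReaderGroup;             Rights = 'ReadAndExecute' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
    )
    foreach ($e in $entries) {
        $rights = [System.Security.AccessControl.FileSystemRights]$e.Rights
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $e.Id, $rights, $inherit, $propagate, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

Set-LeastPrivilegeNtfsAcl -Path $folder -ReaderGroup $readers

# Review the result: three explicit entries, none inherited.
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

With the share permission set to Read and the NTFS permission set to Read & Execute, a network user in the group ends up with read-only access by either path; a local logon to the server is governed by the NTFS entries alone.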
Creating a strong password
To keep drives secure, make sure that you use a strong password for all accounts. A strong password has the following characteristics:
Is at least seven characters long.
Does not contain your user name, real name, or company name.
Does not contain a complete dictionary word.
Is significantly different from previous passwords and does not contain incremental numbers or letters — such as Password1, Password2, Password3 or PasswordA, PasswordB, and so on.
Contains characters from each of the following four groups: upper case letters, lower case letters, numerals, and symbols. An example of a strong password is J*p2leO4>F; do not use this or any other published example as an actual password.
You can use Group Policy to enforce password complexity requirements. You can configure the Password must meet complexity requirements security setting by selecting the appropriate GPO and expanding the console tree: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy. Two caveats apply. First, for domain accounts the password policy is read only from GPOs linked at the domain level (by default, the Default Domain Policy); the same settings in a GPO linked to an organizational unit affect only the local accounts on the computers in that OU. Second, the built-in complexity filter requires characters from only three of the four groups listed above and a minimum of six characters, so also set Minimum password length to at least 7 to enforce the recommendation. For more information about password policy, see "Apply or modify password policy" in Help and Support Center for Windows Server 2003.
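The following is an added example, not code from the original article: it verifies that the password policy in effect on a server matches the recommendations above. On Windows Server 2003 the effective account policy can be exported with secedit, which writes an INF file whose [System Access] section holds the password settings; the functions below parse that section and report deviations. The INF text embedded here is constructed sample output (showing a server still at insecure defaults) so the check runs offline; on a real server, export the policy as shown in the comment and feed that file in instead.

```powershell
# Added example: audit the exported local security policy against the article's recommendations.

function Get-SystemAccessSettings {
    # Parse the [System Access] section of a secedit INF export into a hashtable.
    param([string[]]$InfLines)
    $settings  = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($matches[1] -eq 'System Access'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        $name, $value = $t -split '\s*=\s*', 2
        $settings[$name] = $value
    }
    $settings
}

function Test-PasswordPolicy {
    # Return one finding per setting that falls short of the recommendations above.
    param([hashtable]$Settings)
    $findings = @()
    if ([int]$Settings['MinimumPasswordLength'] -lt 7) {
        $findings += "MinimumPasswordLength is $($Settings['MinimumPasswordLength']); at least 7 is recommended"
    }
    if ($Settings['PasswordComplexity'] -ne '1') {
        $findings += 'PasswordComplexity is 0; enable "Password must meet complexity requirements"'
    }
    if ([int]$Settings['PasswordHistorySize'] -lt 1) {
        $findings += 'PasswordHistorySize is 0; keep a history so previous passwords cannot be reused'
    }
    $findings
}

# Real export (run as an administrator; the file is UTF-16, which Get-Content reads correctly):
#   secedit /export /cfg "$env:TEMP\secpol.inf"
#   $lines = Get-Content "$env:TEMP\secpol.inf"
# Constructed sample standing in for that export:
$lines = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

$findings = Test-PasswordPolicy (Get-SystemAccessSettings $lines)
if ($findings.Count -eq 0) { 'Password policy meets the recommendations.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

After changing the GPO, run gpupdate /force on the server and export again; the findings list should be empty. Because the export reflects the policy actually applied, this also catches the case where the settings were placed in an OU-linked GPO and never reached the domain accounts.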
Using a firewall
To protect shared resources from unauthorized Internet access, use a firewall. File and printer sharing uses TCP ports 139 and 445 (and UDP 137 and 138 for NetBIOS name and datagram services); block these at the network perimeter, and on Windows Server 2003 with SP1 or later, use Windows Firewall on the server itself to restrict the File and Printer Sharing exception to internal addresses. For more information about making shared resources more secure, see "Securing shared resources" in Help and Support Center for Windows Server 2003.
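The following is an added example, not code from the original article: it uses the netsh firewall context available in Windows Server 2003 SP1 and SP2 to turn Windows Firewall on and to limit the File and Printer Sharing exception (TCP 139/445, UDP 137/138) to the internal network, so the share stays unreachable from the Internet even if a perimeter device is misconfigured. The subnet 10.1.0.0/255.255.0.0 is a hypothetical placeholder; run this from an administrator PowerShell prompt on the server.

```powershell
# Added example: scope the File and Printer Sharing firewall exception to the internal subnet.
$internalSubnet = '10.1.0.0/255.255.0.0'   # hypothetical internal network

function Set-FileSharingFirewallScope {
    param([string]$Addresses)
    # Ensure the firewall is on for every profile (it is off by default on Server 2003 SP1).
    netsh firewall set opmode mode=enable exceptions=enable profile=all
    if ($LASTEXITCODE -ne 0) { throw 'netsh could not enable Windows Firewall' }

    # Weak setting, which exposes SMB to every source address:
    #   netsh firewall set service type=fileandprint mode=enable scope=all
    # Corrected setting: allow the exception only from the listed addresses.
    netsh firewall set service type=fileandprint mode=enable scope=custom addresses=$Addresses profile=all
    if ($LASTEXITCODE -ne 0) { throw 'netsh could not scope the File and Printer Sharing exception' }
}

Set-FileSharingFirewallScope -Addresses $internalSubnet

# Review: the service should list Scope: Custom with only the internal addresses.
netsh firewall show service
netsh firewall show opmode
```

Test from a host outside the listed range that a connection to TCP 445 on the server now fails, and from an internal host that the share still opens; the host firewall complements, and does not replace, the perimeter firewall.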