Best practices for Shared Folders
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
- Assigning permissions to groups simplifies management of shared resources, because you can then add users to or remove them from the groups without having to reassign permissions. To deny all access to a shared resource, deny the Full Control permission.
- For example, if users need only to read information in a folder, and they will never delete, create, or change files, assign the Read permission.
If users log on locally to access shared resources, such as on a terminal server, set permissions by using NTFS file system permissions or access control.
- Share permissions apply only to users who access shared resources over the network; they do not apply to users who log on locally. For this situation, use NTFS and access control. For more information, see Set, view, change, or remove permissions on files and folders.
Organize resources so that objects with the same security requirements are located in the same folder.
- For example, if users require the Read permission for several application folders, store the application folders in the same parent folder. Then, share the parent folder, rather than sharing each individual application folder. Note that if you need to change the location of an application, you may need to reinstall it.
- Organizing all applications in one shared folder simplifies administration, because there is only one location for installing and upgrading software.
To prevent problems with accessing network resources, do not deny permissions to the Everyone group.
- The Everyone group includes anyone who has access to network resources, including the Guest account, with the exception of the Anonymous Logon group. For more information, see Default security settings for groups and Differences in default security settings.
- It is usually necessary to explicitly deny permissions only when you want to override specific permissions that are already assigned.
- This enables administrators to manage application software and to control user rights.
- The Everyone group includes anyone who has access to network resources, including the Guest account. In most cases, do not change this default unless you want users to be able to make changes to the files and objects in the shared resource. For more information about share permissions, see Share permissions.
- On computers running Windows XP Professional that are connected to a domain, grant access to shared resources through domain user accounts, rather than through local user accounts. This centralizes the administration of share permissions.
- With centralized data folders, you can manage resources and back up data easily.
- This ensures that the shared resources can be easily recognized and accessed by users and all client operating systems.
- A firewall protects shared resources from access through the Internet. In Windows XP and in the Windows Server 2003 family, you can take advantage of new firewall capabilities. For more information, see Internet Connection Firewall. Computers running Windows XP with Service Pack 2 (SP2) and computers running Windows Server 2003 with Service Pack 1 (SP1) use Windows Firewall instead of Internet Connection Firewall. For more information, see Help: Windows Firewall.
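
How share permissions, NTFS permissions and an explicit deny on the Everyone group combine, as an added example that is not part of the original page. It is a simplified Python model: rights are plain sets, NTFS permissions are reduced to the same three levels as share permissions, network access is treated as the rights that both the share and NTFS allow, and the account and group names (alice, bob, Users, AppAdmins) are constructed.

```python
# Simplified model, constructed for illustration: not a Windows API.
READ = frozenset({"read"})
CHANGE = READ | {"write", "delete"}
FULL_CONTROL = CHANGE | {"change_permissions", "take_ownership"}


def granted(acl, principals):
    """Union of allowed rights minus union of denied rights (deny wins)."""
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in principals:
            (denied if kind == "deny" else allowed).update(rights)
    return allowed - denied


def effective_access(user, groups, share_acl, ntfs_acl, over_network):
    """Rights a user ends up with on a shared folder."""
    # Every account modelled here is a member of Everyone
    # (the page excepts only the Anonymous Logon group).
    principals = {user, "Everyone"} | set(groups)
    ntfs = granted(ntfs_acl, principals)
    if not over_network:
        return ntfs  # share permissions are not evaluated for local logons
    return ntfs & granted(share_acl, principals)  # both layers must allow it


# Constructed sample ACLs: (principal, "allow" or "deny", rights)
SHARE_ACL = [("Everyone", "allow", READ), ("AppAdmins", "allow", FULL_CONTROL)]
NTFS_ACL = [("Users", "allow", CHANGE), ("AppAdmins", "allow", FULL_CONTROL)]
# Same share with a deny on Everyone added: it overrides every allow entry.
LOCKED_SHARE_ACL = SHARE_ACL + [("Everyone", "deny", FULL_CONTROL)]

if __name__ == "__main__":
    cases = [
        ("alice over network", "alice", ["Users"], SHARE_ACL, True),
        ("alice logged on locally", "alice", ["Users"], SHARE_ACL, False),
        ("bob (admin) over network", "bob", ["AppAdmins"], SHARE_ACL, True),
        ("bob after deny on Everyone", "bob", ["AppAdmins"], LOCKED_SHARE_ACL, True),
    ]
    for label, user, groups, share_acl, net in cases:
        rights = effective_access(user, groups, share_acl, NTFS_ACL, net)
        print(f"{label:30} -> {sorted(rights) or 'no access'}")
```

The second case shows why a terminal server needs NTFS permissions set correctly: the Read-only share permission never applies to alice's local session, so she keeps Change rights on the files.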