Do You Still Hide Your Share$?
|
by Helge Klein on 03/01/2009 | 1 Comments | 5,686 Views
|
Subtitle: Fighting Another Legacy of the NT Era
Hiding network shares by appending a dollar sign is a common practice among administrators. While by itself that is neither good nor bad, it is a perfect example of how customs establish themselves in the IT industry in exactly the same way they do in other subcultures. Putting it differently, another fine specimen of an IT legend.
Although I would very much like to, I cannot provide a history of how and when the dollar share custom got established. What I can say is that when I started my IT career in the late 90s, the custom was already prevalent. "Good" administrators hid their shares, whilst "bad" or careless admins did not. It has been a source of pride for many an administrator (including myself for a long time) to have an "invisible" network. The benefits? Apart from feeling good about running a tight ship, security (apparently) is guaranteed and end users do not get confused by the myriad of shares.
Security...
Do you still think dollar shares are hidden? I myself did until recently when a colleague mentioned that I was very much mistaken, indeed. At first I would not believe him, but I soon realized that filtering of shares is not done at the (file) server, but at the client.
What? The client?!!
If there is one golden rule in security, it is this: "Never trust the client". Sending information to the client it is not supposed to see is a no-go.
But then, not everybody adheres to this simple principle. Or knows about it. The dollar share issue probably dates back to the LAN Manager days, when security was associated with bodyguards, not IT systems.
...by Obscurity
One way or another, the problem with dollar shares is this: the server always sends a full list of its shares to any client asking for them. It lies in the "responsibility" of the client to filter out the dollar shares. Such a methodology obviously cannot last forever: There are tools out there in the wild, wild net that disrespectfully ignore the etiquette and display all shares returned by the server. One of the more respectable of such tools is by now owned by Microsoft itself, Sysinternals ShareEnum. Another one is even built into the operating system starting with Vista: net view \\computername /all.
Moving on
Using dollar shares obviously is superfluous. It adds a layer of security that is only felt by the administrator but really does not exist.
One open question remains: How to hide unnecessary folders from end users. The answer is simple: Use DFS in conjunction with access-based enumeration (ABE).
References:
- ‹ previous
- 54 of 156
- next ›
+++ Profile Migrator 2 - Ein neuer Desktop, ein frisches Benutzerprofile und alle bewährten Einstellungen und Daten. Jetzt kostenlos und unbefristet testen!
1 responses for "Do You Still Hide Your Share$?" |
Aktuelle Artikel
Über den Autor
  |
Helge Klein IT-Architect Blogs about Windows, Terminal Services and other things |
Most viewed
| 153,894 Views |
Where is the Hosts File on Windows x64? |
| 82,692 Views |
Deleting a Local User Profile - Not as easy as one Might Assume |
| 52,813 Views |
Printer Driver Isolation in Windows 7 and Server 2008 R2 |
Hear, hear! I've been telling
Hear, hear! I've been telling people the same thing for a couple of years now.