It’s been 15 years or more since Microsoft launched Windows NT. No one has used a Windows 3.11 Server in production since Windows 2000 was around.
So why oh why do we still have share permissions in W2K3 and Longhorn? All they do is confuse Administrators and allow for weird security configurations and the problems that come with them. I frequently see mismatched configurations, confusion over remote and local access or confusion over other sharing methods such as HTTP.
There is a small supportive argument or them that goes along the lines of “but what if the NTFS permissions are wrong”. Well, lets look at the failure mechanisms.
1. Attacker has User Account and Password – Share permissions do nothing that NTFS wouldn’t – “All your base are belong to us”
2. NTFS vulnerability found – After this many years, I trust the NTFS ACL’s far more than I trust the Share Permission controls.
3. Mis-configuration of NTFS Permissions – This is generally due to an inadequate design for management of the user groups and permissions. If your change control is inadequate, Share Permissions are not going to save you. I’m working on a paper at the moment to smooth this problem out.
Microsoft, please get rid of them, they are a legacy solution that confuses many administrators.
In the meantime – Share Permission – EVERYONE FULL CONTROL