As the sensitivity and confidentiality of an IT environment increases, so does the need to restrict user's capabilities...
in the area of sharing or distributing data. Once information disclosure becomes a significant issue for an enterprise, the ability to share folders from a client should be categorically revoked.
Windows 2000, XP, and .NET systems all grant users the ability to share resources they own. However, with group policy objects distributed by Active Directory, you can prune this capability away from users.
The controls to manage a user's ability to share resources are found in the User Configuration section of a GPO. The controls reside in the Administrative Templates, Shared Folders section.
The Allow shared folders to be published control, when disabled, turns off the ability of users to publish a folder to the network.
The Allow DFS roots to be published control determines whether users can publish their own DFS roots through Active Directory. In effect, by disabling this control, you prevent users from sharing files through DFS.
By disabling both of these controls, you will have effectively prevented users from sharing resources from their clients with other clients on the network. These controls are a significant step in the right direction for maintaining data confidentiality by limiting data disclosure and access. After you disable these controls, only administrators (or those users to whom you choose not to apply these controls) have exclusive capability to share resources. In most cases, you'll limit the sharing of resources to centrally managed systems, such as file servers.
Michael is a partner of ITinfo Pros, Inc., a technology-focused writing and training organization.