$ is Stupid

A common and pervasive practice in Windows administration is to add a dollar sign ($) to the end of share names. The popular reasoning for this is that it hides the share, making it unavailable to users. This is false.

I liken this practice to cubicles which give you a false sense of privacy. You see three and a half walls around you and think that you are in your own, private little world. That is until you turn around (or look into your cubicle mirror) and see your co-worker or boss standing in your cubicle’s doorway waiting for you to notice them. Or you overhear the person in the cubicle next to you talking on the phone to their doctor, or fighting with their [hopefully] significant other, or having whatever conversation that you really didn’t want to hear (and now can’t unhear). Or the tall guy in the office (like me) looks over the cubicle wall to ask a question. Or a myriad of other possibilities that all shatter your illusion of privacy, distract you, and prevent you from being productive.

This is in fact no different than the $ at the end of a share name. The only thing this does is tell Windows Explorer not to display the shared folder in a list of shares on a system. It in no way truly hides the share or prevents users from finding or using it. Users can still type in the share name or use another tool that doesn’t care about the trailing $ to browse to the folder. Thus, you haven’t truly hidden anything by adding the $, and all you are doing is fooling yourself.

If you need privacy and security, put the proper NTFS permissions on folders that you share. Hint: you *always* need security. Hint #2: Use NTFS permissions and not share permissions to fully lock down folders that are shared.

If you truly need to restrict the list of shared folders shown in a list, do it the right way: use Access Based Enumeration (ABE).
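The following audit is an added example, not part of the original post: it lists user-created shares whose names end in $ and shows what actually protects them, namely the NTFS ACL, the share permissions, and whether ABE is on. It assumes the SmbShare module (Windows 8 / Server 2012 or later) and an elevated session on the file server; the list of "broad" principals is an assumption to adjust for your environment.

```powershell
# Added example: audit user-created shares whose name ends in '$'.
# Assumption: these principals count as "everyone can get in"; adjust as needed.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

Get-SmbShare |
    # Skip built-in administrative shares (ADMIN$, C$, IPC$) and pathless shares.
    Where-Object { $_.Name -like '*$' -and -not $_.Special -and $_.Path } |
    ForEach-Object {
        $share = $_

        # NTFS ACL on the shared folder: this is what really gates access.
        $ntfsBroad = (Get-Acl -LiteralPath $share.Path).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $broad -contains $_.IdentityReference.Value
            }

        # Share-level permissions, reported for completeness.
        $shareBroad = Get-SmbShareAccess -Name $share.Name |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $broad -contains $_.AccountName
            }

        [pscustomobject]@{
            Share            = $share.Name
            Path             = $share.Path
            # AccessBased means ABE is enabled; Unrestricted means it is not.
            ABE              = $share.FolderEnumerationMode
            NtfsBroadAccess  = ($ntfsBroad | ForEach-Object {
                                   "$($_.IdentityReference): $($_.FileSystemRights)"
                               }) -join '; '
            ShareBroadAccess = ($shareBroad | ForEach-Object {
                                   "$($_.AccountName): $($_.AccessRight)"
                               }) -join '; '
        }
    }
```

A share that shows up here with a non-empty NtfsBroadAccess column has been hidden rather than secured. ABE can be turned on for a share with `Set-SmbShare -Name <share> -FolderEnumerationMode AccessBased`.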

In the context of System Center Configuration Manager (ConfigMgr), I see folks using the trailing $ to hide source folders. This usually just ends up being a huge annoyance because no one remembers what this share name is and so it has to be looked up every time you create a new package or application. Of course, another major annoyance is having a separate shared folder for each different content type — that just makes no sense. Create one, top-level shared folder with sub-folders for organizational purposes; for more on this, see my post on ConfigMgr Folder Structure.

Note

If no user or administrator will ever access the shared folder directly, then using a trailing $ makes sense. For example, some of the shared folders that ConfigMgr creates use a trailing $ because only ConfigMgr itself uses or should ever use them.

Avoid annoyances and follow the KISS principle (keep it simple, stupid): just get rid of the $ and lock the folder down the way it should be.

3 Comments

  1. I use it specifically for anything that is automated. It can write and I can read. Anything a human doesn’t need to interact with should be hidden. Kind of like hidden folders in Windows. Not secure, just not visible.

    I agree that most people think it’s secure though – too bad smb-enum-shares chews through that in a couple of seconds.

  2. Great article (and funny).