September 2nd, 2005, 06:23 PM
Finding Rogue SMB File Shares On Your Network
Finding Rogue SMB File Shares On Your Network
See the video supplement to this article here:
see this article with the images here:
Description of the problem
A "Rogue File Share" is a network accessible file space that a user or application creates, sometime unintentionally, that has lax permissions and may offer access to files that should be more closely guarded. For those who have read my "Information Security in Campus and Open Environments" article some of this information will be old hat. While some parts of that previous writing will be repeated here, this article will go into far greater detail about rogue file Shares, how to detect them and how to prevent them. I'll just be covering SMB (Server Message Block) file shares as used by MS Windows networking and the *nix package Samba but some of the concepts may apply to other network files systems.
In environments where most of the users are administrators on their own computers rogue file shares are fairly common. Here are two quick scenarios to give you a better grasp of how rogue file share may be created. Scenario 1: Someone in the office decides to share some office records on their computer with fellow employees, but unintentionally end up sharing them with everyone on the network including some who should not be able to view the information. Scenario 2: A user sets up his laptop so that he can easily copy files to and from his desktop PC while he is at home, but because of weak file and share permissions people at the university campus or the local coffee bar he frequents can also easily read/modify/delete his files.
Most problems with rogue file shares are caused by users who don't know how to secure their shares properly and just go with the default settings. When a share is created, by default, Windows 2000 gives the Everyone group full Read and Write access to shares, and Windows XP gives just Read to the Everyone group. To give an example of how bad this can be, let’s assume a secretary in one of the offices wants to share a database of student names, Social Security Numbers, and addresses with others in the office. She simply right clicks on the folder she wants to share and takes all of the defaults. Now one of the students is poking around on the network to see what computers are out there and what shares they can get into. They could just be curious, or they could be looking for other students who have shared out their MP3 and movie collections off of their laptops or dorm computers (Not that I've ever looked for such things ). They may just browse around using Network Neighborhood, or use an automated tool like Legion or SoftPerfect's NetScan to find all of the network shares available to them in a certain IP range. While looking around, the student comes across a share called “Student Database”; two guesses what kind of information is in it.
Odd and Arcane things to keep in mind
When it comes to Microsoft Windows's file sharing, its default settings, and their ramifications there are a lot of little arcane factoids you might want to keep in mind. This is a list of but a few of them. How things work with different versions of Windows varies quite a bit, and this section will mostly cover Windows XP Professional since that's what I have. Please email me anything else you think should go in this section.
Who belongs to the Everyone group is a bit of a tricky question. The local Guest account belongs to Everyone (in fact, it is the only group that Guest belongs to) as well as any authenticated users. If HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous is set to 1 (the default is 0) it may also include null sessions, but I'm still not sure of this. By default on a Windows XP box not in a domain Simple file sharing is on (this can be changed in Local Security Policy under Administrative Tools), meaning that only guests can connect and the interface for setting up file and share permissions isn't very granular (See the figures below) .
The figure above shows the Security Policy setting you may want to tweak; notice that "Network Access: Sharing and security" is set to "Guest Only" (the default when not a part of a Domain), meaning that all network file access to the box will use the built-in Guest account. With it set to "Guest Only" the file sharing tab should look something like the following (Right click on a folder and choose "Sharing and Security" to see these panes).
The screen shot above and on the left shows what the the Sharing tab should look like with sharing turned off and in "Guest Only" mode, and the one on the right shows it turned on and with write rights given to Everyone. Notice that the controls do not allow you to set share rights for different users. This is because all network file share access to this box will be using the local Guest account. Also notice that the "Security" tab is missing so you can't set NTFS security permissions either.
Now, if "Network Access: Sharing and security" is set to "Classic" (the default when part of a Domain, or if you just choose to set it that way) thing are a bit different.
With "Network Access: Sharing and security" is set to "Classic" you Sharing and Security tabs should look like the following.
Notice that you are now allowed to set file and share permissions to individual users. If you decide to switch to "Classic" mode you may want to disable the local Guest account, otherwise clients may try to use it to access the share instead of being prompted for a specific user name and password.
Here are a few more bits of minutia for you to digest. If the Everyone group has permissions to a share on a box that's not part of a domain, the Guest account is used to access the shared folders, even if "Classic" mode is set (unless the local Guest account is disabled, in which case the user will be prompted for a username and password). If the Everyone group has permissions to a share on a box that IS part of a domain the Guest account will not be used and the connecting user should be prompted for a username and password.
Sorry if the above seems unclear, but it's hard to come up with a comprehensible way to present this information.
Also, sometime shares may pop up without you expecting them to. Under some conditions XP Home will just share out the ShareDocs folder to Everyone, and some versions of Visual studio will automatically create a share called wwwroot$ with read/write permissions given out to everyone. Also, certain admin shares (ADMIN$, C$ for the local C: drive, D$ for the local D: drive and so on) are automatically shared out to the local Administrators group by default. The only real way to be sure of what shares are open is to look for them.
One final factoid; if a computer is part of a domain, shares with access given to the Everyone group can be accessed by any user authenticated to the domain, but not by just a user logged into his computer with a local account (unless that local account has the same name and password as the box it's trying to connect to).
Thing you can do to control rogue file share
I've related a few scenarios where rogue file shares could be a problem; now it's time for me to give a few suggestion on how to stamp them out. Not all of these suggestions are practical depending on your environment so choose accordingly.
1. Scan your own network for open file shares before someone else does. Besides Legion and NetScan there’s also ShareEnum which can scan for shares by Domain/Workgroup or IP range and report what permissions different groups have to the shares (see notes at the bottom of this page for links to the software). Login and run your scans with an account that should be least privileged (for example, at the campus where I work we would login to a student level account). If you find any rogue file shares go check out the boxes. Check out the video linked at the top of this article to see how to use these tools.
Above is a screen shot of Legion 2.1, recommended by books like Hacking Exposed. It is a bit dated and does not seem to work well on some modern networks with Null sessions turned off.
ShareEnum is pretty good, and can show you what groups have rights to the shares.
SoftPerfect's NetScan is my personal favorite because it's flexible, fast, and you can save out reports of what share it has found. Notice the legend that explains the different icons. NetScan makes it very easy to spot open file shares.
2. Don't let your users have the rights necessary to create network shares. It might be easier to get some Windows applications working by just putting all users in the Administrators Group, but it's not a good idea from a security standpoint.
3. As generally suggested in security circles, if you don't need a service turn it off. In XP go to Settings->Control Panel->Network Connection then right click on the network connection you are using and choose Properties. Uncheck the box next to "File and Printer Sharing for Microsoft Networks" to disable file sharing on that adapter. Repeat those steps for all network adapters you wish to disable file sharing on. You could also go to Settings->Control Panel->Administrative Tools->Services and disable the "Server" service, but this may have unintended side effects.
4. Segment your network to help keep out intruders. For example, if you run a coffee bar that offers WiFi don't have your business computers on the same LAN as your patrons laptops. If you're working on a campus keep the student network separate from the staff/faculty one. If possible block ports 139 and 445 TCP at the borders.
5. As mentioned above, blocking ports 139 and 445 TCP should disable SMB file sharing so tuning on a host based firewall and filtering those ports should do the trick.
If you have any questions, comments or suggestions please feel free to contact me. I'm pretty sure this article will need to be expanded.
Simple Sharing and ForceGuest
Description of the Guest account in Windows XP
Video supplement to this article