-
January 24th, 2008, 01:07 PM
#1
Junior Member
Windows Shares - Everyone Group
Hi All,
Windows users generally make extensive use of file sharing. I wanted to know whether there is any way to remove the "Everyone" group from being listed, which comes by default when creating a file share on Windows XP/2003 machines. Right now when anyone creates shares, the "Everyone" group appears by default, even though with Read permissions. But still, from a security perspective it is not good if someone accidentally shares some sensitive data and forgets to give proper permissions on the user workstations. Can this be done through GPO?
Does anyone have any insights into this one?
Thanks.
-
January 24th, 2008, 01:35 PM
#2
Hi
Yes, it is possible, but undocumented. I actually have never seen
the following on the web.
What you find [1,2] is information about a registry binary called
SrvsvcDefaultShareInfo. This binary defines the default permission
when creating a new share (resp. for all old shares with the
default security descriptor).
What value to use?
Do the following:
1. Create a new share "test" and give it the default permission you want
2. Go to the following registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
and export the binary called "test".
3. Use this value for
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity\SrvsvcDefaultShareInfo
(best way: export/import the key).
4. Set up your GPO accordingly.
As an additional remark: After passing the share-permission, the user still
has to pass the filesystem permissions.
Cheers
[1] http://www.microsoft.com/windowsserv...urity_faq.mspx
(Q: How do I secure file shares on my computer?)
[2] http://www.derkeiler.com/Newsgroups/...5-06/0097.html
Last edited by sec_ware; January 24th, 2008 at 01:40 PM.
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
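A check to run on the exported "test" value before reusing it as SrvsvcDefaultShareInfo, as an added example that is not part of the post above: it decodes the exported binary and reports whether the DACL still grants access to Everyone. It assumes the value is a self-relative Windows security descriptor; the function names and the sample export are constructed for illustration.

```python
import struct

EVERYONE = "S-1-1-0"  # well-known SID of the Everyone group

# Constructed sample in .reg export form (not taken from a real machine):
# DACL = Everyone: Read (0x001200A9), BUILTIN\Administrators: Full (0x001F01FF).
SAMPLE_REG = r'''"test"=hex:01,00,04,80,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,02,00,\
  34,00,02,00,00,00,00,00,14,00,a9,00,12,00,01,01,00,00,00,00,00,01,00,00,00,\
  00,00,00,18,00,ff,01,1f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00'''

def reg_hex_to_bytes(text):
    """Convert the comma-separated hex payload of a .reg export line into bytes."""
    payload = text.split("hex:", 1)[1]
    for junk in ("\\", "\r", "\n", " "):  # line continuations and indentation
        payload = payload.replace(junk, "")
    return bytes(int(b, 16) for b in payload.split(",") if b)

def parse_sid(buf, off):
    """Render the binary SID at buf[off:] as an S-1-... string."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def dacl_entries(sd):
    """Return [(ace_type, mask, sid)] for a self-relative SD, or None if it has no DACL."""
    control, = struct.unpack_from("<H", sd, 2)
    dacl_off, = struct.unpack_from("<I", sd, 16)
    if not control & 0x0004 or dacl_off == 0:  # SE_DACL_PRESENT clear, or NULL DACL
        return None
    ace_count, = struct.unpack_from("<H", sd, dacl_off + 4)
    entries, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_size < 8 or off + ace_size > len(sd):
            raise ValueError("corrupt ACE at offset %d" % off)
        # Only ACCESS_ALLOWED (0) and ACCESS_DENIED (1) ACEs carry the SID right after the mask.
        sid = parse_sid(sd, off + 8) if ace_type in (0, 1) else None
        entries.append((ace_type, mask, sid))
        off += ace_size
    return entries

def grants_everyone(sd):
    """True if Everyone gets in: an allow ACE for S-1-1-0, or no DACL at all."""
    entries = dacl_entries(sd)
    return entries is None or any(t == 0 and sid == EVERYONE for t, _mask, sid in entries)

if __name__ == "__main__":
    print(dacl_entries(reg_hex_to_bytes(SAMPLE_REG)), grants_everyone(reg_hex_to_bytes(SAMPLE_REG)))
```

A descriptor with no DACL is reported as granting Everyone, because Windows treats a missing DACL as unrestricted access.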
-
January 24th, 2008, 04:04 PM
#3
two types of permissions
resource [files etc]
ntfs [users gpo]
I seem to remember MS best practice is to give everyone account access to resource, and use group policy to control access
so that you are only having to consider ONE thread of permissions, not both
because there are things to remember when altering permissions
RSoP [Resultant Set of Policy] tool can quickly determine just what your policies have actually allowed
I posted a thread a little while back, will link later
linking http://antionline.com/showthread.php...477#post934477
but there are other reasons TO remove everyone group
and it isn't just because you are not on a domain
starting to ramble now
better stop
Last edited by foxyloxley; January 24th, 2008 at 04:08 PM.
so now I'm in my SIXTIES FFS
WTAF, how did that happen, so no more alterations to the sig, it will remain as is now
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone
-
January 25th, 2008, 09:09 AM
#4
From a security perspective you shouldn't allow regular users to create shares in the first place.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
January 26th, 2008, 05:20 PM
#5
Junior Member
Thanks a lot for your replies. Excellent.