Results 1 to 5 of 5

Thread: Windows Shares - Everyone Group

  1. #1
    Junior Member
    Join Date
    Jan 2008
    Posts
    1

    Windows Shares - Everyone Group

    Hi All,

    Windows users generally make the extensive use of file sharing. I wanted to know whether there is anyway to remove "Everyone" group being listed which comes by default when creating file sharing on Windows XP/2003 machines. Right now when anyone creates shares, "Everyone" group appears by default even though with Read permissions. But still from security perspective it is not good if someone accidentally shares some sensitive data and forgets to give proper permission on the user workstations. Can this be done through GPO??

    Anyone has any insights into this one?

    Thanks.

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    Yes, it is possible, but undocumented. I actually have never seen
    the following on the web.

    What you find[1,2] are information about a registry binary called
    SrvsvcDefaultShareInfo. This binary defines the default permission
    when creating a new share (resp. for all old shares with the
    default security descriptor).

    What value to use?

    Do the following:
    1. Create a new share "test" and give it the default permission you want
    2. Go to the following registry key
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
    and export the binary called "test".
    3. Use this value for
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity\SrvsvcDefaultShareInfo

    (best way: export/import the key).
    4. Setup you GPO accordingly.


    As an additional remark: After passing the share-permission, the user still
    has to pass the filesystem permissions.


    Cheers





    [1] http://www.microsoft.com/windowsserv...urity_faq.mspx
    (Q: How do I secure file shares on my computer?)
    [2] http://www.derkeiler.com/Newsgroups/...5-06/0097.html
    Last edited by sec_ware; January 24th, 2008 at 01:40 PM.
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  3. #3
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,534
    two types of permissions
    resource [files etc]
    ntfs [users gpo]

    I seem to remember MS best practice is to give everyone account access to resource, and use group policy to control access
    so that you are only having to consider ONE thread of permissions, not both
    because there are things to remember when altering permissions
    RSoP [Resultant Set of Policy] tool can quickly determine just what your policies have actually allowed

    I posted a thread a little while back, will link later

    linking http://antionline.com/showthread.php...477#post934477

    but there are other reasons TO remove everyone group
    and it isn't just because you are not on a domain

    starting to ramble now
    better stop
    Last edited by foxyloxley; January 24th, 2008 at 04:08 PM.
    so now I'm in my SIXTIES FFS
    WTAF, how did that happen, so no more alterations to the sig, it will remain as is now

    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    From a security perspective you shouldn't allow regular users to create shares in the first place.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Junior Member
    Join Date
    Mar 2006
    Posts
    15
    thanks a lot for ur replies. excellent

Similar Threads

  1. August security hotfixes
    By mohaughn in forum Microsoft Security Discussions
    Replies: 1
    Last Post: August 9th, 2005, 07:37 PM
  2. Whats a good stable OS?
    By s3nate in forum Operating Systems
    Replies: 25
    Last Post: July 20th, 2004, 10:32 AM
  3. Windows XP Security Guide (phase two)
    By pooh sun tzu in forum The Security Tutorials Forum
    Replies: 10
    Last Post: March 6th, 2004, 09:54 PM
  4. Windows 2003 Server Vulnerability
    By warl0ck7 in forum Microsoft Security Discussions
    Replies: 7
    Last Post: August 14th, 2003, 12:23 PM
  5. OS History and other info.
    By Remote_Access_ in forum Security Archives
    Replies: 9
    Last Post: January 12th, 2002, 03:02 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •