January 24th, 2008 12:07 PM
Windows Shares - Everyone Group
Windows users generally make the extensive use of file sharing. I wanted to know whether there is anyway to remove "Everyone" group being listed which comes by default when creating file sharing on Windows XP/2003 machines. Right now when anyone creates shares, "Everyone" group appears by default even though with Read permissions. But still from security perspective it is not good if someone accidentally shares some sensitive data and forgets to give proper permission on the user workstations. Can this be done through GPO??
Anyone has any insights into this one?
January 24th, 2008 12:35 PM
Yes, it is possible, but undocumented. I actually have never seen
the following on the web.
What you find[1,2] are information about a registry binary called
SrvsvcDefaultShareInfo. This binary defines the default permission
when creating a new share (resp. for all old shares with the
default security descriptor).
What value to use?
Do the following:
1. Create a new share "test" and give it the default permission you want
2. Go to the following registry key
and export the binary called "test".
3. Use this value for
(best way: export/import the key).
4. Setup you GPO accordingly.
As an additional remark: After passing the share-permission, the user still
has to pass the filesystem permissions.
(Q: How do I secure file shares on my computer?)
Last edited by sec_ware; January 24th, 2008 at 12:40 PM.
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
January 24th, 2008 03:04 PM
two types of permissions
resource [files etc]
ntfs [users gpo]
I seem to remember MS best practice is to give everyone account access to resource, and use group policy to control access
so that you are only having to consider ONE thread of permissions, not both
because there are things to remember when altering permissions
RSoP [Resultant Set of Policy] tool can quickly determine just what your policies have actually allowed
I posted a thread a little while back, will link later
but there are other reasons TO remove everyone group
and it isn't just because you are not on a domain
starting to ramble now
Last edited by foxyloxley; January 24th, 2008 at 03:08 PM.
55 - I'm fiftyfeckinfive and STILL no wiser,
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone
January 25th, 2008 08:09 AM
From a security perspective you shouldn't allow regular users to create shares in the first place.
Experience is something you don't get until just after you need it.
January 26th, 2008 04:20 PM
thanks a lot for ur replies. excellent
By mohaughn in forum Microsoft Security Discussions
Last Post: August 9th, 2005, 07:37 PM
By s3nate in forum Operating Systems
Last Post: July 20th, 2004, 10:32 AM
By pooh sun tzu in forum The Security Tutorials Forum
Last Post: March 6th, 2004, 08:54 PM
By warl0ck7 in forum Microsoft Security Discussions
Last Post: August 14th, 2003, 12:23 PM
By Remote_Access_ in forum Security Archives
Last Post: January 12th, 2002, 02:02 AM