Securing Windows Shares

Securing Windows Shares
by h3r3tic


Purpose

The purpose of this tutorial is to protect you against tactics described in RiOtEr's two posts about netbios hacking:
http://www.antionline.com/showthread...hreadid=228798
http://www.antionline.com/showthread...hreadid=228778
and to give you a better sense of security when sharing files on your home or small office network.
This tutorial is mostly geared toward windows XP pro users. You may also want to check out this post by spools.exe before selecting your passwords:
http://www.antionline.com/showthread...229#post683229

Prior to step one

If you are not on a network and don't need to share files then don't. To disable file sharing right click on "My Network Places" and select properties, then right click on your local area connection and select properties. In the properties you will want to uninstall "Client for Microsoft Networks" and "File and Printer Sharing for Microsoft Networks" if they are installed. You also might want to turn on the XP firewall under the advanced tab, although I recommend using an alternative firewall. If you are going to share items, don't turn on the XP firewall, because I cannot get sharing to work with it on. Instead download and install the free firewall from www.zonelabs.com, They have a trusted zone which you can put all the computers on your network in, which makes for ease of configuration for file sharing.

Step one

The first thing you should do for more security is to disable simple file sharing. To do this open up my computer. In my computer go to the tools menu and select folder options. In folder options click on the view tab. The very last option should be "Use simple file sharing(Recommended)", you will want to uncheck that box to enable advanced file sharing. Then click apply and OK and you are done with step one.

Step two

Next you will want to to set a password for your Administrator and Guest accounts and rename them. To do this right click on my computer and select the option "Manage". In the box that pops up under system tools go to "Local Users and Groups". Select the Users folder and right click on the Administrator account and select "Set Password...". Then type in your selected password and click ok. Next, right click on the Administrator account again, select "Rename", and just type in a hard to guess username. Now do the same thing with the Guest account. You will also want to turn off the Guest account. Do not disable it in computer management or your computer will not function properly. Note that you should have the Guest account off not disabled. The difference is that if the Guest account off it disables local logon with that account, whereas when it is disabled it takes away all logon priviledges including network logon. This doesn't matter though when connecting through the network, because it still uses the Guest account whether it is off or on. You can try disabling it if you want to, but don't blame me if your operating system complains. I think that windows has the Guest account turned off by default, to check go to the control panel. Then click on "User Accounts". In user accounts you should see the account you just renamed in grey, and it should say "Guest account is off" under it. If it is like that you are in good shape if not, you should just be able to click on it and it will give you the option to turn it off.

Step three: Sharing files and assigning permissions

Now that you have advanced file sharing turned on and you are secure, you are going to want to share some files. To do this open up my computer and choose a folder you want shared. Right click that folder and select "Sharing and Security...". In the window that pops up go to the sharing tab and select the circle to "Share this folder". Then give your share a name under "Share name:". Next, click on the permissions button near the bottom of teh window. In the window that pops up there should be a list of Groups and users allowed to access that file. Remove all of them except the user you want to be able to access the share. If the user is not in that list do the following: Click the "Add..." button. Then, click on the "Advanced..." button and click the "Find Now" button. From the list that comes up choose the user you want to have access to the share then click OK then click OK on the other window. Now you should have just added the user you want to have access to the shared folder. One other thing to check, go to start>run. At the run prompt type gpedit.msc. In the group policy editor go to Computer Configurations>Windows Settings>Security Settings>Local Policies>User Rights Assignment. In the user rights assignment the first option should be "Access this computer from the network". Double click that and make sure that you remove "Everyone" from that list if it is there. On mine the only entries I have are as follows:

• Administrators
• Backup Operators
• Power Users
• Users

You may be able to remove some of those but you should be ok with how it is.


Concluding statement

I know that this is just a drop in the bucket when it comes to securing your windows box, but at least it is something. In addition to this, you will want to pick up a firewall and anti-virus software. For anti-virus I recommend AVG from Grisoft, it is free and works pretty well. For a free firewall I only have experience with zonealarm, and it wasn't too bad. for a non-free firewall, I recommend McAfee because it won the roundup on the screensavers. Also, FrameWork highly recommends Sygate, followed by, coming in second place, Outpost.I want to here comments and suggestions about this tutorial, so don't hold back.

Heretic"

Quote:

---

Do not disable it in computer management or your computer will not function properly

---

You confuse me with this statement..... You were referring to the Guest account yet you make that statement. I'm typing right now on a WinXP box with all accounts except the Admin account, (suitably renamed, of course). In fact the only two accounts that have any access to the drive on this box are the renamed admin account and the system account, and it runs just fine..... ;)

I would suggest that if you want to share things in an environment that you don't implicitly trust all the people able to see the share that you disable all accounts except admin and system, set the permissions across the whole drive to those two accounts and create a new account specifically for your "sharer's". Then grant only the rights you want to the folders you want to the new account..... That way you know M$ hasn't allowed a Guest to access something "behind your back"..... ;)

Quote:

---

Originally posted here by Tiger Shark
Heretic"



You confuse me with this statement..... You were referring to the Guest account yet you make that statement. I'm typing right now on a WinXP box with all accounts except the Admin account, (suitably renamed, of course). In fact the only two accounts that have any access to the drive on this box are the renamed admin account and the system account, and it runs just fine..... ;)

I would suggest that if you want to share things in an environment that you don't implicitly trust all the people able to see the share that you disable all accounts except admin and system, set the permissions across the whole drive to those two accounts and create a new account specifically for your "sharer's". Then grant only the rights you want to the folders you want to the new account..... That way you know M$ hasn't allowed a Guest to access something "behind your back"..... ;)

---

What I meant was that when you right click the guest account in computer management and choose properties, there will be five check boxes(two greyed out). Check the first two and do not check the one that says account is disabled. I could be wrong but I thought that some things needed to use the guest account to run. I think that file sharing wouldn't work with it disabled. I could be wrong though. There are probably alternative ways to do this. I guess the best thing to do is just run a firewall and not worry about remote users having access to your shares.

Heretic: It wasn't so much a criticism as a "I read the paragraph five times and it didn't gel". A communication issue I guess......

I would still hang towards a "home-made" account or those folders you want to share and using that..... Then, just for giggles, click the "advanced" button I think it is, and see how granular you can really get.... things like "can add to the file but not delete" etc. can give you some real "control".... ;) Handy for log servers for example... Mr. Cracker figures he can mess with the log files..... But all he can do is "add".... That's his problem, not mine... :D

I think either way you would get the same effect. I have fooled around with this stuff a lot. I think with the default sharing enabled you have to have the guest account enabled because that is what is used to access it. In my experience if I wanted to get just user access, that user would have to have an account on the client and host computer. I think this can be overcome if you are in a domain instead of a workgroup. Do you agree that it is the same effect, except that you are just changing the guest account to make it almost like a user account? That's how I see, but I could be way off. I would like to hear more about your setup whether it be by pm or on here. I have tried many things to get it down to user access instead of guest access and the best I have come up with is user access, but having to have the same account on each computer. Check out this post on the main page, it explains my struggles of last night: http://www.antionline.com/showthread...hreadid=250808
Thanks for the feedback, I appreciate it. Don't hesitate to set me straight when I am wrong.

I could be just as wrong and am waiting for other input from the others in here that fileshare.

As far as I am concerned I don't share anything personally, Call me a crabby, selfish old bastard if you want..... ;)

In a _trusted_ environment I still prefer to drop all permissions to all drives to the admin account and the system acount on the system drive and work from there. I simply don't trust the Guest account.... That's the crabby, insecure, untrusting old fart in me..... and proceed to grant rights to who _I_ chose later.... Then, at least _I_ know where the login and password went and can determine what happened after that myself..... If you are sharing to multiple "untrusted" users then spend the time to create an account for each.... Then you know where things came fromand you can cut off one without cutting off all.....

I thought I had hit this thing from all angles, but I was just doing some more testing it again and I was able to access the shares with the username Guest even though I renamed it. But it still required the password. That's kindof wierd, I could have sworn that last night I couldn't access it with the user Guest. I think that you can access it with both the normal Guest account and the renamed Guest account when you follow the directions in the tut. Another thing to do is what Tiger Shark has suggested. You can just find all the usernames from the computers you want to access the shares. And for each one make an account on the sharing computer with the same username. Then just configure that account however you please. That is probably the way to go. Sorry about the false info.

edit
I don't know what happened between last night and now but now I am able to specify a username and password from a different computer and get access to the shares without having an account name of the same username specified. I'll explain in the tut, I'm going to edit it so please reread.

Just a quick note...
The only "system whining" that you might get from disabling a certain account is the SYSTEM account. A lot of applications use this to communicate with other servers/client computers in a trusted environment.

Just my quick 2 cents.

disc0rd, in that case I would say go on ahead and disable the Guest account. You can always re-enable it if it gives you problems anyway. Thanks for that quick note.

Good tutorial/discussion.

I just have one thing to add.

Quote:

---

Next you will want to to set a password for your Administrator and Guest accounts and rename them.

---

IN XP: If you rename the admin account (which is good practice and I ALWAYS do) then you will loose access to the recovery console on the XP disk.

Since the recovery console prompts for the password for the account "Administrator" and it won't let you put in any other username. Since you have renamed the account "Administrator" it can't find it to compare the password against.

Workaround: Use win2k pro cd to get to recovery console. It bypasses the password alltogether because it doesn't read the registry.

You can then either work from the win2k disk, or insert your xp disk and work from that one.

As far as the file permissions, I remove permission to EVERYTHING except from the system account and admin account. When I need to share something, I either xfer the files to a file server OR create a temporary limited account along with a temporary shared folder with permissions for only admin, system and temp account access. After I've finished with that, I kill the account, delete the folder and disable file/print.

I don't trust the guest either...