Solved

Shared Domain folders, everyone has access.

Posted on 2004-09-15
Last Modified: 2010-04-11
First off, I did not set up the domain at my company. I just have a question about file security. We have about 10 servers (one at each location) that we use for different software, and as domain controllers. We also have shared files on each server for stuff that we need to install on clients. The problem is, anyone who has domain user rights on the domain can get into these shares if they know the server name or IP. Since I use "Run" to access them, a lot of times they just click Run and can see the history. This hasn't been a problem, but we are seeing some questionable files showing up on our servers. Our fear is that it could be used as a file dump.

How can we add a simple password to these directories, so that when we try to get access to these particular files, it will ask for a password?
The trick is that some software uses shared files on these servers, these apps need FULL access to the directories. Should I just make those particular folders hidden?

Thanks!
Question by:ZLucas
4 Comments
 
LVL 2

Accepted Solution

by:
AlfaLAN earned 500 total points
ID: 12070879
Are you familiar with userrights?
If not, in short you have share-permissions and file(ntfs)-permissions.
Both use the same available users & groups but are NOT the same.

You can never give/get more userrights through share-permissions than the file(ntfs)-permissions allow.
So you could say that you can use the share-permissions as a limiting filter to assign userrights.

So you could set up the share roots to authenticated users (having full control). No user Everyone. This provides at least some defence against user anonymous.

Then set up correct file(ntfs)-permissions: remove user Everyone, add group Administrators (full control), add user/group Creator Owner where needed (full control), add System (at least traverse folders, and add what is needed). The most important part is to group your users in groups (better even: OUs).

The idea in layman's language is: when a user tries to do something with a file, the hard drive checks to see if this user is a member of a group that has the right to perform this file action. Otherwise it will ask for a username/password that has the appropriate rights. If this is not (correctly) provided, then the hard disk will deny access.

Where to find what:
Right-click on a disk or directory and select Properties. Then select the Sharing tab... it should explain itself.
The next tab, called Security, is the tab that controls the file(ntfs)-permissions.

What rights are needed? Use filemon.exe from www.sysinternals.com. It can show you which application is trying to do what to what file as what user.
So if access was denied (operation not successful) you know what rights to put where.

BEWARE, you can get yourself some major nightmares when playing with user rights on a production machine if you do not know what you are doing!

Maybe someone can post some links on increasing security using ntfs-permissions? What is generally needed and where? What should generally be edited?

Hope this helps,
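The two-layer check described in the accepted answer, as an added example that is not part of the original thread: a PowerShell report of shares where a broad group can write through both the share permission and the NTFS ACL on the share root. It assumes Windows Server 2012 or later (SmbShare module), an elevated prompt, and a list of "broad" principals chosen here for illustration.

```powershell
# Added example: flag non-administrative shares where a broad group can write
# through BOTH layers (share permission and NTFS ACL on the share root).
# Assumes Windows Server 2012+ (SmbShare module) and an elevated prompt.

# Principals treated as "broad"; this list is an assumption, adjust to your domain.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', '*\Domain Users'

function Test-Broad([string]$Account) {
    foreach ($pattern in $broad) { if ($Account -like $pattern) { return $true } }
    return $false
}

# NTFS bits that allow creating files or folders; Write, Modify and FullControl
# all contain them, while Read and ReadAndExecute do not.
$writeMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'

$findings = foreach ($share in Get-SmbShare -Special $false) {
    if (-not $share.Path) { continue }   # skip shares that have no disk path

    # Layer 1: share permissions that allow Change or Full to a broad principal.
    $shareWriters = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.AccessRight -in 'Change', 'Full' -and
                       (Test-Broad $_.AccountName) }

    # Layer 2: NTFS ACEs on the share root that allow creation to a broad principal.
    $ntfsWriters = (Get-Acl -Path $share.Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band $writeMask) -ne 0 -and
                       (Test-Broad $_.IdentityReference.Value) }

    # Effective access is the more restrictive layer, so report only when both allow it.
    if ($shareWriters -and $ntfsWriters) {
        [pscustomobject]@{
            Share        = $share.Name
            Path         = $share.Path
            ShareWriters = ($shareWriters.AccountName | Sort-Object -Unique) -join '; '
            NtfsWriters  = ($ntfsWriters.IdentityReference.Value | Sort-Object -Unique) -join '; '
        }
    }
}

$findings | Format-Table -AutoSize
```

The report only reads ACLs and changes nothing. It does not resolve nested group membership or Deny entries, so treat each row as a share to review rather than a final verdict.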
 
LVL 17

Expert Comment

by:Jared Luker
ID: 12070920
What operating system are your servers running?  Are the drives formatted NTFS (if Windows)?

Setting up share and NTFS permissions can get very tricky.  I would suggest you make a representation of your directory structure and who you want to have access to it and post it.  We can probably help more with that info.
 
LVL 8

Expert Comment

by:dhoustonie
ID: 12073898
As you have mentioned Domain Controllers, I'm assuming the basic Windows NT Domain.
The questions that spring into my mind are:
Users: what rights do they have?  Are they local administrators, or power users? How or why do they have the rights to install software?
What operating system are your clients? Windows 98/Me or Windows NT, 2000 or XP?
Why does each user account need full access to the apps? Why don't you use the administrator account to install the software, and restrict the user accounts to read-only access of the folders?
What sort of number of clients are there in total or per site?
I think that you will need to tighten up your security, particularly if you are starting to see unknown files on your domain controllers. They could delete your applications that you are trying to protect.
Do you have a policy in place with regards to the use of computers and domain controllers?
Do you have auditing enabled to find out which user is creating these files?

Dave
 
LVL 2

Expert Comment

by:adam1213
ID: 12081494
On the shares, right-click, select Properties, Sharing.

In Win XP, click Permissions and put a password.
In 98, put a password in the password field.
