Solved

Shared Domain folders, everyone has access.

Posted on 2004-09-15
Last Modified: 2010-04-11
First off, I did not set up the domain at my company. I just have a question about file security. We have about 10 servers (one at each location) that we use for different software, and as domain controllers. We also have shared files on each server for stuff that we need to install on clients. The problem is, anyone who has domain user rights on the domain can get into these shares if they know the server name or IP. Since I use "Run" to access them, a lot of times they just click Run and can see the history. This hasn't been a problem, but we are seeing some questionable files showing up on our servers. Our fear is that it could be used as a file dump.

How can we add a simple password to these directories, so that when we try to get access to these particular files, it will ask for a password?
The trick is that some software uses shared files on these servers, these apps need FULL access to the directories. Should I just make those particular folders hidden?

Thanks!
0
Question by:ZLucas
4 Comments
 
LVL 2

Accepted Solution

by:
AlfaLAN earned 500 total points
ID: 12070879
Are you familiar with userrights?
If not, in short you have share-permissions and file(ntfs)-permissions.
Both use the same available users & groups but are NOT the same.

You can never give/get more userrights through share-permissions than the file(ntfs)-permissions allow.
So you could say that you can use the share-permissions as a limiting filter to assign userrights.

So you could set up the share roots to Authenticated Users (having full control). No user Everyone. This provides at least some defence to user anonymous.

Then set up correct file (NTFS) permissions: remove user Everyone, add group Administrators (full control), add user/group CREATOR OWNER where needed (full control), add SYSTEM (at least traverse folders, and add what is needed). The most important part is to group your users in groups (better even: OUs).

The idea in layman's language is: when a user tries to do something with a file, the hard drive checks to see if this user is a member of a group that has the right to perform this file action. Otherwise it will ask for a username/password that has the appropriate rights. If this is not (correctly) provided, then the hard disk will deny access.

Where to find what:
Right-click on a disk or directory and select Properties. Then select the Sharing tab... it should explain itself.
The next tab, called Security, is the tab that controls the file (NTFS) permissions.

What rights are needed? Use filemon.exe from www.sysinternals.com. It can show you which application is trying to do what to what file as what user.
So if access was denied (operation not successful) you know what rights to put where.

BEWARE, you can get yourself some major nightmares when playing with user rights on a production machine if you do not know what you are doing!

Maybe someone can post some links on increasing security using NTFS permissions? What is generally needed and where? What should generally be edited?

Hope this helps,
0
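The layering described in the accepted answer (share permissions as a coarse filter, NTFS permissions as the real restriction), as an added example that is not part of the original answer. It assumes Windows Server 2012 or later for the SmbShare cmdlets and an elevated session; the share name, path and group names are hypothetical placeholders.

```powershell
# Hypothetical names: replace with the values from your own environment.
$ShareName = 'Installs'               # assumed share name
$Path      = 'D:\Shares\Installs'     # assumed folder behind the share
$AppGroup  = 'CORP\App-Service'       # assumed group for apps that must write here
$ReadGroup = 'CORP\Install-Readers'   # assumed group that only reads installers

# 1. Share permissions: the coarse filter.
#    Authenticated Users get Full Control, Everyone is removed,
#    so the NTFS ACL decides what each account can actually do.
Grant-SmbShareAccess -Name $ShareName -AccountName 'Authenticated Users' `
    -AccessRight Full -Force | Out-Null
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' `
    -Force -ErrorAction SilentlyContinue | Out-Null

# 2. NTFS permissions: the real restriction.
#    /inheritance:r drops ACEs inherited from the parent folder.
#    (OI)(CI) applies to files and subfolders; (IO) means inherit-only.
#    M (Modify) allows create/write/delete without the right to change ACLs;
#    use F only for an application that really needs to change permissions.
icacls $Path /inheritance:r `
    /grant:r 'Administrators:(OI)(CI)F' `
    /grant:r 'SYSTEM:(OI)(CI)F' `
    /grant:r 'CREATOR OWNER:(OI)(CI)(IO)F' `
    /grant:r "${AppGroup}:(OI)(CI)M" `
    /grant:r "${ReadGroup}:(OI)(CI)RX"
icacls $Path /remove:g 'Everyone'

# 3. Verify both layers and flag any broad principal left on the NTFS ACL.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight
$acl = (Get-Acl -Path $Path).Access
$acl | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited

$broad = $acl | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -match 'Everyone|Authenticated Users|\\Users$|Domain Users$'
}
if ($broad) {
    Write-Warning ("Broad principals still on ${Path}: " +
        (($broad.IdentityReference.Value | Sort-Object -Unique) -join ', '))
}
```

Run it against a test folder first; removing inheritance on a production share cuts off every account that is not granted explicitly.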
 
LVL 17

Expert Comment

by:Jared Luker
ID: 12070920
What operating system are your servers running?  Are the drives formatted NTFS (if Windows)?

Setting up share and NTFS permissions can get very tricky.  I would suggest you make a representation of your directory structure and who you want to have access to it and post it.  We can probably help more with that info.
0
 
LVL 8

Expert Comment

by:dhoustonie
ID: 12073898
As you have mentioned Domain Controllers, I'm assuming the basic Windows NT Domain.
The questions that spring into my mind are:
Users: what rights do they have?  Are they local administrators, or power users? How or why do they have the rights to install software?
What operating system are your clients? Windows 98/Me or Windows NT, 2000 or XP?
Why does each user account need full access to the apps? Why don't you use the administrator account to install the software, and restrict the user accounts to read-only access of the folders?
What sort of number of clients are there in total or per site?
I think that you will need to tighten up your security, particularly if you are starting to see unknown files on your domain controllers. They could delete your applications that you are trying to protect.
Do you have a policy in place with regards to the use of computers and domain controllers?
Do you have auditing enabled to find out which user is creating these files?

Dave
0
 
LVL 2

Expert Comment

by:adam1213
ID: 12081494
On the shares, right-click, select Properties, Sharing.

In Win XP click Permissions and put a password.
In 98 put a password in the password field.

0


Question has a verified solution.
