Solved

Shared Domain folders, everyone has access.

Posted on 2004-09-15
Last Modified: 2010-04-11
First off, I did not set up the domain at my company. I just have a question about file security. We have about 10 servers (one at each location) that we use for different software and as domain controllers. We also have shared files on each server for stuff that we need to install on clients. The problem is, anyone who has domain user rights on the domain can get into these shares if they know the server name or IP. Since I use "Run" to access them, a lot of times they just click Run and can see the history. This hasn't been a problem, but we are seeing some questionable files showing up on our servers. Our fear is that it could be used as a file dump.

How can we add a simple password to these directories, so that when we try to get access to these particular files, it will ask for a password?
The trick is that some software uses shared files on these servers; these apps need FULL access to the directories. Should I just make those particular folders hidden?

Thanks!
Question by:ZLucas

Accepted Solution

by: AlfaLAN (earned 500 total points)
ID: 12070879
Are you familiar with user rights?
If not, in short you have share permissions and file (NTFS) permissions.
Both use the same available users and groups but are NOT the same.

You can never give/get more user rights through share permissions than the file (NTFS) permissions allow.
So you could say that you can use the share permissions as a limiting filter to assign user rights.

So you could set up the share roots for Authenticated Users (having Full Control). No user Everyone. This provides at least some defence against the anonymous user.

Then set up correct file (NTFS) permissions: remove user Everyone, add group Administrators (Full Control), add user/group Creator Owner where needed (Full Control), add System (at least Traverse Folder, and add what is needed). The most important part is to group your users in groups (better even: OUs).

The idea in layman's language is: when a user tries to do something with a file, the hard drive checks to see if this user is a member of a group that has the right to perform this file action. Otherwise it will ask for a username/password that has the appropriate rights. If this is not (correctly) provided, then the hard disk will deny access.

Where to find what:
Right-click on a disk or directory and select Properties. Then select the Sharing tab... should explain itself.
The next tab, called Security, is the tab that controls the file (NTFS) permissions.

What rights are needed? Use filemon.exe from www.sysinternals.com. It can show you which application is trying to do what to what file as what user.
So if access was denied (operation not successful) you know what rights to put where.

BEWARE, you can get yourself some major nightmares when playing with user rights on a production machine if you do not know what you are doing!

Maybe someone can post some links on increasing security using NTFS permissions? What is generally needed and where? What should generally be edited?

Hope this helps,
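
The two layers described in the accepted answer can be audited together. The PowerShell below is an added example, not part of the original thread; it assumes Windows Server 2012 or later (the SmbShare module) and an elevated session, and the `$broad` list and `Test-Broad` helper are illustrative names.

```powershell
# Added example; assumes Windows Server 2012+ (SmbShare module), elevated session.
# Flags shares where a broad group can write at BOTH layers, because effective
# access over the network is the more restrictive of share and NTFS permissions.

$broad = 'Everyone', 'Authenticated Users', 'Domain Users', 'Users'  # illustrative list

function Test-Broad([string]$Account) {
    # Compare only the name after "DOMAIN\" or "NT AUTHORITY\"
    $broad -contains ($Account -split '\\')[-1]
}

$fsr = [System.Security.AccessControl.FileSystemRights]
$writeBits = [int]($fsr::WriteData -bor $fsr::AppendData)  # create files / create folders

Get-SmbShare -Special $false | Where-Object { $_.Path } | ForEach-Object {
    $share = $_

    # Share layer: Allow entries granting Change or Full to a broad group
    $shareWriters = @(Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -in 'Full', 'Change' -and
        (Test-Broad $_.AccountName)
    })

    # NTFS layer: Allow ACEs on the share root that include a write bit.
    # Deny ACEs and subfolders with broken inheritance are not evaluated here.
    $ntfsWriters = @((Get-Acl -LiteralPath $share.Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeBits) -ne 0) -and
        (Test-Broad $_.IdentityReference.Value)
    })

    # Only report when both layers allow the write: that is the "file dump" case
    if ($shareWriters.Count -gt 0 -and $ntfsWriters.Count -gt 0) {
        [pscustomobject]@{
            Share       = $share.Name
            Path        = $share.Path
            ShareAccess = ($shareWriters | ForEach-Object {
                              "$($_.AccountName):$($_.AccessRight)" }) -join '; '
            NtfsAccess  = ($ntfsWriters | ForEach-Object {
                              "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
        }
    }
} | Format-Table -AutoSize -Wrap
```

Shares listed in the output are the ones where tightening either layer, as the answer describes, removes write access for ordinary domain users.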

Expert Comment

by:Jared Luker
ID: 12070920
What operating system are your servers running?  Are the drives formatted NTFS (if Windows)?

Setting up share and NTFS permissions can get very tricky.  I would suggest you make a representation of your directory structure and who you want to have access to it and post it.  We can probably help more with that info.

Expert Comment

by:dhoustonie
ID: 12073898
As you have mentioned domain controllers, I'm assuming the basic Windows NT domain.
The questions that spring to my mind are:
Users: what rights do they have?  Are they local administrators, or power users? How or why do they have the rights to install software?
What operating system are your clients? Windows 98/Me, or Windows NT, 2000 or XP?
Why does each user account need full access to the apps? Why don't you use the administrator account to install the software, and restrict the user accounts to read-only access of the folders?
What sort of number of clients are there in total or per site?
I think that you will need to tighten up your security, particularly if you are starting to see unknown files on your domain controllers. They could delete your applications that you are trying to protect.
Do you have a policy in place with regard to the use of computers and domain controllers?
Do you have auditing enabled to find out which user is creating these files?

Dave

Expert Comment

by:adam1213
ID: 12081494
On the shares, right-click, select Properties, Sharing.

In Win XP click Permissions and put a password.
In 98 put a password in the password field.
