healthcomputing
How to create hidden shares in Server 2003 for backups?
We are trying to create hidden shares on our internal server so that we can back up private information and have access to only certain users. Is there any type of step by step guide to doing this? Currently we are able to map to the hidden share but it does not ask for a password to open them.
When we set up a share, we use the Everyone (Full Control) permission for the share, and use the NTFS permissions to secure the folder's access, as M$ uses the MOST RESTRICTIVE permission to determine what actions to take. The most restrictive permission is taken from both the share and the NTFS rights. So if I have Everyone Full Control on the share, and have only myself listed for read/execute on the NTFS permissions, anyone who is not me, or using my credentials, will be denied access to the share, even though they may be able to map or see it, hidden or not. You can still easily enumerate hidden shares. Using the Everyone, FC setting on the share makes it easy to administer the NTFS rights as you don't have to worry about making two restrictive lists, just make the one list restrictive.
http://www.microsoft.com/technet/archive/community/columns/security/askus/au061900.mspx
NTFS versus Share-level file system permissions
Q: Does Microsoft recommend share-level security over NTFS permissions in a multi-domain environment? Which is more secure and easy to administer?
A: I've seen experienced Windows administrators make this semantic error (including myself) so often, I had to pull this one from the mailbag and answer it. You really can't pick one or the other – file system permissions in Windows NT or 2000 result from the intersection of both share-level and NTFS access control lists (ACLs). In other words, the most restrictive effective rights are distilled from the combination of both the share and NTFS settings. Typically what this means is that one is set to the most liberal access possible, and then the other is used to determine actual permissions on a given file or directory.
Microsoft (and I, coincidentally) recommend using NTFS permissions wherever possible. It offers more granularity in assigning permissions, and it also works from the perspective of the local user as well as over the network. Thus, whether a user is logged in at the local console or browsing a directory over the network, security is enforced.
To set up NTFS share permissions in a multi-domain environment, simply share out the drive or folder you want, and then configure the NTFS permissions. By default, both share-level access and NTFS permissions are set to Everyone:Full Control, so all you have to do is change the NTFS permissions and you're done. Need I advise anyone to set it to something other than Everyone:Full Control?
Phew! It's the simple questions that challenge you to think the most. Keep 'em pouring in, and I'll do my best to get to them next time we take a spin around security.
-rich
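The intersection rule described in the answer above, as an added Python model that is not part of the original thread. The account names `backupsvc` and `alice` and all ACLs are constructed, and the model is simplified: it ignores inheritance and ACE ordering.

```python
from dataclasses import dataclass

READ = frozenset({"read"})
CHANGE = READ | {"write", "delete"}        # share "Change" / NTFS "Modify"
FULL = CHANGE | {"change_permissions"}     # "Full Control"

@dataclass(frozen=True)
class Ace:
    principal: str          # user or group name (constructed for this example)
    rights: frozenset
    allow: bool = True

def acl_rights(acl, user, groups):
    """Rights one ACL grants: union of matching allows minus matching denies."""
    who = {user, "Everyone", *groups}
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in who:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)

def effective_access(share_acl, ntfs_acl, user, groups, over_network=True):
    """Network access is share AND NTFS; local console access is NTFS only."""
    ntfs = acl_rights(ntfs_acl, user, groups)
    if not over_network:
        return ntfs
    return ntfs & acl_rights(share_acl, user, groups)

# Layout from the thread: open share, restrictive NTFS list.
SHARE_OPEN = [Ace("Everyone", FULL)]
NTFS_TIGHT = [Ace("Administrators", FULL), Ace("backupsvc", CHANGE)]
# Inverse layout: restrictive share, NTFS left at Everyone:Full Control.
SHARE_TIGHT = [Ace("backupsvc", CHANGE)]
NTFS_OPEN = [Ace("Everyone", FULL)]

def demo():
    """Effective rights for each layout, user and access path."""
    cases = {}
    for label, share, ntfs in (("ntfs-restricted", SHARE_OPEN, NTFS_TIGHT),
                               ("share-restricted", SHARE_TIGHT, NTFS_OPEN)):
        for user, groups in (("backupsvc", []), ("alice", ["Users"])):
            for net in (True, False):
                got = effective_access(share, ntfs, user, groups, net)
                cases[(label, user, "network" if net else "local")] = sorted(got)
    return cases

if __name__ == "__main__":
    for key, rights in demo().items():
        print(key, rights or "ACCESS DENIED")
```

With the share-restricted layout, `alice` is blocked over the network but has Full Control at the local console, which is the gap the NTFS-restricted layout closes.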
ASKER
I am able to hide the shares. How do you use NT Security? ---Isigow
He meant NTFS security. There are share and NTFS permissions; the share permissions are under the "Sharing" tab, and the NTFS security permissions are under the "Security" tab.
-rich
On later versions of Windows it also sometimes has a 'Sharing and Security' option on the context (right click) menu.
NT Security is pretty easy to understand, the main permissions being:
Full Control: All Control, including changing permissions, don't set this for anyone but an administrator
Read and Execute: Read and Open files, run programs
Write: Create a new file
Modify: Change an Existing File
Without modify, users cannot change or delete files, even if they created them, unless you do slightly more complex permissions (in case you're wondering).
For backups, I would give a backup operator (account running your backups) Modify and Administrators Full Control and no other accounts listed. Deny shouldn't be necessary unless there are certain Administrators or Backup Operators that should not have access to the directory.
NT Security is always recommended (as mentioned above) over share security.
Isi
ASKER
Ok, I am using NT Security. I want to create something like we already have but am unsure how to do it. We don't have a Domain. We have a share called xxxx and when you go to map that folder on any of our machines it asks for a password. Maybe this will help-- it is part of the following users/groups: Admin which has full access, Creator (owner), Everyone-- full control, XXX(share name) --modify, System-full control, Users--read/write. Somewhere in there it is set up to ask for a password when I try to map to it. I would like to do this for several shares.
ASKER
I am trying to create shares on a central server that we are running and trying to put the backup files onto different shares for each user.
ASKER
I must be missing something somewhere. We have a workgroup created for all of the computers and I am trying to make specific folders on the server require anyone in the workgroup to enter a username and password. Is there a simple solution to this?
ASKER
Going to try something else, thanks.
If you have 2003 SP1 applied, you can try this tool: http://www.microsoft.com/downloads/details.aspx?FamilyId=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en
http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx
Not sure about shares hidden or otherwise...
-rich