How to create hidden shares in server 2003 for backups?

We are trying to create hidden shares on our internal server so that we can back up private information and have access to only certain users. Is there any type of step by step guide to doing this? Currently we are able to map to the hidden share but it does not ask for a password to open them.
healthcomputingAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

IsigowCommented:
To hide a share add a $ (dollar sign) to the end of the share name.
As for passwords, make sure that the security of the share or the NT Security does not have the 'Everyone' group added, or domain users, authenticated users. Use a specific account or group to secure it (recommened to do this through NT Security)

Right click the shared folder->properties->security tab. Make sure the only items listed are those you wish to have access to the share. This will make it so only certain users can access the information

Isi
0
Rich RumbleSecurity SamuraiCommented:
If you have permissions to that folder then your not prompted for a username/pass, as your current credentials are tried by-default when you attempt the connection, so when you map to a share, and have the username and password listed either though the command line (net use) or the GUI "map to network drive" that username and pass are used. If the share was on a PC/Server that is not in the domain, and or has permissions to allow only UserX to access it, and you tried to connect to the share you would be prompted for the username and pass, as long as your not logged in as UserX, or your not in the group that is allowed GroupX

If you have 2003 SP1 applied, you can try this tool: http://www.microsoft.com/downloads/details.aspx?FamilyId=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en
http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx
Not sure about shares hidden or otherwise...
-rich
0
Rich RumbleSecurity SamuraiCommented:
When we setup a share, we use the Everyone (full control)permission for the share, and use the NTFS permissions to secure the folders access, as M$ uses the MOST RESTRICTIVE permission to determine what actions to take. The most restrictive permission taken from both the share and the ntfs right's. So if I have Everyone FullControl on the share, and have only myself listed for read/execute on the NTFS permissions, anyone who is not me, or using my credentials will be denied access to the share, even though they may be able to map or see it, hidden or not. You can easily enumerate hidden shares still. Using the Everyone, FC setting on the share makes it easy to administer the NTFS rights as you don't have to worry about making two restrictive lists, just make the one list restrictive.
http://www.microsoft.com/technet/archive/community/columns/security/askus/au061900.mspx
NTFS versus Share-level file system permissions
Q: Does Microsoft recommend share-level security over NTFS permissions in a multi-domain environment? Which is more secure and easy to administer?

A: I've seen experienced Windows administrators make this semantic error (including myself) so often, I had to pull this one from the mailbag and answer it. You really can't pick one or the other – file system permissions in Windows NT or 2000 result from the intersection of both share-level and NTFS access control lists (ACLs). In other words, the most restrictive effective rights are distilled from the combination of both the share and NTFS settings. Typically what this means is that one is set to the most liberal access possible, and then the other is used to determine actual permissions on a given file or directory.
Microsoft (and I, coincidentally) recommend using NTFS permissions wherever possible. It offers more granularity in assigning permissions, and it also works from the perspective of the local user as well as over the network. Thus, whether a user is logged in at the local console or browsing a directory over the network, security is enforced.
To set up NTFS share permissions in a multi-domain environment, simply share out the drive or folder you want, and then configure the NTFS permissions. By default, both share-level access and NTFS permissions are set to Everyone:Full Control, so all you have to do is change the NTFS permissions and you're done. Need I advise anyone to set it to something other then Everyone:Full Control?
Phew! It's the simple questions that challenge you to think the most. Keep 'em pouring in, and I'll do my best to get to them next time we take a spin around security.
-rich
0
Top Threats of Q1 & How to Defend Against Them

WEBINAR: Join WatchGuard CTO and our Threat Research Team on Aug. 2nd to hear the findings from our Q1 Internet Security Report! Learn more about the top threats detected in the first quarter and how you can defend your business against them!

healthcomputingAuthor Commented:
I am able to hide the shares. How do  you use NT Security? ---Isigow
0
Rich RumbleSecurity SamuraiCommented:
He meant NTFS security. There are share and ntfs permissions, the share are under the "sharing" tab, and the NTFS security permissions are under the "Security" tab
-rich
0
IsigowCommented:
On later versions of windows it also sometimes has a 'Sharing and Security' options on the context (right click) menu.

NT Security is pretty easy to understand the main permissions being:
Full Control: All Control, including changing permissions, dont set this for anyone but an administrator
Read and Execute: Read and Open files, run programs
Write: Create a new file
Modify: Change an Existing File

Without modify, users cannot change or delete files, even if they created them unless you do slightly more complex premissions (in case your wondering)
For backups, I would give a backup operator (account running your backups) Modify and Administrators Full Control and no other accounts listed. Deny shouldnt be necessary unless there are certain Administrators or Backup Operators that should not have access to the directory.

NT Security is always recommened (as mentioned above) over share security.

Isi
0
healthcomputingAuthor Commented:
Ok, I am using NT Security. I want to create something like we already have but am unsure how to do it. We don't have a Domain. We have a share called xxxx and when you go to map that folder on any of our machines it asks for a password. Maybe this will help-- it is part of the following users/groups: Admin which has full access, Creator (owner), Everyone-- full control, XXX(share name) --modify, System-full control, Users--read/write. Somewhere in there it is set up to ask for a password when I try to map to it. I would like to do this for several shares.
0
IsigowCommented:
remove everyone full control, I assume you mean the users have to put in a login/password in order to access other shares in which case you create a user with a certain password and give that local user control over the share (modify)

so you would end up with admin full control, specific user -- modify, creator owner full control.
Thing you need to remember is that without a domain, user information is not passed between different computer within a workgroup, every account has different information depending on what computer it is on. Users are users to the local machine and nothing beyond. If what your looking for is really a file share type system, you may want to just upgrade your existing infrastructure to a domain enviornment which will give you tons more control and flexability. If that is not an option, you might need to create local users on your machine, give users read to the share level, then in their own user share type folder below the master level give them modify. Like so:

c:\Users -- Admin full control, Users Read/Exec (Share name Users$)
c:\Users\JohnSmith -- admin full control, JohnSmith Modify (No share)
c:\Users\Administrator -- Administrator full control
c:\Users\JaneDoe -- admin full control, JaneDoe Modify (no Share)


Or if it is more of a general backup location, but remember each user would need a local account
C:\Backup -- admin full control, Users Read/Write (no modify), Creator Owner Full Control

Hope this all makes sense,
Isi
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
healthcomputingAuthor Commented:
I am trying to create shares on a central server that we are running and trying to put the backup files onto different shares for each user.
0
healthcomputingAuthor Commented:
I must be missing something somewhere. We have a workgroup created for all of the computers and I am trying to make specific folders on the server require anyone in the workgroup to enter a username and password. Is there a simple solution to this?
0
healthcomputingAuthor Commented:
Going to try something else, thanks.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.