Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

How to create hidden shares in server 2003 for backups?

Posted on 2006-04-25
11
Medium Priority
?
348 Views
Last Modified: 2013-12-04
We are trying to create hidden shares on our internal server so that we can back up private information and have access to only certain users. Is there any type of step by step guide to doing this? Currently we are able to map to the hidden share but it does not ask for a password to open them.
0
Comment
Question by:healthcomputing
  • 5
  • 3
  • 3
11 Comments
 
LVL 7

Assisted Solution

by:Isigow
Isigow earned 1200 total points
ID: 16537853
To hide a share add a $ (dollar sign) to the end of the share name.
As for passwords, make sure that the security of the share or the NT Security does not have the 'Everyone' group added, or domain users, authenticated users. Use a specific account or group to secure it (recommened to do this through NT Security)

Right click the shared folder->properties->security tab. Make sure the only items listed are those you wish to have access to the share. This will make it so only certain users can access the information

Isi
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16544209
If you have permissions to that folder then your not prompted for a username/pass, as your current credentials are tried by-default when you attempt the connection, so when you map to a share, and have the username and password listed either though the command line (net use) or the GUI "map to network drive" that username and pass are used. If the share was on a PC/Server that is not in the domain, and or has permissions to allow only UserX to access it, and you tried to connect to the share you would be prompted for the username and pass, as long as your not logged in as UserX, or your not in the group that is allowed GroupX

If you have 2003 SP1 applied, you can try this tool: http://www.microsoft.com/downloads/details.aspx?FamilyId=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en
http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx
Not sure about shares hidden or otherwise...
-rich
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16544298
When we setup a share, we use the Everyone (full control)permission for the share, and use the NTFS permissions to secure the folders access, as M$ uses the MOST RESTRICTIVE permission to determine what actions to take. The most restrictive permission taken from both the share and the ntfs right's. So if I have Everyone FullControl on the share, and have only myself listed for read/execute on the NTFS permissions, anyone who is not me, or using my credentials will be denied access to the share, even though they may be able to map or see it, hidden or not. You can easily enumerate hidden shares still. Using the Everyone, FC setting on the share makes it easy to administer the NTFS rights as you don't have to worry about making two restrictive lists, just make the one list restrictive.
http://www.microsoft.com/technet/archive/community/columns/security/askus/au061900.mspx
NTFS versus Share-level file system permissions
Q: Does Microsoft recommend share-level security over NTFS permissions in a multi-domain environment? Which is more secure and easy to administer?

A: I've seen experienced Windows administrators make this semantic error (including myself) so often, I had to pull this one from the mailbag and answer it. You really can't pick one or the other – file system permissions in Windows NT or 2000 result from the intersection of both share-level and NTFS access control lists (ACLs). In other words, the most restrictive effective rights are distilled from the combination of both the share and NTFS settings. Typically what this means is that one is set to the most liberal access possible, and then the other is used to determine actual permissions on a given file or directory.
Microsoft (and I, coincidentally) recommend using NTFS permissions wherever possible. It offers more granularity in assigning permissions, and it also works from the perspective of the local user as well as over the network. Thus, whether a user is logged in at the local console or browsing a directory over the network, security is enforced.
To set up NTFS share permissions in a multi-domain environment, simply share out the drive or folder you want, and then configure the NTFS permissions. By default, both share-level access and NTFS permissions are set to Everyone:Full Control, so all you have to do is change the NTFS permissions and you're done. Need I advise anyone to set it to something other then Everyone:Full Control?
Phew! It's the simple questions that challenge you to think the most. Keep 'em pouring in, and I'll do my best to get to them next time we take a spin around security.
-rich
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 

Author Comment

by:healthcomputing
ID: 16546906
I am able to hide the shares. How do  you use NT Security? ---Isigow
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16547025
He meant NTFS security. There are share and ntfs permissions, the share are under the "sharing" tab, and the NTFS security permissions are under the "Security" tab
-rich
0
 
LVL 7

Expert Comment

by:Isigow
ID: 16549478
On later versions of windows it also sometimes has a 'Sharing and Security' options on the context (right click) menu.

NT Security is pretty easy to understand the main permissions being:
Full Control: All Control, including changing permissions, dont set this for anyone but an administrator
Read and Execute: Read and Open files, run programs
Write: Create a new file
Modify: Change an Existing File

Without modify, users cannot change or delete files, even if they created them unless you do slightly more complex premissions (in case your wondering)
For backups, I would give a backup operator (account running your backups) Modify and Administrators Full Control and no other accounts listed. Deny shouldnt be necessary unless there are certain Administrators or Backup Operators that should not have access to the directory.

NT Security is always recommened (as mentioned above) over share security.

Isi
0
 

Author Comment

by:healthcomputing
ID: 16556701
Ok, I am using NT Security. I want to create something like we already have but am unsure how to do it. We don't have a Domain. We have a share called xxxx and when you go to map that folder on any of our machines it asks for a password. Maybe this will help-- it is part of the following users/groups: Admin which has full access, Creator (owner), Everyone-- full control, XXX(share name) --modify, System-full control, Users--read/write. Somewhere in there it is set up to ask for a password when I try to map to it. I would like to do this for several shares.
0
 
LVL 7

Accepted Solution

by:
Isigow earned 1200 total points
ID: 16561260
remove everyone full control, I assume you mean the users have to put in a login/password in order to access other shares in which case you create a user with a certain password and give that local user control over the share (modify)

so you would end up with admin full control, specific user -- modify, creator owner full control.
Thing you need to remember is that without a domain, user information is not passed between different computer within a workgroup, every account has different information depending on what computer it is on. Users are users to the local machine and nothing beyond. If what your looking for is really a file share type system, you may want to just upgrade your existing infrastructure to a domain enviornment which will give you tons more control and flexability. If that is not an option, you might need to create local users on your machine, give users read to the share level, then in their own user share type folder below the master level give them modify. Like so:

c:\Users -- Admin full control, Users Read/Exec (Share name Users$)
c:\Users\JohnSmith -- admin full control, JohnSmith Modify (No share)
c:\Users\Administrator -- Administrator full control
c:\Users\JaneDoe -- admin full control, JaneDoe Modify (no Share)


Or if it is more of a general backup location, but remember each user would need a local account
C:\Backup -- admin full control, Users Read/Write (no modify), Creator Owner Full Control

Hope this all makes sense,
Isi
0
 

Author Comment

by:healthcomputing
ID: 16610995
I am trying to create shares on a central server that we are running and trying to put the backup files onto different shares for each user.
0
 

Author Comment

by:healthcomputing
ID: 16652579
I must be missing something somewhere. We have a workgroup created for all of the computers and I am trying to make specific folders on the server require anyone in the workgroup to enter a username and password. Is there a simple solution to this?
0
 

Author Comment

by:healthcomputing
ID: 16662205
Going to try something else, thanks.
0

Featured Post

Become an Android App Developer

Ready to kick start your career in 2018? Learn how to build an Android app in January’s Course of the Month and open the door to new opportunities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
Screencast - Getting to Know the Pipeline
Suggested Courses

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question