• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 494
  • Last Modified:

SBS 2003 security risk,wide open shares like simple sharing to any machine not on domain.

I am converting from a work group to a domain with Server 2003 for small business.  I set all my users up and permissions for shares.  The server is basically a file server.  I have sensitive data in a few folders that I need to stay private.  Before I converted my last machine to the domain, I was looking at the "My Network Places" on an XP Pro SP2 machine.  Every share that is on my server is wide open to this machine off the domain.  When I browse to it through the network, it does not even ask for a username and password, it just offers every shared folder as though it were an XP machine using simple sharing.  I have locked down with the sharing permissions and NTFS permissions to no avail.  I realize that when I convert the last machine to the domain, I will have more control over the machine.  However, in the building I am in there are a couple of offices that share the internet connection and router that will never be on my domain.  I need to lock down this share.  I have taken the "Everyone" group off every folder both in "Sharing" and "Permissons".  I have only "Administrator" and the employee using the particular folder added in both tabs on every share.  What else is there to do?
0
Nukebug
Asked:
Nukebug
  • 3
  • 3
1 Solution
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
It doesn't sound like things have been setup appropriately.

1.  Unless you hide the shares with a $ at the end they will be seen when browsing the server in network neighborhood.  This is generally unimportant and does not significantly impact security.
2.  Share permissions, except for the default NetLogon share, should be set to EVERYONE FULL ACCESS.  Share permissions are largely ineffective as when users log on to the server console, they are COMPLETELY IGNORED.
3.  NEVER assign users to files and folders or shares.  This is a VERY bad way of managing permissions.  Create security groups and assign users to the security group.  Then assign the group to the folder.  Even if the only person who needs to access the accounting files is joe, the co-owner, setup an Accounting group and put Joe in it.  Then assign permissions to the accounting group.  This way, you will not have to edit permissions six months later when they hire Jill as the bookkeeper and she needs access as well - all you do is add her to the accounting group.  The one situation where you can assign users directly is to their home directories - but in ANY other case where you want files shared, you should always use groups and never users.
4.  NEVER Deny permission to something - I managed a network of 1000+ users for years and I don't recall a single instance where explicitly denying permissions was done or otherwise appropriate.

Permissions for ALL files should include the special account SYSTEM and the Domain Admins group for administrative purposes and to ensure things like your backup and antivirus software works appropriately.

If, after you confirm/make these settings, you are still having problems, post the user name who is able to see files they shouldn't, the group membership of that user, and the permissions on the folder they are trying to access.
0
 
NukebugAuthor Commented:
I will make the suggested changes today to test them.  One thing that I am not clear on, if there is a machine that is not on my domain but still phisically connected to my network, ie. other businesses in the same building, how do I prevent them from accessing my shares?  I cannot affect the physical topology of the building, and all my runs come from the centralized network closet.  Also, I am unfamilliar with the "Netlogon Share".  I am familliar with networking but have not been at it very long.
Thanks.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
If you are sharing an Internet connection you are going to have many issues to deal with in your configuration.  But does that mean that you also need to share the same IP Subnet with them?  Usually not.

So you need to have a firewall/router between your server and the Internet connection (whether it's shared or not).  Then, you will control your own network.  Please see http://sbsurl.com/msicw for a complete overview of how to configure this.

Then, the BEST way to manage your network shares is through SBS's Server Management Console (actually this is the place you should manage most all aspects of your network).  Click on the Shares (local) node in the left side tree to view all current shares.  But I wouldn't add any shares or configure anything like this until I was sure that the network was operating securely and properly.

Jeff
TechSoEasy
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
NukebugAuthor Commented:
Thanks for the router tip, Jeff.  I will add that to the mix as well.  However, I don't think that the crux of my question is covered.  The main thing I am concerned with is I expect that I should be able to set security on my server that would at least require authentication from any machine on my subnet or not that tries to access my server shares.  When someone would click on the icon representing the server in "My network places", a security window should come up asking for a username and password.  That is what I'm missing.  I'm not sure what setting I need to have in place.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Well, your network was secure when you first installed the server because it would be that way by default.  Somehow with all of these "shares" you've made you opened everything up.  My suggestion to use the Server Management Console's Share node is because from there you can delete all of the shares you made and start over.  Creating lots of shares is the "old" way of doing things... but more importantly you need to make sure your network is secure before creating ANY shares.

Then you should look at things like Sharepoint for your document libraries, which is how SBS likes to handle things.

If you don't like SharePoint, then you can set up network shares, but you should do so only after mapping out exactly how and what needs to be shared.

Jeff
TechSoEasy
0
 
NukebugAuthor Commented:
I will go ahead with the Sharepoint, but adding the router and changing the subnet, I think will satisfy my concern about machines I cannot control.  
Thanks.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
no prob.

Jeff
TechSoEasy
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now