Solved

NTFS permissions and the default C$ share on servers - security issue?

Posted on 2007-10-11
Last Modified: 2013-12-04
I just have a simple question about NTFS permissions on a web server:

I have the site data on a separate hard drive, E:, with group Everyone completely removed from the permissions. Should I do the same on the C: drive to lock down the server further, or will that ruin the server so that I won't be able to log in? Do you have any recommendations? The way it's currently set up, anyone that gains access to the network -- not even the server -- can simply access \\server\c$ to see EVERYTHING on the C: drive. If you ask me, that is a heck of a security threat. Do you have any recommendations for other servers such as DCs or file servers? Is this share necessary (I assume so...)?

That's all! Thanks!
Question by:Pugglewuggle
7 Comments
 
LVL 5

Accepted Solution

by:
Fridolin Mansmann earned 2000 total points
ID: 20063600
The C$ share is an admin share and is normally only accessible with administrative rights. I would NOT recommend removing the share.
But you can remove the Everyone group from the NTFS permissions. Maybe you should add "Domain users" or another group with READ permissions if it is necessary to access something.
Be sure that on C: (root) the "Administrators" group has FULL Control permissions.

For detailed information, see here:
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx

Also an interesting tool:
http://support.microsoft.com/kb/318754

Guides:
http://technet2.microsoft.com/windowsserver/en/library/33572299-55a2-4868-b0bc-8f2875ddee471033.mspx?mfr=true

MAYBE a good idea is to have a full backup of the server and a system restore point!
If you have doubts, use a VMware session or VirtualPC2007 session to set up a new server for testing and playing around with permissions before doing this on a productive machine.
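
Added example, not part of the original answer: a read-only PowerShell audit of the NTFS ACL on each fixed drive root, reporting whether Everyone holds an allow entry and whether Administrators holds Full Control, so the state is known before any entry is removed. It assumes PowerShell 3.0 or later and an elevated session; the function name `Get-RootAclAudit` is made up for this example.

```powershell
# Read-only: nothing here changes an ACL. Run from an elevated prompt.
function Get-RootAclAudit {
    # Well-known SIDs, so the check also works on non-English installs.
    $everyoneSid = 'S-1-1-0'        # Everyone
    $adminsSid   = 'S-1-5-32-544'   # BUILTIN\Administrators
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

    # Only local, mounted NTFS volumes carry the ACLs discussed here.
    $drives = [System.IO.DriveInfo]::GetDrives() | Where-Object {
        $_.DriveType -eq 'Fixed' -and $_.IsReady -and $_.DriveFormat -eq 'NTFS'
    }

    foreach ($drive in $drives) {
        $root  = $drive.RootDirectory.FullName
        $acl   = Get-Acl -Path $root
        # Explicit and inherited entries, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true, $sidType)

        $everyone = @($rules | Where-Object {
            $_.IdentityReference.Value -eq $everyoneSid -and
            $_.AccessControlType -eq 'Allow'
        })
        $adminFull = @($rules | Where-Object {
            $_.IdentityReference.Value -eq $adminsSid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $fullControl) -eq $fullControl
        })

        [pscustomobject]@{
            Root              = $root
            EveryoneAllowed   = ($everyone.Count -gt 0)
            EveryoneRights    = ($everyone | ForEach-Object { $_.FileSystemRights }) -join '; '
            AdminsFullControl = ($adminFull.Count -gt 0)
        }
    }
}

Get-RootAclAudit | Format-Table -AutoSize
```

A root where `AdminsFullControl` is False is one to fix first, before the Everyone entry is touched.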
 
LVL 57

Expert Comment

by:Pete Long
ID: 20063603
I'm assuming because of the TA we are talking about an IIS web site?

OK, there is a difference in permissions if we are - web permissions are set in the IIS management console, not at folder level :) Your best bet if you are worried is to download the IIS lock down tool, which will analyse and recommend the best practice for your IIS server, then run the Microsoft baseline security analyzer on the server to make sure everything else is OK :)

Pete

IIS Lockdown tool http://www.microsoft.com/technet/security/tools/locktool.mspx
M$ Baseline Analyser http://www.microsoft.com/technet/security/tools/mbsahome.mspx
 
LVL 12

Author Comment

by:Pugglewuggle
ID: 20063689
Here are a few extra notes to help your decision making/suggestions out a bit --

The server is running IIS 6.0 on WS 2003 Web Edition - fully patched - SP2
IIS 6.0 does not support the IIS lockdown tool
The MBSA has been run and the server is locked down as suggested
These hidden shares are located on the root of ALL drives in systems running at least XP
I DO NOT want to delete these shares, just secure them with NTFS permissions
SMB permissions CANNOT be set on these default shares - they are for administrative purposes

When I go to remove the Everyone group, the OS freaks out and tells me "You are about to change the permission settings on the root directory of the startup disk, which can result in unexpected access problems and reduce security. Do you want to continue?"

The message shouts "don't mess with me"... so I'm a bit worried.... Please advise.

Thanks!
 
LVL 2

Expert Comment

by:Vegaskid1973
ID: 20065007
These 'drive' shares C$, D$ etc. are admin shares as previously stated and can only be accessed by members of the local administrators group, which includes domain admins by default. You can't change the permissions on them, only disable the share itself. Note that this could cause problems with applications that use them, plus it makes remote administration harder.

If you have a problem with people being able to access them, then a better procedure would be to remove them from unnecessary security groups - think principle of least privilege.
 
LVL 12

Author Comment

by:Pugglewuggle
ID: 20066940
For the purpose of the web server, a stand alone machine in a DMZ and not a member of a domain, what do you recommend? Should I remove the Everyone from the NTFS permissions on the C: drive or does it matter?
 
LVL 5

Expert Comment

by:Fridolin Mansmann
ID: 20070737
I personally would remove the Everyone group.
See the links provided earlier; there are MS security guides and server hardening documentation of about 30 pages.....
Question has a verified solution.