[THIN] Re: [OT] NTFS Share/File Security

  • From: "W. Andy Roche" <andy.roche@xxxxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Thu, 19 Jan 2006 08:05:53 -0600

Nick, I don't think that what you said about the share being "not visible"
is correct.  The share$ can still be enumerated, but not connected to by any
user even though they don't have the rights to connect to it.  Denying a
user permission to a share is only restricting their ability to connect to,
and use, that share.  The upside of that is that the user cannot connect and
enumerate the directories in the shared area.

We have found a happy medium in that we don't make shares open to
"everyone", but only domain users, or a specific group.  This keeps the
auditors from busting our chops about the ability to enumerate directory
names.  We then provide the full restrictions at the NTFS level.

Andy Roche


-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Nick Smith
Sent: Thursday, January 19, 2006 2:30 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: [OT] NTFS Share/File Security

If you deny permissions on a share$, then it is not *visible* to the denied
user, while this effect does not occur with NTFS permissions.

I've known people who specifically want to hide the existence of a
particular share and this would be the way to do it. In general security
terms, it means a hacker cannot exploit something they can't see.

Nick


-----Original Message-----
From: Arthur Reyes [mailto:ARTADMIN@xxxxxxxxxxxxx]
Sent: 18 January 2006 23:59
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: [OT] NTFS Share/File Security

I'd also add that these are file servers only.  They are not terminal
servers, where someone other than a "Domain Admin" would be able to TS into
the server.


--- Original Message ---
From: "Arthur Reyes" <ARTADMIN@xxxxxxxxxxxxx>
To: thin@xxxxxxxxxxxxx
Subject: [THIN] [OT] NTFS Share/File Security

>I have a client that is in the process of adopting best practices for 
>file sharing on their MS 2003 File Servers.  They have been informed 
>that ACLs need to be set both on the Share and on the Folder itself, 
>i.e.
>
>Share$ = ShareUsers:Full
>D:\Share = ShareUsers:Full
>
>For the life of me, I can't understand why anyone would do this.
>I've reviewed groups and share permissions, and I see no scenario 
>where the more liberal share permission vs. the more restrictive NTFS 
>permission would somehow grant a group of users more or less access 
>than is intended.  Nor do I know of a vulnerability or exploit where 
>one type of permission can be hacked while preserving the other kind of 
>permission.  All I do see is a convoluted security practice and 
>administrative overhead, with no net gain.
>
>Age and experience have taught me that I can't possibly know everything, 
>so I present to you, the illustrious masters, this question.  Can anyone 
>think of a reason
>(exploit/vulnerability/whatever) why you would set Share permissions 
>and NTFS permissions when using one or the other would not result in 
>more or less permissions than intended?
>
>I'm baffled.
>
>************************************************
>For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation 
>mode use the below link:
>//www.freelists.org/list/thin
>************************************************






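The rule the whole thread turns on is simple to state but easy to misjudge by hand: for a remote SMB client, effective access is the more restrictive of the share permission and the NTFS permission, an explicit Deny overrides any Allow, and the share ACL is never consulted when the folder is reached by a local or Terminal Services logon. The model below is an added example, not code from any poster; the trustee names (alice, bob, guest, ShareUsers), group memberships and ACLs are constructed for illustration, and a matching Deny ACE is simplified to "denies everything", which is how a Deny on a share behaves in practice.

```python
"""Model of how Windows combines share and NTFS permissions.

Added example, not from the thread. It reproduces the documented rule:
remote effective access = min(share permission, NTFS permission), an
explicit Deny beats any Allow, and local/TS access skips the share ACL.
All names, groups and ACLs below are constructed for illustration.
"""
from dataclasses import dataclass

# Share permission levels (and the NTFS levels they line up with),
# ordered from least to most access.
LEVELS = {"None": 0, "Read": 1, "Change": 2, "Full": 3}
NAMES = {v: k for k, v in LEVELS.items()}


@dataclass(frozen=True)
class Ace:
    trustee: str        # user or group name (stands in for a SID)
    level: str          # "Read", "Change" or "Full"
    deny: bool = False  # explicit Deny ACE


def principals_for(user, groups):
    """Token of an authenticated domain user: own name, group names, and
    the well-known groups every authenticated user is a member of."""
    return {user, *groups, "Everyone", "Authenticated Users"}


def access_from_acl(acl, principals):
    """Evaluate one ACL (share or NTFS) for a token as an access level.
    Simplification: any matching Deny ACE denies all access; otherwise the
    highest matching Allow wins. No match at all means no access."""
    granted = 0
    for ace in acl:
        if ace.trustee not in principals:
            continue
        if ace.deny:
            return 0
        granted = max(granted, LEVELS[ace.level])
    return granted


def effective_access(share_acl, ntfs_acl, principals, via_share=True):
    """Effective access level name for a token.

    A remote SMB client must pass both checks, so the result is the
    minimum of the two. A local or Terminal Services logon opens the folder
    directly and the share ACL never applies, which is why it matters that
    the servers in the thread are file servers only, not terminal servers.
    """
    ntfs = access_from_acl(ntfs_acl, principals)
    if not via_share:
        return NAMES[ntfs]
    return NAMES[min(access_from_acl(share_acl, principals), ntfs)]


# Constructed ACLs (hypothetical names)
NTFS_RESTRICTED = [Ace("ShareUsers", "Change"), Ace("Domain Admins", "Full")]
NTFS_LOOSE = [Ace("Everyone", "Read")]
SHARE_EVERYONE_FULL = [Ace("Everyone", "Full")]
SHARE_DOMAIN_USERS_FULL = [Ace("Domain Users", "Full")]      # Andy's approach
SHARE_DENY_BOB = [Ace("Everyone", "Full"), Ace("bob", "Full", deny=True)]

ALICE = principals_for("alice", ["Domain Users", "ShareUsers"])
BOB = principals_for("bob", ["Domain Users", "ShareUsers"])
GUEST = {"guest", "Everyone"}  # not an authenticated domain account


if __name__ == "__main__":
    cases = [
        ("Everyone:Full share, restrictive NTFS, alice",
         SHARE_EVERYONE_FULL, NTFS_RESTRICTED, ALICE, True),
        ("Domain Users:Full share, restrictive NTFS, alice",
         SHARE_DOMAIN_USERS_FULL, NTFS_RESTRICTED, ALICE, True),
        ("Everyone:Full share, loose NTFS, guest",
         SHARE_EVERYONE_FULL, NTFS_LOOSE, GUEST, True),
        ("Domain Users:Full share, loose NTFS, guest",
         SHARE_DOMAIN_USERS_FULL, NTFS_LOOSE, GUEST, True),
        ("Share denies bob, NTFS grants Change, via SMB",
         SHARE_DENY_BOB, NTFS_RESTRICTED, BOB, True),
        ("Share denies bob, NTFS grants Change, local/TS logon",
         SHARE_DENY_BOB, NTFS_RESTRICTED, BOB, False),
    ]
    for label, share, ntfs, who, remote in cases:
        print(f"{label}: {effective_access(share, ntfs, who, remote)}")
```

The two guest cases are Andy's point in miniature: with NTFS left loose, a share limited to Domain Users is the only thing keeping a non-domain account out, while for domain members the outcome is identical whether the share says Everyone or Domain Users. The last two cases show the limit of Nick's share-level Deny: it blocks bob over SMB, but anyone who can log on to the box locally reaches D:\Share with whatever NTFS grants.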
