RE: Any way to remove ADMIN$ only?
From: David Vincent (david.vincent@mightyoaks.com)Date: 11/07/02
- Previous message: Evan Mann: "RE: Any way to remove ADMIN$ only?"
- Maybe in reply to: Palumbo, Dave (Factiva): "Any way to remove ADMIN$ only?"
- Next in thread: Aaron Milis: "RE: Any way to remove ADMIN$ only?"
- Next in thread: Deus, Attonbitus: "RE: Any way to remove ADMIN$ only?"
- Reply: Aaron Milis: "RE: Any way to remove ADMIN$ only?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: David Vincent <david.vincent@mightyoaks.com> To: 'Evan Mann' <emann@questinc.org>, focus-ms@securityfocus.com Date: Thu, 7 Nov 2002 08:51:25 -0800
zack is talking about microsoft's "best practices". check out this URL...
http://www.google.ca/search?q=site%3Amicrosoft.com+best+practices&ie=UTF-8&o
e=UTF-8&hl=en&meta=
..for a quick jaunt through google.
speaking as a graduate of microsoft's mcse program and having read more than
my share of their corproate propaganda, let me tell you there was page after
page after page, every section had a bit devoted to "best practices".
a lot of it was quit good stuff to know (esp. if you were a newbie) like the
wisdom of setting up a DMZ on your network. but they also had page after
page of best practices for setting up their services (DNS, SMTP, etc.),
often you'll find they want you to do it one way and someone like the NSA
want you do to it another way for security. eventually the admin has to
decide for themselves what they want and what is the best way to get there.
that's my $0.02
-d
-----Original Message-----
From: Evan Mann [mailto:emann@questinc.org]
Sent: November 6, 2002 5:09 AM
To: focus-ms@securityfocus.com
Subject: RE: Any way to remove ADMIN$ only?
Could this be elaborated more on the list by others? I do not recall any
conversations about the practice of which is the "best practice" or "ideal"
method of setting permissions between share level and file level within the
past year and a half or so that I've begun monitoring the list. Perhaps its
a good time to bring the subject up?
-----Original Message-----
From: Zack Berkovitz [mailto:zberkovitz@pga-inc.com]
Sent: Tuesday, November 05, 2002 2:27 PM
To: Jim Harrison (SPG); Eric; Palumbo, Dave (Factiva);
focus-ms@securityfocus.com
Subject: RE: Any way to remove ADMIN$ only?
The best practice is in fact to use default (Everyone=Full) share
permissions and to set NTFS security on all drives (with inheritance for
2K and newer systems running NTFS 5 or greater). Share permissions
should really only be used when absolutely necessary, such as on FAT
volumes where ACE's cannot be applied. Conflicts between share and NTFS
perms always cause headaches down the road, and NTFS perms secure the
files and directories for locally logged on users as well.
If you are sharing C and D, of which one is the system drive, how will
removing the admin$ share (winnt) make the system any more secure, if
the drive it resides on is shared out? NTFS permissions seem like a
more comprehensive solution. The presence of any of the administrative
shares is a security hole, regardless.
- Zack
-----Original Message-----
From: Jim Harrison (SPG) [mailto:jmharr@microsoft.com]
Sent: Tuesday, November 05, 2002 9:59 AM
To: Eric; Palumbo, Dave (Factiva); focus-ms@securityfocus.com
Subject: RE: Any way to remove ADMIN$ only?
The only problem with using "net share" to create shares is that it
applies default permissions to those shares it creates. These include
"Everyone=Full"; obviously not an ideal scenario, especially given the
default security of Windows drives (Everyone=Full). I've written a
script that will create shares that only allow those accounts listed
in the local server's administrator's group to have access to the
share you choose to create.
http://isatools.org/createshare.zip
* Jim Harrison
MCP(NT4/2K), A+, Network+
Services Platform Division
The burden of proof is not satisfied by a lack of evidence to the
contrary..
-----Original Message-----
From: Eric [mailto:ews@tellurian.net]
Sent: Monday, November 04, 2002 11:55 AM
To: Palumbo, Dave (Factiva); 'focus-ms@securityfocus.com'
Subject: Re: Any way to remove ADMIN$ only?
write a script that will launch each time upon machine bootup that
'unshares' that share.
'net share admin$ /delete'
I don't know of any registry setting that will remove only that share
and
leave the others.
Understand also that anyone with admin privileges to that machine can
recreate that share at any time.
At 01:11 PM 11/4/2002 -0500, Palumbo, Dave (Factiva) wrote:
>Hello,
>
>I have a scenario in which I'd like to remove the ADMIN$ share from a
>Windows 2000 server, but keep the other default shares (c$, d$)
>available for an application...is there any documented/undocumented way
>to accomplish this? If this is documented, please forgive me....but I
>sure can't find it. I am aware of the
>HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShar
>eServ
>er=0 registry key...but this disables all the default shares (save
IPC$).
>Again, I'm just looking to remove ADMIN$.
>
>Any ideas?
>
>Thanks,
>
>Dave Palumbo
>http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x41F746F8
- Previous message: Evan Mann: "RE: Any way to remove ADMIN$ only?"
- Maybe in reply to: Palumbo, Dave (Factiva): "Any way to remove ADMIN$ only?"
- Next in thread: Aaron Milis: "RE: Any way to remove ADMIN$ only?"
- Next in thread: Deus, Attonbitus: "RE: Any way to remove ADMIN$ only?"
- Reply: Aaron Milis: "RE: Any way to remove ADMIN$ only?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
