RE: Any way to remove ADMIN$ only?

From: Chris Alliey (calliey@bellatlantic.net)
Date: 11/07/02 

From: "Chris Alliey" <calliey@bellatlantic.net>
To: "Evan Mann" <emann@questinc.org>, <focus-ms@securityfocus.com>
Date: Thu, 7 Nov 2002 12:35:27 -0500

I'll take the first crack at this ....

From an NT/2000 point of view, Zack is right.
Mixing the share permissions and the NTFS permissions generally cause
problems for Administrators down the road. This is especially true in a
large environment. Personally, I find it a better practice to have less
share points, which means more groups/people access the same shares. An
example of this would be group data - would you prefer 100 different shares
(1 per group), or 1 share (with 100 group folders under it) and locking down
the NTFS permissions? From a system point of view - the more shares, the
more resources are used. NTFS rights are checked when you attempt to use
the resource.

If you don't restrict access by NTFS, and rely on share level security - you
are asking for trouble. The first thought that comes to mind is you have a
share set (D:\dept_folders\Private\Finance) for the finance people to use.
Along comes another admin that creates a share at a higher level in the
directory tree (D:\Dept_Folders). That other administrator failed to set
the share permissions (default everyone). Now if you didn't use NTFS -
EVERYONE would have access to the Private\Finance data.
In the same scenario - if you blocked all inheritance at the PRIVATE
directory, nobody will have access - unless specifically given. Only the
Finance people would have access in the Finance folder, because everyone
else is blocked - and only their group is given access to it. This would be
true at whatever level you created the SHARE.

The bottom line is share access is good for down level (95/98/ME) clients
sharing things, but they don't have access control over their file systems.
NTFS is much more secure then share level security.

Another thought to consider, is when an administrator is confused about
security - they tend to make mistakes.
The KISS method should be used. Without the NTFS permissions - your not
doing anything. Share level security can be mistakenly given at another
level in the directory tree - that gives more access then you actually
thought the user had.

A couple rules I think we should all live by:
        1. Never anything off your SYSTEM partition (I also recommend removing all
admin shares: C$, admin$)
        2. Right after formatting a partition - the first thing you should do is
remove the EVERYONE from the root.

The bottom line is NTFS permissions are much more granular the Share
permissions - and harder to screw up.
NTFS is also the final check before allowing you access to a resource.
Share permissions should be used only on FAT systems (don't tell me we still
use those - do we?).

just my 0.02¢

Chris

-----Original Message-----
From: Evan Mann [mailto:emann@questinc.org]
Sent: Wednesday, November 06, 2002 8:09 AM
To: focus-ms@securityfocus.com
Subject: RE: Any way to remove ADMIN$ only?

Could this be elaborated more on the list by others? I do not recall any
conversations about the practice of which is the "best practice" or "ideal"
method of setting permissions between share level and file level within the
past year and a half or so that I've begun monitoring the list. Perhaps its
a good time to bring the subject up?

-----Original Message-----
From: Zack Berkovitz [mailto:zberkovitz@pga-inc.com]
Sent: Tuesday, November 05, 2002 2:27 PM
To: Jim Harrison (SPG); Eric; Palumbo, Dave (Factiva);
focus-ms@securityfocus.com
Subject: RE: Any way to remove ADMIN$ only?

The best practice is in fact to use default (Everyone=Full) share
permissions and to set NTFS security on all drives (with inheritance for
2K and newer systems running NTFS 5 or greater). Share permissions
should really only be used when absolutely necessary, such as on FAT
volumes where ACE's cannot be applied. Conflicts between share and NTFS
perms always cause headaches down the road, and NTFS perms secure the
files and directories for locally logged on users as well.

If you are sharing C and D, of which one is the system drive, how will
removing the admin$ share (winnt) make the system any more secure, if
the drive it resides on is shared out? NTFS permissions seem like a
more comprehensive solution. The presence of any of the administrative
shares is a security hole, regardless.

- Zack

-----Original Message-----
From: Jim Harrison (SPG) [mailto:jmharr@microsoft.com]
Sent: Tuesday, November 05, 2002 9:59 AM
To: Eric; Palumbo, Dave (Factiva); focus-ms@securityfocus.com
Subject: RE: Any way to remove ADMIN$ only?

 The only problem with using "net share" to create shares is that it
 applies default permissions to those shares it creates. These include
 "Everyone=Full"; obviously not an ideal scenario, especially given the
 default security of Windows drives (Everyone=Full). I've written a
 script that will create shares that only allow those accounts listed
 in the local server's administrator's group to have access to the
 share you choose to create.

http://isatools.org/createshare.zip

* Jim Harrison
MCP(NT4/2K), A+, Network+
Services Platform Division

The burden of proof is not satisfied by a lack of evidence to the
contrary..

-----Original Message-----
From: Eric [mailto:ews@tellurian.net]
Sent: Monday, November 04, 2002 11:55 AM
To: Palumbo, Dave (Factiva); 'focus-ms@securityfocus.com'
Subject: Re: Any way to remove ADMIN$ only?

write a script that will launch each time upon machine bootup that
'unshares' that share.

'net share admin$ /delete'

I don't know of any registry setting that will remove only that share
and
leave the others.

Understand also that anyone with admin privileges to that machine can
recreate that share at any time.

At 01:11 PM 11/4/2002 -0500, Palumbo, Dave (Factiva) wrote:
>Hello,
>
>I have a scenario in which I'd like to remove the ADMIN$ share from a
>Windows 2000 server, but keep the other default shares (c$, d$)
>available for an application...is there any documented/undocumented way

>to accomplish this? If this is documented, please forgive me....but I
>sure can't find it. I am aware of the
>HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShar
>eServ
>er=0 registry key...but this disables all the default shares (save
IPC$).
>Again, I'm just looking to remove ADMIN$.
>
>Any ideas?
>
>Thanks,
>
>Dave Palumbo
>http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x41F746F8

Relevant Pages

  • RE: Any way to remove ADMIN$ only?
    ... 2K and newer systems running NTFS 5 or greater). ... Share permissions ... Any way to remove ADMIN$ only? ... default security of Windows drives. ...
    (Focus-Microsoft)
  • Re: MS Knowledgebase Article 298345-Cant delete file...
    ... Logging in as admin is not that important with NTFS. ... What is important is the the NTFS permissions have ... no grant to Administrators and the owner is also not ...
    (microsoft.public.windowsxp.security_admin)
  • Re: FTP control
    ... > I would like to use NTFS security settings to control who ... I would suggest getting a third party FTP server, ... if you set quota and these permissions for that group you can ... Information Server (IIS) Web site, ...
    (microsoft.public.win2000.security)
  • RE: Any way to remove ADMIN$ only?
    ... every section had a bit devoted to "best practices". ... Any way to remove ADMIN$ only? ... 2K and newer systems running NTFS 5 or greater). ... applies default permissions to those shares it creates. ...
    (Focus-Microsoft)
  • Re: W2k and Front Page Security
    ... >> up now using subweb and setting permissions throgh ... >> with NTFS permissions contolling folders.When I set ... >FrontPage managed content areas you do really need to ... >authorship of every groupX subweb in addition ...
    (microsoft.public.win2000.security)