Re: Share Permissions

From: Roger A. Grimes (rogerg_at_cox.net)
Date: 06/09/03

    To: <ben@lanwest.com.au>, "'Security-Basics'" <security-basics@securityfocus.com>
    Date: Mon, 9 Jun 2003 15:50:30 -0400
    
    

    I don't know of a specific exploit against the scenario you propose, and
    what you propose below is a very, very common way to configure a Windows
    box.

    But in theory, it exposes more information than it needs to...and to that
    end, if you are concerned about security, you should not do it. There is a
    large school of thought that says you should make learning information about
    your system as hard as possible. The more information you give away, the
    easier it is for said hacker to gather intelligence and then use it to
    attack your system.

    At the very least, consider changing EVERYONE on shares to AUTHENTICATED
    USERS. That way you get rid of anonymous accounts, etc.

    Also, this goes against the security-in-depth principle. If you get in a
    habit of setting security on both the shares and the folders/files, if you
    miss one the other might catch it. If you always have Everyone on the
    share, and you accidentally forget to remove Everyone from the drive
    permissions, then it's an open hole; and vice versa. Although this doesn't
    seem like it would catch much, people often incorrectly change inherited
    rights, causing unintended permissive permissions.

    But since there are no specific exploits that would be avoided (that I know
    of) if you correctly handled file permissions 100% of the time, it's
    basically a risk/speed trade off.

    Just my one-half cent.

    Roger

    ********************************************************************************
    *Roger A. Grimes, Computer Security Consultant
    *CPA, MCSE (NT/2000), CNE (3/4), A+
    *email: rogerg@cox.net
    *cell: 757-615-3355
    *Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
    *http://www.oreilly.com/catalog/malmobcode
    ********************************************************************************

    ----- Original Message -----
    From: "Benjamin Meade" <ben@lanwest.com.au>
    To: "'Security-Basics'" <security-basics@securityfocus.com>
    Sent: Monday, June 09, 2003 3:09 AM
    Subject: Share Permissions

    >
    > Hey all,
    >
    > Just wondering in Win2K server, when I share a folder, I set the share
    > permissions to full access for everybody, and then control access using
    > the file permissions. (Basically cos it cuts down on administration, and
    > I'm lazy.) Are there any security issues running this way, or is it much
    > of a muchness?
    >
    > Thanks,
    >
    > Benjamin Meade
    > System Administrator
    > LanWest Pty Ltd
    > Ph: (08) 9440 3033
    > Fax: (08) 9440 3370
    >
    >
    >
    > ---------------------------------------------------------------------------
    > Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
    > The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    > while InStat has confirmed Neoteris as the leader in marketshare.
    >
    > Find out why, and see how you can get plug-n-play secure remote access in
    > about an hour, with no client, server changes, or ongoing maintenance.
    >
    > Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    > --------------------------------------------------------------------------

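The two-layer configuration Roger describes (restrict the share to Authenticated Users, then set explicit NTFS permissions underneath, and check both so a slip in one layer does not go unnoticed), written out as an added PowerShell example. This is not code from the thread: the original question concerns Windows 2000, where the same steps were done with net share and cacls; this version assumes Windows Server 2012 or later with the SmbShare module, and the share name, path and the group CORP\Projects-RW are made up for illustration.

```powershell
# Added example, not from the original thread. Assumes Windows Server 2012+
# (SmbShare module). Share name, path and group name are hypothetical.
$Path  = 'D:\Projects'
$Share = 'Projects'
$Group = 'CORP\Projects-RW'   # hypothetical AD group that should be able to write

if (-not (Test-Path -Path $Path)) {
    New-Item -ItemType Directory -Path $Path | Out-Null
}

# Layer 1: the share ACL. Authenticated Users rather than Everyone, and Change
# rather than Full Control, so the share layer alone never hands out the right
# to take ownership or rewrite permissions even if the NTFS layer is botched.
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Path `
        -FullAccess   'BUILTIN\Administrators' `
        -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
}
# Strip any Everyone entry left over from an "Everyone / Full Control" share.
Revoke-SmbShareAccess -Name $Share -AccountName 'Everyone' -Force `
    -ErrorAction SilentlyContinue | Out-Null

# Layer 2: NTFS. Break inheritance (discarding inherited ACEs, which is where
# the "incorrectly changed inherited rights" problem usually comes from), then
# grant each principal explicitly.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($entry in @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @($Group,                   'Modify'))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry[0], $entry[1], $inherit, $prop, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Audit: report any share entry or NTFS ACE that still grants Everyone, so a
# mistake in one layer is surfaced instead of being silently masked by the other.
Write-Host "Share entries granting Everyone on \\$env:COMPUTERNAME\$Share:"
Get-SmbShareAccess -Name $Share | Where-Object { $_.AccountName -eq 'Everyone' }
Write-Host "NTFS ACEs granting Everyone on $Path:"
(Get-Acl -Path $Path).Access | Where-Object { $_.IdentityReference -eq 'Everyone' }
```

Run the audit part on its own across all shares (Get-SmbShare piped into Get-SmbShareAccess) to find the "Everyone / Full Control" shares that were created for convenience; an empty result from both checks is the state the defense-in-depth argument above is aiming for.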
    

