
List:       focus-ms
Subject:    RE: Any way to remove ADMIN$ only?
From:       "Aaron Milis" <aaronmillis () glacierbancorp ! com>
Date:       2002-11-07 20:04:14

David is right in that Microsoft will tell you to do one thing and SANS
or (insert any security group here) will tell you to do things another
way. The best piece of advice I can give is to do something and stick to
it. The different recommendations or best practices are pretty much just
different ways of accomplishing the same goal, which is securing the
server.

You will find, however, that the different "authorities" agree most of
the time on the basics of setting up security. Anyone will tell you that
NTFS permissions are where you do the real work, and that is why many
security guides state that you can use Everyone=Full Control share
permissions followed immediately by something like, "If you do this you
better be damn sure your ACLs are configured properly."

Personally I use shares sparingly and when I do use them I remove the
Everyone group and assign a specific group or groups with permissions to
the share. This is more administrative work, but it gives me that warm
comfy feeling and helps me sleep at night.

Another way I've seen share permissions set up rather than using the
Everyone=Full Control share is to remove Everyone and add Authenticated
Users=Full Control. Like David said, every administrator has to find his
own way so the real best practices are the ones that keep you hired and
help you sleep at night. :)

Regards,
 
Aaron Millis  -  Software Analyst/Administrator
A+, Network+, Server+, MCP, MCSA, CNA
Glacier Bancorp, Inc.  -  IT Department
2601 Garfield, Missoula, MT   59801
Office: 406-549-1681  -  Cell: 406-360-0912
Fax: 406-549-1689  -  Helpdesk: 877-611-0556
Email: aaronmillis@glacierbancorp.com

-----Original Message-----
From: David Vincent [mailto:david.vincent@mightyoaks.com] 
Sent: Thursday, November 07, 2002 9:51 AM
To: 'Evan Mann'; focus-ms@securityfocus.com
Subject: RE: Any way to remove ADMIN$ only?

zack is talking about microsoft's "best practices".  check out this
URL...

http://www.google.ca/search?q=site%3Amicrosoft.com+best+practices&ie=UTF-8&oe=UTF-8&hl=en&meta=

..for a quick jaunt through google.

speaking as a graduate of microsoft's mcse program and having read more
than my share of their corporate propaganda, let me tell you there was
page after page after page, every section had a bit devoted to "best
practices".

a lot of it was quite good stuff to know (esp. if you were a newbie) like
the wisdom of setting up a DMZ on your network.  but they also had page
after page of best practices for setting up their services (DNS, SMTP,
etc.), often you'll find they want you to do it one way and someone like
the NSA want you to do it another way for security.  eventually the admin
has to decide for themselves what they want and what is the best way to
get there.

that's my $0.02

-d



-----Original Message-----
From: Evan Mann [mailto:emann@questinc.org]
Sent: November 6, 2002 5:09 AM
To: focus-ms@securityfocus.com
Subject: RE: Any way to remove ADMIN$ only?


Could this be elaborated more on the list by others?  I do not recall
any conversations about the practice of which is the "best practice" or
"ideal" method of setting permissions between share level and file level
within the past year and a half or so that I've begun monitoring the
list.  Perhaps it's a good time to bring the subject up?

-----Original Message-----
From: Zack Berkovitz [mailto:zberkovitz@pga-inc.com]
Sent: Tuesday, November 05, 2002 2:27 PM
To: Jim Harrison (SPG); Eric; Palumbo, Dave (Factiva);
focus-ms@securityfocus.com
Subject: RE: Any way to remove ADMIN$ only?


The best practice is in fact to use default (Everyone=Full) share
permissions and to set NTFS security on all drives (with inheritance for
2K and newer systems running NTFS 5 or greater).  Share permissions
should really only be used when absolutely necessary, such as on FAT
volumes where ACE's cannot be applied.  Conflicts between share and NTFS
perms always cause headaches down the road, and NTFS perms secure the
files and directories for locally logged on users as well.

If you are sharing C and D, of which one is the system drive, how will
removing the admin$ share (winnt) make the system any more secure, if
the drive it resides on is shared out?  NTFS permissions seem like a
more comprehensive solution.  The presence of any of the administrative
shares is a security hole, regardless.

- Zack 



-----Original Message-----
From: Jim Harrison (SPG) [mailto:jmharr@microsoft.com] 
Sent: Tuesday, November 05, 2002 9:59 AM
To: Eric; Palumbo, Dave (Factiva); focus-ms@securityfocus.com
Subject: RE: Any way to remove ADMIN$ only?


 The only problem with using "net share" to create shares is that it 
 applies default permissions to those shares it creates. These include 
 "Everyone=Full"; obviously not an ideal scenario, especially given the 
 default security of Windows drives (Everyone=Full). I've written a 
 script that will create shares that only allow those accounts listed 
 in the local server's administrator's group to have access to the 
 share you choose to create.

http://isatools.org/createshare.zip

* Jim Harrison 
MCP(NT4/2K), A+, Network+
Services Platform Division

The burden of proof is not satisfied by a lack of evidence to the
contrary..



-----Original Message-----
From: Eric [mailto:ews@tellurian.net] 
Sent: Monday, November 04, 2002 11:55 AM
To: Palumbo, Dave (Factiva); 'focus-ms@securityfocus.com'
Subject: Re: Any way to remove ADMIN$ only?


write a script that will launch each time upon machine bootup that 
'unshares' that share.

'net share admin$ /delete'

I don't know of any registry setting that will remove only that share
and leave the others.

Understand also that anyone with admin privileges to that machine can 
recreate that share at any time.


At 01:11 PM 11/4/2002 -0500, Palumbo, Dave (Factiva) wrote:
>Hello,
>
>I have a scenario in which I'd like to remove the ADMIN$ share from a
>Windows 2000 server, but keep the other default shares (c$, d$)
>available for an application...is there any documented/undocumented way
>to accomplish this?  If this is documented, please forgive me....but I
>sure can't find it. I am aware of the
>HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer=0
>registry key...but this disables all the default shares (save IPC$).
>Again, I'm just looking to remove ADMIN$.
>
>Any ideas?
>
>Thanks,
>
>Dave Palumbo
>http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x41F746F8
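
The share-versus-NTFS argument running through this thread, as an added example that is not part of any poster's message: a simplified Python model in which network access gets the more restrictive of the share and NTFS permissions, while a local logon sees NTFS only. The users, the "Staff" group and the ACLs are constructed, and the model assumes allow entries only (no Deny ACEs) and a single ranked permission scale.

```python
# Added illustration: simplified model of share vs. NTFS permissions.
# Assumptions: allow entries only (no Deny ACEs), one ranked scale of levels.
NONE, READ, CHANGE, FULL = range(4)
LEVEL_NAMES = ["None", "Read", "Change", "Full"]

def token_groups(user):
    """Groups a constructed user record carries in this model."""
    groups = set(user["groups"]) | {"Everyone"}
    if user["authenticated"]:
        groups.add("Authenticated Users")
    return groups

def granted(acl, user):
    """Highest level that any of the user's groups is allowed by this ACL."""
    groups = token_groups(user)
    return max((lvl for grp, lvl in acl.items() if grp in groups), default=NONE)

def effective(user, ntfs_acl, share_acl=None):
    """share_acl=None means a local logon: only NTFS applies.
    Over the network, the more restrictive of share and NTFS wins."""
    ntfs = granted(ntfs_acl, user)
    if share_acl is None:
        return ntfs
    return min(granted(share_acl, user), ntfs)

# Constructed principals (hypothetical names).
ALICE = {"groups": {"Staff"}, "authenticated": True}
BOB = {"groups": set(), "authenticated": True}
GUEST = {"groups": set(), "authenticated": False}  # in Everyone only

# Share ACLs discussed in the thread.
SHARE_DEFAULT = {"Everyone": FULL}            # what "net share" creates
SHARE_AUTH = {"Authenticated Users": FULL}    # Everyone swapped out
SHARE_GROUP = {"Staff": CHANGE}               # specific group only

# NTFS ACLs: the wide-open default versus a tightened, constructed one.
NTFS_DEFAULT = {"Everyone": FULL}
NTFS_TIGHT = {"Staff": CHANGE, "Administrators": FULL}

if __name__ == "__main__":
    users = {"alice": ALICE, "bob": BOB, "guest": GUEST}
    shares = {"Everyone=Full": SHARE_DEFAULT, "AuthUsers=Full": SHARE_AUTH,
              "Staff=Change": SHARE_GROUP, "(local logon)": None}
    for ntfs_name, ntfs in (("NTFS default", NTFS_DEFAULT), ("NTFS tight", NTFS_TIGHT)):
        for share_name, share in shares.items():
            row = ", ".join(f"{n}={LEVEL_NAMES[effective(u, ntfs, share)]}"
                            for n, u in users.items())
            print(f"{ntfs_name:13} {share_name:15} {row}")
```

Run as a script, it prints one row per combination; the "(local logon)" rows show that a restrictive share ACL does nothing for files left at the wide-open NTFS default.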

