Win7/ntfs file share security breach ? or not existing

[dreuzel]

As I examin shares on win7 (controll panel shares)
ACL's require a full grant on Everyone// it's unclear what read and change mean...
as previous connections are made this resriction seem to be less strickt
what makes the shares ACL tricky to handle and test for security problems!!!!!

but everyone is rather LARGE:


"The Everyone group encompasses":
well everyone. That is, it includes all the built it users and groups that
come with Windows XP/win7 as well as any administrator defined users and groups.
It also includes the service and system accounts that are created and any anonymous
accounts that connect to the computer without providing any login credentials.
Lastly, it includes the Guest account.

as an acl grant is placed on a group of users(NOT individual users,but this is unmanagable) the statement seems ignored !!

Is the definition of an EVERYONE NOT IMPLICITELY SECURITY BREACH....
Relying on the file security restriction is an other matter.
The SHARED security is the first security protection setting it to everyone is killing the purpose



Where can I find more on this, links to more professional security setup please.

 

[clonazepam]

-> Administrative Tools -> Local Security Policy -> Here customize all of your security options. The detailed information for the various settings is pretty well done. I'd say adjust what you understand and google the rest.

Under Local Policies -> Security Options -> Network access: Let Everyone permissions apply to anonymous users - choices are "Enabled or Disabled" obviously select Disabled.

You'll want to go through every setting and read-up so you can customize it all to your needs.

 

[dreuzel]

This is not the issue !!!!!!

As I only can enter everyone full for shares a policy is not going to help ME !!!!!!!!!
if everyone is not anonymous the privilege is authorized user ....
but this privilege does NOT allow people to open a share (chicken and egg problem) NONE (except possibly if already logged in into the system but this can not be done since anonymous poses the initial request)

I'm already talking about the detailed settings !!!!!!
I have to enable the Guest account, since otherwise the sharable will not show
as long as I do not give him full rights the sharable stays closed even when I allow a group of users to access the sharable !( it never gets that far, anonymous is not in the group of coarse so the connection request is refused !)// even anonymous with only read access does NOT allow the sharable to be opened.
but then granting the group additionaly has no more added value since Guest is means the world....

Once it limits itself to a GROUP of users a policy can help to set default values,.... Otherwize ALL SYSTEMS IN THE WORLD ARE VUNERABLE TO VERRY SIMPLE ATTACS (ALL DOORS ARE OPEN WIDE!!!)
(as long as there is one file that is not protected in the directory tree .... all can be cracked
As I googled arround for this issue there is only the old RMTSHARE.exe helping little a bit but it a does not add any intelligence to the matter it does not change the fact that all shares have a need to be WIDE OPEN !!??
individual explaining policies does not change that.

I find no information on security setting of the shares, since homegroup was introduced everyone seems happy to leave the door wide open !

 

[sminlal]

I don't understand why you say you need to add an ACL for "Everyone". That should not be required.

 

[dreuzel]

Even worse EVERYONE: FULL seems to be required not everyone:read (everyone change is as bad as full) (with click and play it's auto added)
I used a GROUP name where all my privileged users are located in ..... but i'm never allowed any access (guest is not part of the group name )..... initial request refused.
Individual users i remember they might work ..... but this is completely unmanageable (specifying all users individual ....)

 

[sminlal]

Try this:

- Right-click on the folder you want to share and select "Properties"
- Click the "Sharing" tab
- Click the "Advanced Sharing..." button
- Click the "Permissions" button
- Add the group or username that you want to allow to access the folder
- Remove the "Everyone" group.

...does that work?

 

[dreuzel]

right , and then all is lost no more connection ,set it back as full(not read) and we have it again
same PW/same username /same ip same workgroup same homegroup......25 cm from each other
(PS your procedure would probably create a new share .... use control panel - manage -shared -properties!!!)
This is not your basic problem....

the question is not having a connection, but all systems force me to break every security rule in the book !!!!!

based on 5 machines in a network , one just fresh installed same reaction for all interconnections .
Group ACL's do not allow any shared connection without everyone :full
(fresh after reboot) since otherwise authorization is done once .... then its a different ball game .....
next reboot you are dead again wondering what the hell happened......
it is not ok to setup a link to server everyone:full first (how would I know/ what is first .....)



PS, would be happier with a command line , security and shares are not warranted while happily clicking aground !!!!

 

[sminlal]

Your writing isn't making a lot of sense to me. Why would it be a bad idea to create a new share? Don't you want to share a particular folder?

Is the client using a username/password that is authorized on the sharing machine? And do the folders themselves (the folders, not the share) permit access to that account or a group it it's a member of?

 

[dreuzel]

(Sideline as one restarts back from folder your more entiteled to creat an other share sharing the same thing multiple times would only add to confusion .... (not important in the context now )

User/password all username passwords are synced by batch process and used on ALL machines
files access to the files is granted by group but for the sake of the exercise a grant to authenticated users is added
to ensure the file's protection is not the problem (implicit security breach but this is a test)

what is a problem is the need to reboot.... since(clear credentials) all gets confused by first opening another share by that user
then the state of the share switches virtually to authenticated user instead of everyone (first refused/then allowed(once logged in guest plays less in the game) UGLY to reproduce

Basical settings and tests:

share files: authenticated user : full except special permissions (just for tests to avoid file protection issues)
group full permissions
system full permissions (came from inheritance)
admin(local) full permissions (test side effect but can not harm,user has admin privileged as well)
users r/e/list (came from inheritance)
no deny

Test user is member of group group defined on both sides (all machines)
behavior identical on all machines

Share permissions basic setting (common for all tests):
group full permission
no deny



Share permission tests:
everyone: full all works
everyone : change can write
everyone : read no write access
everyone : none (gets deleted ) windows can not access
annonymous login read no access
change no access
full no access

Conclusion: everyone:full is essential but is heavy security breach really everyone can get at badly protected files
(file system protection!!!!!!!!=assumed out of control due to possible future errors anyhow is not reliable this way !!!)


PS: takes a long time (multiple seconds to translate SID in group name
during this time no permissions shown (controll pannel server)
CPU i7 12 Gig 10 terrabyte win7 sp1 ultimate (both machines) fresh generated
gigabit ethernet link