Professional Windows Server 1002003 Security A Technical Reference [Electronic resources]

Roberta Bragg







Controlling Access to Shares


Shares are connection points that provide access to data stored on Windows computers. Shares can be created at the root of a drive or on any folder or subfolder on the drive. Once a connection is established to the share, access may be provided to the contents of the drive that exist within the underlying folders, files, and subfolders. The ability to connect to the share is managed by access controls set on the share; access to data is managed by permissions set on folders and files in combination with the share permissions. While shares are created to provide authorized access, they must be protected to prevent unauthorized access and to manage authorized access.

The default permission, Everyone Read, as shown in Figure 5-19 and described in Table 5-3, may not be appropriate. It may be necessary to lock it down further by applying specific permissions to the share for unique Windows groups, or it may be necessary to modify the Everyone permission.

Figure 5-19. Default share permissions may not be correct for all situations.

Table 5-3. Share Permissions

| Permission | Description |
|---|---|
| Full Control | All access is granted or denied. |
| Change | Grants or denies the ability to read, write, and delete files; list folders and files. |
| Read | Only grants or denies read and list permissions. |

Manage access control of shares according to the following:

Shares should not be set at the root of drives or volumes.

Permissions should be set on shares to prevent unauthorized access and manage authorized access to the computer.

Permissions should be set on the underlying shared folder or drive to prevent unauthorized access and manage authorized access to the data.


NOTE: Historical Hysteria

Prior to Windows NT, access to Windows shares was limited by placing a password on the share. Knowledge of the password was the only barrier to connecting to the computer and accessing data. The FAT file systems used on these early Windows computers could not be permissioned; therefore the simple connection to the share provided carte blanche access to all of the data. Many of these early systems are still in use, and many of them have open shares. Open shares are shares with no passwords at all. All NT-based systems, when the NTFS file system is properly used, can provide solid security for files and folders and the ability to use this same user-based approach to shares.

Develop a strategy for share management of Windows Server 2003 networks by considering the available share permissions, the File and Printer sharing mode, default shares, simple file sharing for Windows XP, and the impact of combining share and folder permissions.

Share Permissions

File and Printer Sharing Mode


The default installation of Windows Server 2003 automatically enables File and Printer Sharing. Unless the server will be a domain controller, print server, or file server, this capability should either be disabled immediately after installation, or where possible, a custom installation script should ensure that File and Printer Sharing is not enabled during installation.

To disable File and Printer Sharing after installation:


1. Open the Control Panel and double-click Network Connections.

2. Click the Properties button.

3. Click to deselect the File and Printer Sharing for Microsoft Networks check box, as shown in Figure 5-20.

Figure 5-20. Disable File and Printer Sharing.

4. Click OK.


Default Shares


Default shares are created during the installation of Windows Server 2003 systems and may also be created when server applications are installed. If File and Printer sharing is left enabled, access to the server via these shares is enabled by default. Access to these shares may be restricted to members of the local Administrators group, and the shares are not browsable; that is, they cannot be viewed when using Windows network browsing tools. Nevertheless, the share names are well known. Access to these shares should be curtailed by disabling the shares unless there is a reason for their existence on the specific computer. Determine the need for each share based on the security policy, risk picture, and access needs for computer roles. Weigh the risk of the shares' presence against their benefit; for example, many default shares are used for many remote administration tasks, are required on domain controllers, and are necessary when scanning for patching requirements with tools such as Microsoft Baseline Security Analyzer. The shares on the computer can be viewed by opening the Computer Management console, expanding the Shared Folders container, and then selecting Shares, as shown in Figure 5-21. Table 5-4 lists and describes the default shares.

Figure 5-21. Default shares can be viewed in the Computer Management, Shared Folders, Shares container.


Table 5-4. Default Windows Server 2003 Shares

| Share Name | Location | Description | When to Enable/Disable |
|---|---|---|---|
| ADMIN$ | | The system folder. Used during remote administration of the computer. | Disable if using other methods for remote administration or if remote administration is not required. |
| IPC$ | | Interprocess Communication. Supports Remote Procedure Call (RPC) connections between Windows computers. The Named pipes necessary for many communications between programs are shared here. This share cannot be disabled. | Cannot be disabled. Is required for normal communications. |
| Sysvol | Windows\Sysvol\Sysvol | This share should only be present on domain controllers. This share is required for Active Directory to function, for logon, and for the distribution of Group Policies and logon scripts. | Should not be present on non-domain controllers. Must be present on domain controllers. |
| Netlogon | windows\sysvol\Sysvol\scripts | This share is the authentication share and is the classic systems policies and downlevel logon scripts location. | Do not disable. |
| Print$ | windows\system32\spool\drivers | Drivers for each printer installed on the server can be downloaded from this share. | Do not disable on print servers. |
| FxsSrvCp$ | Documents and Settings\All Users\Application Data\Microsoft Windows NT\MsFax\Common Coverpages | Enabled when the fax service is installed and is the location of fax cover pages. | |
| RemInstall | | If the Remote Installation Service (RIS) is installed on the server, this share gives PXE (Preboot Execution Environment) clients access to installation files. | Remove if the server will not be used as an RIS server. |
| Driveletter$ (C$, D$, etc) | | Each local root partition and volume is shared but hidden from view and only accessible to members of the local Administrators group. | Disable. |
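The review that Table 5-4 calls for can be run against a saved share listing. The following is an added example, not code from the book: it parses the text printed by net share (run with no arguments) and flags default shares whose justifying role is absent, plus any share placed at the root of a drive. The sample listing is constructed, and the role labels (remote_admin, domain_controller, print_server, ris_server) are hypothetical names chosen for this example.

```python
import re

# Constructed `net share` output for illustration (not from the book).
SAMPLE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
print$       C:\WINDOWS\system32\spool\drivers
                                             Printer Drivers
data         D:\                             Dept files
test         F:\test
The command completed successfully.
"""

# Default share -> hypothetical role label that justifies it (per Table 5-4).
NEEDED_BY = {"ADMIN$": "remote_admin", "SYSVOL": "domain_controller",
             "PRINT$": "print_server", "REMINSTALL": "ris_server"}
PATH = re.compile(r"[A-Za-z]:\\")

def parse_net_share(text):
    """Return [(share_name, path)] from `net share` listing text."""
    shares, in_table = [], False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True
        elif in_table and line.strip() and not line.startswith("The command"):
            fields = re.split(r"\s{2,}", line.strip())
            if line[0].isspace():        # wrapped remainder of the previous row
                if shares and not shares[-1][1] and PATH.match(fields[0]):
                    shares[-1] = (shares[-1][0], fields[0])
            else:
                path = fields[1] if len(fields) > 1 and PATH.match(fields[1]) else ""
                shares.append((fields[0], path))
    return shares

def audit(shares, roles):
    """Flag shares that Table 5-4 or the root-of-drive rule says to remove."""
    findings = []
    for name, path in shares:
        key = name.upper()
        if re.fullmatch(r"[A-Z]\$", key):
            findings.append((name, "hidden drive share: disable"))
        elif key in NEEDED_BY and NEEDED_BY[key] not in roles:
            findings.append((name, "only needed for role " + NEEDED_BY[key]))
        elif re.fullmatch(r"[A-Za-z]:\\?", path):
            findings.append((name, "shared at the root of a drive"))
    return findings

if __name__ == "__main__":
    for name, why in audit(parse_net_share(SAMPLE), {"print_server"}):
        print(f"{name:8} {why}")
```

IPC$ and Netlogon are never flagged because the table says they cannot or should not be disabled; FxsSrvCp$ is left alone because the table gives no recommendation for it.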

Simple File and Printer Sharing: A New Model for Windows XP


This book is about securing Windows Server 2003. However, Windows Server 2003 security may be impacted by the security status of clients on its network. Therefore, to manage security, the security policies of Windows XP clients must also be considered. The file sharing models available for XP Professional may surprise uninformed administrators. Standalone XP desktops do not have network sharing enabled by default; instead, they use the Simple File Sharing model. It is the only option on Windows XP Home, but it may be modified on Windows XP Professional standalone systems. If the Windows XP Professional computer is joined to a domain, the model is changed to network shares.

To determine or modify file sharing on Windows XP Professional, open the Windows Explorer, Tools, Folder Options, View tab to display the Simple File Sharing check box. Alternatively, examine the registry value ForceGuest at


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

When ForceGuest is set to 1 (the Simple File Sharing check box is checked), Simple File Sharing is used, and when it is set to 0 (the box is unchecked), the normal Windows NT model is used. When Simple File Sharing is set the following applies:

All access to the file share is through the Guest account. Every user who connects will only receive the permissions granted to the Guest account. Because the Guest account is disabled by default, there should be no accidental access to a shared folder.

The MyDocuments folder can be made completely private if NTFS is the file system. A "private" setting means NTFS permissions for each user's MyDocuments folder are set to the user and SYSTEM Full Control. Another alternative is Private with access by local Administrators, which adds the local Administrators group. The All Users Documents folder is shared, giving all users access.

Shares can be made available on the network by using the Sharing tab in folder properties and selecting Share this folder on the network. Checking or unchecking the Allow users to change my files option manages access to the share. If the setting is checked, permissions are set to Everyone Change, and if unchecked, permissions are set to Everyone Read.


Creating Shares


When a share is needed, it must be created using appropriate permissions. Both share permissions and underlying folder permissions should be carefully determined and applied. Share permissions are set to manage access to the computers. However, previous versions of Windows NT-based systems set the default share permission to Everyone Full Control, and this is the way most administrators left it. In doing so, they missed a valuable ally in controlling access. Windows Server 2003 shares are created with the default access permission Everyone Read to prevent accidental privileged access to the computer. A default access permission of Everyone Read can have the following impact:

Prevent accidental full access to data on the networked server. While access can be curtailed by setting permissions on underlying folders and files, if these permissions are not set correctly, unexpected access might be available.

Require administrators to think through the permission sets on shared folders. In the past, many administrators left the Full Control permission in place and controlled access to folders via NTFS permissions.

Create unnecessary troubleshooting efforts as administrators unfamiliar with the new permission settings attempt to determine why authorized users cannot manipulate data.


While many administrators will change the setting back to Everyone Full Control and only manage access via the underlying folder permissions, this is not a good practice. They do so to avoid the confusion that is sometimes caused by attempting to understand how share and folder permissions combine to restrict access to data. However, they miss an important tool for defense: if an intruder cannot gain access to the computer, the intruder cannot directly attack specific files and other resources. If there is no barrier to his access, the intruder's job is easier.

To create a share, follow these steps:


1. Right-click the folder in Windows Explorer and select Sharing and Security or Properties, as shown in Figure 5-22.

Figure 5-22. The Sharing property page is configured to create a share.

2. If necessary, select the Sharing tab.

3. Click the Share this folder radio button. This shares the folder with the share name equivalent of the folder name and the default permissions of Everyone Read.

4. Click the Permissions button to set the correct share permissions for the share.

5. Click to change the share name. A share name cannot be longer than 255 characters.

6. Click the radio button Allow this number of users and set the number in the adjacent text box to limit the number of simultaneous users who can connect to this share.

7. Click OK.


Alternative methods for creating shares are as follows:

A share can be created on a remote computer using the Computer Management console's Shared Folders, Shares container.

Shares can also be created at the command line.


The net share command is used to create shares at the command line. For example, to grant Everyone Read on a new share named "test," use the following command line:


net share test=F:\test /grant:Everyone,READ

Impact of Combining Share and Folder/File Permissions

The combination of share and underlying folder permissions controls access to data. In every case, the most restrictive access will be allowed. For example, because the default share permission is Read, even if NTFS permissions on the folder are Full Control, the only network access allowed to the data will be Read. (Console-based access is not affected by share permissions.)

Determining actual access by examining share and folder access permissions can become difficult, though, when many permissions are set. However, the correct interpretation can always be determined by using the following process for each group or user:

Determine the permission granted on the share.

Determine the permission granted on the folder.

Select, from the two, the most restrictive permission, and that will be the access granted.


Table 5-5 describes permissions on a sample folder and its share.

Table 5-5. Folder and Share Permissions for the Folder Test

| Folder Permissions | Share Permissions |
|---|---|
| John: Change, Read and Execute, List Folder contents, Read, Write | John: Full Control |
| Accountants: Full Control | Accountants: Change |
| Users: Read | Users: Read |

A quick scan of the table shows that the most restrictive permission for John is Read. This permission is granted to him directly, and via his membership in the Users group. However, relying on this evaluation to determine John's access to the data in the test folder is incorrect. John actually has Read and Execute, List Folder Contents, and Read and Write permissions. This is because access is determined by looking at the share and folder permission sets separately to determine what access each would grant and then selecting the most restrictive of the two access options. If only the share permissions are considered, John has Full Control. If only the folder permissions are considered, John has Change, Read and Execute, List Folder Contents, and Read and Write. Of the two options, the folder permission set is more restrictive and thus is the access that John is granted.
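The evaluation described above, worked through for Table 5-5 as an added example that is not from the book: each layer is resolved on its own (allows accumulate across the user's entries, a matching deny removes rights), and network access is the intersection of the two results. The reduction of each permission name to a small set of rights is a simplifying assumption; John's membership in Users comes from the text.

```python
# Added example (not from the book): share and folder layers as set operations.
# Assumption: each permission name is reduced to a small set of rights.
READ = {"read", "list"}                      # Table 5-3: read and list only
CHANGE = READ | {"write", "delete"}          # Table 5-3: read, write, delete, list
FULL = CHANGE | {"execute", "change_permissions", "take_ownership"}
RIGHTS = {
    "Read": READ, "Read and Execute": READ | {"execute"},
    "List Folder Contents": {"list"}, "Write": {"write"},
    "Change": CHANGE, "Full Control": FULL,
}

def layer_access(acl, principals):
    """Rights that one layer (the share OR the folder) gives a user.

    acl: list of (trustee, "allow" | "deny", [permission names]).
    principals: the user's own name plus every group the user belongs to.
    Allows accumulate across matching entries; a matching deny wins.
    """
    allowed, denied = set(), set()
    for trustee, kind, perms in acl:
        if trustee not in principals:
            continue
        target = allowed if kind == "allow" else denied
        for perm in perms:
            target.update(RIGHTS[perm])
    return allowed - denied

def effective_access(share_acl, folder_acl, principals):
    """Network access is only what BOTH layers permit."""
    return layer_access(share_acl, principals) & layer_access(folder_acl, principals)

# Table 5-5, folder "Test".
SHARE_ACL = [("John", "allow", ["Full Control"]),
             ("Accountants", "allow", ["Change"]),
             ("Users", "allow", ["Read"])]
FOLDER_ACL = [("John", "allow", ["Change", "Read and Execute",
                                 "List Folder Contents", "Read", "Write"]),
              ("Accountants", "allow", ["Full Control"]),
              ("Users", "allow", ["Read"])]
JOHN = {"John", "Users"}

if __name__ == "__main__":
    print("share layer :", sorted(layer_access(SHARE_ACL, JOHN)))
    print("folder layer:", sorted(layer_access(FOLDER_ACL, JOHN)))
    print("effective   :", sorted(effective_access(SHARE_ACL, FOLDER_ACL, JOHN)))
```

The Users Read entries never limit John here, because within each layer his own entry already grants more; only the comparison between the two layers is restrictive.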

Remote Administration of Shares


Remote administration of share permissions via Windows Explorer is not a good idea. When remote permissions are examined, only the permissions set on the folder are visible, not the permissions set for the share. Changing the folder permissions may or may not have the desired effect because changing folder permissions does not change share permissions, and users may not be given the correct access. Furthermore, when you change permissions this way, you remove the inherited permissions from the folder and by extension its subfolders. Manage shared folder permissions from the console. (Remotely changing the permissions of a subfolder of a shared folder will not affect inherited permissions.)

Best Practices for File and Printer Sharing


File and Printer Sharing is on by default; when should it be disabled or enabled, and how should shares be protected?

File and Printer Sharing is required on a domain controller. If you are going to use the server as a domain controller, do not turn off File and Printer Sharing.

File and Printer Sharing is not required on a server unless the following applies:

The server will be a file server.

A remote management or vulnerability scanning tool requires it.

Turn off File and Printer Sharing if you do not need it.

If remote management tools are used, a server that contains sensitive information or performs a critical service may be too important to risk leaving File and Printer Sharing enabled. You can monitor, manage, and scan this server at the console or use management tools that do not require File and Print services.

Bastion servers (servers with one network interface on an untrusted network, such as the Internet, and one network interface on a trusted network) should not have File and Print Services on the untrusted network interface.

Remove, disable, or replace shares that are not required.

Do not use Windows Explorer to delete default installation shares because they will be reshared when the server service is stopped and then restarted. Instead, configure the AutoShareServer value at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. To permanently delete a default share, delete its value or set the value to 0 to remove the share, or 1 to replace shares, and then stop and restart the server service. This registry key has no effect on the IPC$ share.

Shares for CD-ROM, CD-R/RWS, DVD-ROM, and DVD-RAM drives are not created by default; however, if you change system-assigned drive letters for them, they are shared. Configure security options to prevent network sharing of these devices when an administrator is logged on, and remove shares created when drive letters are changed.


