Stop access to file shares on other PCs

Guest

Environment:
AD on 2003
Multiple OUs
Of special note: All PCs in question are in same OU

*****
How can I prevent workstations from accessing peer shares (non-2003-server
shares) available and advertised on other PCs?
*****

I know that it is very possible to prevent PCs under my control from sharing
files, I just do not know how to prevent the PCs from accessing other PCs'
shares while not breaking share access to 2003 servers.

Please let me know your thoughts and suggestions.

Please be as specific as possible. I am not an AD or Group Policy expert.
3rd-party solutions are fine.

Thank you for your time,
 
Guest

Hi, have you looked into NTFS permissions and network share security? Here
are a couple of links to help you get started:

http://www.microsoft.com/kb/308418

http://www.microsoft.com/kb/308419

Both of these assume you have Simple File Sharing disabled, but if you are
on a Domain, and using a Server, (of course you are if on a Domain) but if
needed go into Windows Explorer, Tools, Folder Options, click on the View tab
and then at the bottom of the list of options you can uncheck the
radio button "Use Simple File Sharing (Recommended)". This will unleash the
full power of NTFS file security and permissions. Be careful, however, as you
could lock users out of shares and files they use normally if you make the
wrong setting.

If you have group policy, go into the GP Editor and then into
the section for the Network Connections and enable the "Only allow
authenticated users to access this computer" setting. Then disable the Guest
Account and this will stop anyone from accessing the network via the
unpassword protected guest account. Simple File Sharing authenticates network
logons with the guest account, and while the logged on user is limited to the
permissions of the guest account, they do have access and it is a security
hole. When you disable Simple File Sharing and have only authenticated users
logging onto the network, they are authenticated via the account they are
using to access the network and with only those permissions that account
grants them. This way you are relatively assured only those users you grant
access are actually accessing your shares across the network.

When you grant a share, remove the "Everyone" group and replace it with the
"Authenticated users" group. That finalizes the connection with the GPO and
only those authenticated users which you grant access will be able to
actually access a particular share. This grants granular permissions and is
the best way to set up a share to be accessed only by those users you allow
to access it.

Good luck and have a nice day,
 
Guest

No. Don't go messing with NTFS permissions, or you will cause problems for
the local users of the computer. Remember these apply to the user at the
keyboard, as well as to network access.

Turn off Simple File Sharing, if it's on.

Then, change the _share_ permissions on any other shares to restrict access
to specified users or groups, instead of Everyone.

As a simpler, more drastic alternative if there is no need for peer-sharing
at all (all files are on the server or the user's own PC) then disable the
Server service on workstations. This will stop file-sharing AND browsing of
the LAN. (and is easily undone if the need arises)

Connections to the server's shares should then be established with a logon
script or policy.
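
Added example, not part of any reply in this thread: a read-only Windows PowerShell audit for the two measures suggested above (share permissions that no longer grant Everyone, and the state of the Server service on workstations). The workstation names are placeholders, and it assumes the account running it has administrative WMI access to those PCs.

```powershell
# Added example, not from the thread. Workstation names are hypothetical placeholders.
$Workstations = 'WS01', 'WS02'
$EveryoneSid  = 'S-1-1-0'   # well-known SID of the Everyone group

function Get-PeerShareExposure {
    param([string[]]$ComputerName)
    foreach ($pc in $ComputerName) {
        try {
            # LanmanServer is the "Server" service that publishes shares from a PC.
            $svc = Get-WmiObject Win32_Service -ComputerName $pc `
                       -Filter "Name='LanmanServer'" -ErrorAction Stop
            # Type 0 = ordinary disk share; administrative shares (C$, ADMIN$) are excluded.
            $shares = @(Get-WmiObject Win32_Share -ComputerName $pc `
                       -Filter 'Type=0' -ErrorAction Stop)
        } catch {
            Write-Warning "$pc : WMI query failed ($($_.Exception.Message))"
            continue
        }
        $state = '{0}/{1}' -f $svc.State, $svc.StartMode
        if ($shares.Count -eq 0) {
            # Nothing is being offered to peers from this workstation.
            [pscustomobject]@{ Computer = $pc; ServerService = $state
                               Share = '(none)'; Path = $null; EveryoneAllowed = $false }
            continue
        }
        foreach ($s in $shares) {
            # Share-level ACL (not NTFS): look for an Allow ACE (AceType 0) for Everyone.
            $sec = Get-WmiObject Win32_LogicalShareSecuritySetting -ComputerName $pc `
                       -Filter ("Name='{0}'" -f $s.Name.Replace("'", "\'"))
            $everyone = $null   # $null = share ACL could not be read
            if ($sec) {
                $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
                $everyone = [bool]($dacl | Where-Object {
                    $_.AceType -eq 0 -and $_.Trustee.SIDString -eq $EveryoneSid })
            }
            [pscustomobject]@{ Computer = $pc; ServerService = $state
                               Share = $s.Name; Path = $s.Path; EveryoneAllowed = $everyone }
        }
    }
}

Get-PeerShareExposure -ComputerName $Workstations |
    Sort-Object Computer, Share | Format-Table -AutoSize
```

Rows with EveryoneAllowed set to True are shares still open to any peer; a workstation showing Stopped/Disabled for ServerService is not offering shares at all.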
 
