Hidden share $

Steve

Hi

From My Network Places I am able to navigate to any workstation on the LAN
and get to their C$ share. Is this a security risk? What can be done to
prevent this?

Thanks
Steve
 
Steven L Umbach

Can you actually access data in the shares? If not, then it would not be a concern.
If you can, then either you are logged on with an account that is in the
administrators group on those computers or they have the guest account enabled. The
guest account should always be disabled unless you do not want network access to be
authenticated, possibly even from the internet if there is no firewall. --- Steve
 
Steve

Yes, I can access any file, create, save, modify, delete, etc....on the root
of the C drive.

The guest account is disabled on that local PC.

The Administrators Group on that PC has Everyone in that group.

Steve
 
Steven L Umbach

Well that is the problem, remove everyone from the administrators group. By default
only the administrator is a member of that group and then it is up to the
administrator to add just the necessary users that he wants to have administrator
access to the computer. ---Steve
 
Austin M. Horst

Also, if Everyone is a member of the Administrators group,
you basically have NO security. There is nothing
restricted from anyone.
Check all of your other PCs' group configurations too.
Give regular users only as much access as they need. No
more, no less either.

Austin M. Horst
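
An added example, not part of the original thread: one way to run the check suggested above across several PCs, listing over-broad members of the local Administrators group. It assumes PowerShell 5.1 or later with PowerShell remoting enabled on the targets; the function names and host names are hypothetical.

```powershell
# Added example: audit the local Administrators group for over-broad members.
# The SIDs below are Windows well-known SIDs; host names are constructed placeholders.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'      # narrower than Everyone, but still worth reviewing
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-546' = 'BUILTIN\Guests'
}

function Test-BroadSid {
    param([string]$Sid)
    # Domain Users (-513) and Domain Guests (-514) carry a per-domain prefix, so match on the RID.
    return $BroadSids.ContainsKey($Sid) -or $Sid -match '^S-1-5-21-(\d+-){3}51[34]$'
}

function Get-BroadLocalAdmin {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($computer in $ComputerName) {
        try {
            # Look the group up by SID (S-1-5-32-544) so renamed or localized groups are still found.
            $members = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                Get-LocalGroupMember -SID 'S-1-5-32-544' |
                    Select-Object Name, @{ n = 'Sid'; e = { $_.SID.Value } }
            }
        } catch {
            # An unreachable host is reported, not silently skipped.
            Write-Warning "$computer : could not read Administrators group ($($_.Exception.Message))"
            continue
        }
        foreach ($m in $members) {
            if (Test-BroadSid $m.Sid) {
                [pscustomobject]@{ Computer = $computer; Member = $m.Name; Sid = $m.Sid }
            }
        }
    }
}

# Constructed host names; replace with your own inventory.
Get-BroadLocalAdmin -ComputerName 'WKSTN-01', 'WKSTN-02' | Format-Table -AutoSize
```

Any row in the output is a group that grants administrator rights to more accounts than were individually chosen.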
 
Oli Restorick [MVP]

That is really bad.

If you really have to give admin rights like that, consider changing
"everyone" to "builtin\interactive", which will only give admin rights to
people logged on at the console (or via Terminal Services).

Better still, rather than putting people in the administrators group, put
them in power users. That way, users can't access each other's profiles.
Better still, just give the rights and permissions people need to run their
programs.

If your users have half an idea what they're doing, they probably have admin
rights to all your servers by now.

Regards

Oli
 
Steve

Thank you all for your helpful replies.

The 'everyone' was added to that PC when the user needed to install her PDA
software.

Oli wrote: Better still, just give the rights and permissions people need to
run their programs.

How do I know what rights/permissions besides the admin and power users?

Thanks again
Steve
 
Steven L Umbach

That can be difficult to determine as far as ntfs and registry permissions go - you
could try giving a user modify ntfs permissions to the folder of a particular
application they may have trouble running or sometimes a software publisher can
provide instructions on what to modify. I would suggest that if that situation
arises again and you cannot determine proper permissions for a regular user then add
that particular user to first the power users group and if that is not sufficient
then the local administrators group to accomplish the needed task. Remove a user from
the administrators group when they no longer need those powers. -- Steve
 
Oli Restorick [MVP]

As Steven says, it can be tricky. A couple of tools from
www.sysinternals.com, called RegMon and FileMon can save the day, though.

Registry permissions are altered using regedt32.exe.

Sometimes it can be a pain to get stuff right. Often the files that need
changing reside in the Program Files directory relating to the product.
Similarly, registry keys under HKEY_LOCAL_MACHINE\Software often need
changing.

It really depends on the environment. Sometimes giving Power User rights is
OK. It depends how much control you want to give.

At the end of the day, software writers should be writing code that runs
under Windows 2000. If they're not, choosing another product that does work
properly is the best move. I appreciate that's not always possible, in
which case voicing your complaint to the vendor in question is probably the
best you can do.

Regards

Oli
 
Steve

Thank you all very much for the advice.
Steve
