Shared Drive Security

  • Thread starter Thread starter Shayne Huston
  • Start date Start date
Anywhere from next to zero to a major, hugh catastrophe.
It is situational based on what is shared with what permissions,
and the network environment where this is being done.
I am at a major American university, larger than many
US cities, and shares are used extensively. It can be done
safely. It also can be done in ways leading to disaster.
 
On Sat, 21 Feb 2004 09:15:02 -0600, "Shayne Huston"
How big a risk is a shared drive on an XP PC?
Click to expand...

It depends on:
- what network it is shared to
- what is in that subtree

The risks are:
- unathorised reading of data
- unathorised changes to data
- launching of malware

Read-only shares expose on the first risk.

Some locations allow malware to be dropped and integrated in such a
way that it runs automatically, and *that* is the big risk:
- any directory, if "View As Web Page" is enabled (desktop.ini)
- any \ (root), if Autorun.inf processing is not suppressed
- C:\ and the OS subtree (system startup axis)
- "C:\Documents and Settings" and profiles (user startup axis)
- various application startup axes

Malware files can be dropped in ways that don't autorun, i.e. acting
as "landmines" for whoever gets curious and clicks them. So it's best
not to write-share any part of the user's UI (desktop, Start Menu,
QuickLaunch, Send To etc.).

It's also good to have a policy that raw code is to be kept OUT of the
data subtree (in contrast to MS's idea of having MS Messenger dumping
incoming files in "My Received Files", IE dumping downloads in the
data set, and deliberately storing .exe files in the data set to stop
System Restore fiddling with them).

That way, if the user suddenly sees a "MyPicture.EXE" in the "My
Documents" subtree, they are less likely to click it open - assuming
they can see the .EXE extension, which the duhfault setting of "hide
file name extensions" makes impossible.


If you mess up with network share management, then the old struggle
slogan "an injury to one is an injury to all" applies. If any one PC
on your LAN gets hit, then likely *everyone* gets hit.

So - best practice:
- kill "View As Web Page" or write-share nothing at all
- kill HD Autorun.inf or write-share no HD volumes from root
- never write-share C:\ or the OS subtree
- never write-share any StartUp groups or application startups

However, XP has permanent "hidden" administrative shares that do
*exactly* the above, write-sharing every HD volume from root. Duh.

-- Risk Management is the clue that asks:
Click to expand...
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
 
You must log in or register to reply here.

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Save data from Notebook: copying to the USB stick using Linux and the command line 0
VNC Viewer help. 3
Is there any client for Google Drive based on Linux? 2
Windows 10 Will Windows 10 be able to run on my PC? 3
Windows 7 Force Setting of Sharing and Security codes on Backup Drive 1
File Sharing Security 1
Show me your highest mileage HDD? 0
Setting up TrueNAS frustration 4

Back
Top