Security Basics mailing list archives

Re: Share Permissions


From: "Roger A. Grimes" <rogerg () cox net>
Date: Mon, 9 Jun 2003 15:50:30 -0400

I don't know of a specific exploit against the scenario you propose, and
what you propose below is a very, very common way to configure a Windows
box.

But in theory, it exposes more information than it needs to...and to that
end if you are concerned about security, you should not do it.  There is a
large school of thought that says you should make learning information about
your system as hard as possible.  The more information you give away, the
easier it is for said hacker to gather intelligence and then use it to
attack your system.

At the very least, consider changing EVERYONE on shares to AUTHENTICATED
USERS.  That way you get rid of anonymous accounts, etc.

Also, this goes against the security-in-depth principle.  If you get in a
habit of setting security on both the shares and the folders/files, if you
miss one the other might catch it.  If you always have everyone on the
share, if you accidentally forget to remove everyone on the drive
permissions then it's an open hole; and vice-versa.  Although this doesn't
seem like it would catch much, people often incorrectly change inherited
rights, causing unintended permissive permissions.

But since there are no specific exploits that would be avoided (that I know
of) if you correctly handled file permissions 100% of the time, it's
basically a risk/speed trade off.

Just my one-half cent.

Roger

****************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: rogerg () cox net
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
****************************************************************************

----- Original Message ----- 
From: "Benjamin Meade" <ben () lanwest com au>
To: "'Security-Basics'" <security-basics () securityfocus com>
Sent: Monday, June 09, 2003 3:09 AM
Subject: Share Permissions



Hey all,

Just wondering in Win2K server, when I share a folder, I set the share
permissions to full access for everybody, and then control access using
the file permissions. (Basically cos it cuts down on administration, and
I'm lazy.) Are there any security issues running this way, or is it much
of a muchness?

Thanks,

Benjamin Meade
System Administrator
LanWest Pty Ltd
Ph:  (08) 9440 3033
Fax: (08) 9440 3370
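
Added example, not part of either message above: a PowerShell audit for the configuration discussed in this thread. It lists shares whose share-level ACL allows Everyone or Anonymous Logon and reports whether the NTFS ACL on the shared folder allows them too, which is the case where neither layer catches a mistake in the other. It assumes the SmbShare cmdlets (Windows 8 / Server 2012 or later, not the Windows 2000 server in the question); the function and property names are illustrative.

```powershell
# Added example. Assumes the SmbShare module (Windows 8 / Server 2012 or later).
# Well-known SIDs are matched so the check also works on localized systems.
$BroadSids = @('S-1-1-0',   # Everyone
               'S-1-5-7')   # Anonymous Logon

function Resolve-Sid {
    param([string]$Account)
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null   # account name no longer resolves
    }
}

function Get-BroadShareGrant {
    # -Special $false skips administrative shares such as C$, ADMIN$ and IPC$.
    foreach ($share in Get-SmbShare -Special $false) {
        # Share-level Allow entries for a broad principal.
        $shareHits = @(Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadSids -contains (Resolve-Sid $_.AccountName)
        })
        if ($shareHits.Count -eq 0 -or -not $share.Path) { continue }

        # NTFS Allow entries (explicit and inherited) on the shared folder,
        # with identities returned as SIDs.
        $acl = Get-Acl -LiteralPath $share.Path
        $ntfsHits = @($acl.GetAccessRules($true, $true,
                [System.Security.Principal.SecurityIdentifier]) | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadSids -contains $_.IdentityReference.Value
        })

        [pscustomobject]@{
            Share          = $share.Name
            Path           = $share.Path
            ShareGrant     = ($shareHits | ForEach-Object {
                                 "$($_.AccountName):$($_.AccessRight)" }) -join ', '
            # True means neither layer restricts the broad principal.
            BothLayersOpen = $ntfsHits.Count -gt 0
        }
    }
}

Get-BroadShareGrant | Sort-Object BothLayersOpen -Descending | Format-Table -AutoSize
```

On a flagged share, the swap from Everyone to Authenticated Users suggested in the reply can be made with `Grant-SmbShareAccess` and `Revoke-SmbShareAccess` from the same module.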


