Security Basics mailing list archives

RE: Prevent use of Open Share


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Thu, 25 Aug 2005 05:51:25 -0400

Easy, don't allow your users to be admins or power users. Only
Administrators and Power Users can create shares. If your end-users are
in either of these two groups, open shares are the least of your issues.
There is no easy way to prevent admin users from creating shares. 

There is a withdrawn registry edit that used to allow you to control
what permissions were given automatically with new shares, but that has
been withdrawn. 

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Consultant 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, CHFI, TICSA
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
***************************************************************************

 

-----Original Message-----
From: Alex Harasic Gil [mailto:alharasic () mi cl] 
Sent: Wednesday, August 24, 2005 2:56 PM
To: security-basics () securityfocus com
Subject: Prevent use of Open Share

Hi, the company I'm working for has over 8,000 PCs connected to the
corporate LAN. We need to find a way to prevent users from creating Open
Shares with full-access permissions on the Windows 2000 network.

Basic users don't know how to apply access control to the shares
they're sharing. So there's also an education process we need to carry
out.

But as a first step, what can I do to lock down the use of public open
shares on the Windows 2000 domain? Domain policy, GPO? Is there any way
to detect their use other than scanning for open shares?

Regards

Alex S. Harasic
alharasic () mi cl
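
An added example, not part of the original thread: since the reply says only Administrators and Power Users can create shares, this Python script parses captured `net localgroup` output per host and lists every member outside an approved set. The host names, accounts, approved set and sample output are constructed, and English-language `net` output is assumed.

```python
import re

# Assumption: accounts expected in share-capable groups (hypothetical names).
APPROVED = {"administrator", r"corp\domain admins"}

# Constructed sample shaped like `net localgroup <group>` output.
TEMPLATE = """Alias name     {group}
Comment        (constructed sample)

Members

-------------------------------------------------------------------------------
{members}
The command completed successfully.
"""

def sample(group, *members):
    return TEMPLATE.format(group=group, members="\n".join(members))

# Constructed inventory: (host, local group) -> captured command output.
COLLECTED = {
    ("PC-0001", "Administrators"): sample("Administrators", "Administrator", r"CORP\Domain Admins"),
    ("PC-0001", "Power Users"): sample("Power Users"),
    ("PC-0002", "Administrators"): sample("Administrators", "Administrator", r"CORP\Domain Admins", r"CORP\jsmith"),
    ("PC-0002", "Power Users"): sample("Power Users", r"CORP\Domain Users"),
}

def parse_members(output):
    """Return the member lines between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if not in_list:
            in_list = re.fullmatch(r"-{5,}", line) is not None
        elif line.startswith("The command completed"):
            break
        elif line:
            members.append(line)
    return members

def unexpected_members(collected, approved=APPROVED):
    """List (host, group, member) for every member outside the approved set."""
    return [(host, group, m)
            for (host, group), out in sorted(collected.items())
            for m in parse_members(out)
            if m.lower() not in approved]

if __name__ == "__main__":
    for host, group, member in unexpected_members(COLLECTED):
        print(f"{host}: {member} can create shares via {group}")
```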

