file system and share permissions
I have always wondered what is more secure if you want to deny all network access to a folder/drive:
-do nothing, leave it unshared
OR
-share it as a hidden share and deny access to EVERYONE.
I also wonder this about FTP servers.
BTW, where is the password setting?
And what's up with the permissions anyway? They are BACKWARDS! Doesn't it make more sense for deny to take priority over allow?
(So I could allow 'bob' and 'smith' and deny 'everyone'? No, it couldn't be this easy, could it; you have to allow 'everyone' then deny individual users.)
This seems insecure, as there are a lot of hidden users/groups/principals.
These are the ones I have found so far on a clean install:
ANONYMOUS LOGON
Authenticated Users
BATCH
DIALUP
Everyone
INTERACTIVE
NETWORK
SERVICE
SYSTEM
TERMINAL SERVER USER
SUPPORT_(numbers)
HelpAssistant
Guest
Administrator
LOCAL SERVICE
NETWORK SERVICE
I'm sure there are more.
I must be thinking the wrong way or something, because this seems like a stupid design and no one else talks about this stuff.
--insaNity
Responses to this topic
Sorry I've been gone so long. I have read your replies, AlecStaar, and am STILL reading through your detailed guides!
I have been meaning to properly go through this and update my Ghost image, but it seems I never get time except when I'm overtired, like now.
(the questions WILL be coming)
Quote: Disable the Server Service... stalls it ALL! At one shot...
Yes, but I meant if you want to serve some files but not others, and you aren't using NTFS (i.e. you can only set permissions in the individual network services). E.g. is it best to add your folder to the FTP server and DENY EVERYTHING, or to just not add it at all?
I think you have already answered this, actually: it's best not to give any network apps anything to do with folders they shouldn't allow. Correct?
Quote: locked myself outta my machine, there was no getting around it either... reformat! A lot of my work was lost in that fiasco of my own research!
It is indeed a nightmare that I hope I never experience. You would think that at least we professionals would never do this, as 99.9% of the time when people format, it was actually recoverable.
I know someone who did that the other day. They managed to recover it, though, with the help of some tools purchased from Sysinternals/Winternals: reset all permissions and recovered some corruption!!!
He said it was the "Restorer 2000" program; not sure if that's exactly the right name, though.
Regarding the users/groups/system accounts it is safe to deny: I found that my NetBIOS guest read-only shares were not affected when I denied the following permissions on the shared folders:
NETWORK - Deny write
NETWORK SERVICES - Deny ALL
(plus others)
I guess that means SMB/NetBIOS uses the network service but not the NETWORK SERVICES service, although I assume other network apps will use the other or both.
Anyway, those two can't be dangerous to play around with.
I see the reason why the permissions are 'backwards'. It is because a user can be a member of more than one group, and therefore allow 'must' take priority over deny. Though I think everyone can see the potential dangers with this method also ('hidden' accounts could be overlooked, people might not have a full understanding of inheritance and priorities, and if new accounts are made they would have full access), and it could be improved, but I guess what is done is done, and we should just cope with it.
Quote: This should be a REALLY good thread, ask all the questions you want to, I will be glad to answer as best I can... this kind of thread needs doing here & I am glad you started it up!
Don't say that! You jinxed it! 8)
Oh well, when it comes to "question time" I will start a new topic anyway, because I took so long.
You are right, it needs to be discussed more.
Quote: We can get REALLY specific on your machine if you like, but DO read that document first!
I'm working on it. Don't worry, it won't be too long, as I will be the gateway for my LAN soon, so I'm going to be forced into it.
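Editor's added example, not part of either post above. Both posts turn on the same two points: how Windows decides between Allow and Deny entries (the original post's "backwards" question, the reply's "allow must take priority" reasoning and its NETWORK deny experiment), and what a share adds on top of NTFS permissions (unshared folder versus hidden share with Deny Everyone). The model below walks a DACL the way the access check does: ACEs in canonical order (explicit Deny before explicit Allow, inherited entries after), a matching Deny on any still-wanted right fails immediately, a matching Allow subtracts rights, and a principal named in no entry falls through to an implicit deny, so "allow bob and smith, no Everyone entry" is a valid allow-list. Access through a share must pass both the share DACL and the NTFS DACL; a folder that is not shared has nothing to evaluate over the network, and a trailing `$` only hides a share from browse lists. This is not the Windows API: the access-mask bits, the token contents, the share name and the users bob, smith and alice are constructed for illustration.

```python
# Added example (not from the thread): a small model of how Windows walks a
# DACL and how share permissions combine with NTFS permissions for access
# over the network. It is not the Windows API. The access-mask bits, the
# contents of the tokens and the users bob/smith/alice are constructed.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed access-mask bits; the real FILE_* rights are finer grained.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
FULL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class Ace:
    kind: str             # "allow" or "deny"
    trustee: str          # user or group, e.g. "bob" or "Everyone"
    mask: int             # rights this ACE allows or denies
    inherited: bool = False


def canonical_order(dacl: Iterable[Ace]) -> List[Ace]:
    """ACL editors write ACEs in canonical order: explicit deny, explicit
    allow, inherited deny, inherited allow. The access check walks the list
    in that order, so an explicit Deny is seen before any Allow on the same
    object, which is why it wins even when the user is in the allowed group."""
    rank = {(False, "deny"): 0, (False, "allow"): 1,
            (True, "deny"): 2, (True, "allow"): 3}
    return sorted(dacl, key=lambda a: rank[(a.inherited, a.kind)])


def access_check(dacl: List[Ace], token: Set[str], desired: int) -> bool:
    """Model of the AccessCheck loop. A matching Deny that overlaps any right
    still wanted fails the check at once; a matching Allow removes its rights
    from the wanted set; reaching the end with rights still outstanding is an
    implicit deny, so a principal named in no ACE at all gets nothing."""
    remaining = desired
    for ace in canonical_order(dacl):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def token(user: str, network: bool) -> Set[str]:
    """Constructed approximation of an access token: the user plus the groups
    the logon adds. Authenticated logons carry Everyone and Authenticated
    Users; the logon type adds NETWORK or INTERACTIVE, which is what lets an
    ACE single out users who came in over the wire."""
    groups = {user, "Everyone", "Authenticated Users"}
    groups.add("NETWORK" if network else "INTERACTIVE")
    return groups


def network_access(share_dacl: Optional[List[Ace]], ntfs_dacl: List[Ace],
                   user: str, desired: int) -> bool:
    """Access through a share must pass the share permissions and the NTFS
    permissions; the effective right is the intersection. share_dacl=None
    means the folder is not shared at all, so there is nothing to reach."""
    if share_dacl is None:
        return False
    tok = token(user, network=True)
    return access_check(share_dacl, tok, desired) and access_check(ntfs_dacl, tok, desired)


def scenarios() -> dict:
    """Constructed folders that answer the questions raised in the thread."""
    r = {}
    wide_open = [Ace("allow", "Everyone", FULL)]
    # 1. Not shared: no share DACL to pass, so no network access at all.
    r["unshared"] = network_access(None, wide_open, "bob", READ)
    # 2. Hidden share (data$) with Deny Everyone: the $ only hides it from
    #    browse lists; the Deny ACE is what blocks access, for every user.
    r["hidden_deny_everyone"] = network_access([Ace("deny", "Everyone", FULL)],
                                               wide_open, "bob", READ)
    # 3. Allow-list: name only bob and smith, no Everyone entry anywhere.
    share_auth = [Ace("allow", "Authenticated Users", FULL)]
    allowlist = [Ace("allow", "bob", FULL), Ace("allow", "smith", READ)]
    r["bob_write"] = network_access(share_auth, allowlist, "bob", READ | WRITE)
    r["smith_read"] = network_access(share_auth, allowlist, "smith", READ)
    r["smith_write"] = network_access(share_auth, allowlist, "smith", READ | WRITE)
    r["alice_read"] = network_access(share_auth, allowlist, "alice", READ)
    # 4. Allow a group, deny one member: bob is in Everyone, but the explicit
    #    Deny is evaluated first, so it wins even though it is listed last.
    group_minus_bob = [Ace("allow", "Everyone", READ), Ace("deny", "bob", READ)]
    r["bob_denied"] = network_access(share_auth, group_minus_bob, "bob", READ)
    r["smith_allowed"] = network_access(share_auth, group_minus_bob, "smith", READ)
    # 5. Deny WRITE to NETWORK only: the same ACL answers differently
    #    depending on whether the user logged on locally or over the wire.
    no_remote_write = [Ace("allow", "Everyone", FULL), Ace("deny", "NETWORK", WRITE)]
    r["remote_write"] = access_check(no_remote_write, token("bob", network=True), WRITE)
    r["local_write"] = access_check(no_remote_write, token("bob", network=False), WRITE)
    return r


if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name:22s} {'granted' if granted else 'denied'}")
```

Run it as-is to see each scenario print granted or denied. The model leaves out what the real check adds on top (owner rights, privileges such as backup/restore, and the NULL-DACL case that grants everyone full control), which is exactly why the safe pattern is the one scenario 3 shows: grant only the principals that need access, keep Everyone and the well-known groups out of the Allow list, and treat a Deny ACE as a targeted exception rather than the main control.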