Thursday, June 19, 2014

How to Hide Folders Inside a Share that the User Does Not Have Access To

The issue I was dealing with is being able to see a hidden share. With Windows 7, Microsoft added a new feature called the Document Library. They thought this was a great idea, but what I ran into yesterday made it a problem. The document library was made so you can have multiple folders where your documents are stored, but "Documents" shows them all in one place. As you can see at the top arrow, once you click it you can see all the locations.

This even shows hidden shares. I had a folder share at \\server\profiles$ that was being used for folder redirection. Even though each user only had access to his own folder, he could see ALL USERS' ACCOUNTS by going to \\server\profiles$. This makes it easier for a hacker, since it hands them every username that has ever logged in. Here is how I figured out how to lock it down.

This assumes you have already created the shared folder and have the "File Services" server role installed.

Open Server Manager
Navigate to Roles and go to File Services
Next click Share and Storage Management
Look for File Server Resources and locate your share
On the share, right click and select Properties
Click the Advanced button and check Enable access-based enumeration

The next thing you need to do is navigate to the shared folder (e.g. C:\Users\profiles$), right click and select Properties. Select the Security tab and click the Advanced button. Click Change Permissions. Locate the Authenticated Users entry (or whatever group you used) and double click it. Make sure that "Apply to:" is set to "This folder only". If it is not set like this, it won't work: the entry would be inherited by every user's subfolder, and access-based enumeration would then show them all.

Now for the subfolders in C:\Users\profiles$: each folder grants rights to only one user (e.g. jsmith or jdoe). Set up like this, if jsmith figures out the share location \\server\profiles$, he is unable to see jdoe's folder. Even without this setting jsmith would not have had access to look inside jdoe's folder, but a hacker would have learned a new username, jdoe.

For Windows Server 2012, the setting has moved. Open Server Manager -> File and Storage Management -> Shares -> right click the share and select Properties. Click Settings and check Enable access-based enumeration. This is the same setting as mentioned above.
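The whole procedure above in PowerShell, as an added example that is not from the original post: it enables access-based enumeration on the share, gives Authenticated Users a root ACE that applies to this folder only, and then checks both settings. It assumes Windows Server 2012 or later (the SmbShare module), an elevated session, and the post's own share name profiles$ at C:\Users\profiles$; the Test-ShareLockdown function and its output fields are my own names.

```powershell
# Added example (not from the original post): lock down a folder-redirection
# share with access-based enumeration (ABE) plus a "This folder only" root ACL.
# Assumes Windows Server 2012+ (SmbShare module), an elevated session, and that
# the share 'profiles$' already exists on C:\Users\profiles$ (the post's names).
#Requires -RunAsAdministrator
Import-Module SmbShare

$ShareName = 'profiles$'
$SharePath = 'C:\Users\profiles$'

# Step 1 (the Server Manager checkbox): ABE hides entries the caller has no
# Read access to, so jsmith no longer sees jdoe's folder when listing the root.
Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force

# Step 2 (the NTFS dialog): Authenticated Users only needs enough rights on
# the root itself to list it and create their own folder. The ACE must not
# propagate to subfolders; InheritanceFlags 'None' is what the GUI calls
# "This folder only". SYSTEM and Administrators keep inheritable full control.
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting from C:\Users
$rules = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\Authenticated Users',
        'ListDirectory,ReadAttributes,ReadExtendedAttributes,CreateDirectories,Traverse',
        'None', 'None', 'Allow')   # 'None','None' = this folder only
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $SharePath -AclObject $acl

# Step 3: verify. Both conditions must be true or users will still be able
# to enumerate the other usernames under the share root.
function Test-ShareLockdown {
    param([string]$Name, [string]$Path)
    $share = Get-SmbShare -Name $Name
    $abeOn = ($share.FolderEnumerationMode -eq 'AccessBased')

    $authAces = (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' }
    # Every Authenticated Users ACE on the root must carry no inheritance flags.
    $thisFolderOnly = ($authAces.Count -gt 0) -and
        -not ($authAces | Where-Object { $_.InheritanceFlags -ne 'None' })

    [pscustomobject]@{
        Share                    = $Name
        AccessBasedEnumeration   = $abeOn
        RootAceThisFolderOnly    = [bool]$thisFolderOnly
        LockedDown               = ($abeOn -and $thisFolderOnly)
    }
}

Test-ShareLockdown -Name $ShareName -Path $SharePath
```

Two things to keep in mind when reading the result: ABE is a share-level setting, so it only affects listings that come through the SMB share (anyone who can log on to the server interactively or who already holds Read on a subfolder still sees it), and Test-ShareLockdown reports on the root ACE only; the per-user subfolders that folder redirection creates must themselves grant access to just that one user, as the post describes, for ABE to have anything to hide.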
