This even shows hidden shares. I had a folder share that was \\server\profiles$. This was a share that was being used for folder redirection. Even though the user only had access to his folder he could see ALL USERS ACCOUNTS by going to \\server\profiles$. This would make it easier for a hacker since it gives them any username that has ever logged in. Here is how I figured out how to lock it down.
This is assuming you already created the shared folder and have the Server Role of "File Services" installed.
Open server manager
Navigate to roles and go to file services
Next click share and storage management
Look for file server resources and locate your share
On the share, right click and select properties
Click the advanced button and check enable access based enumeration
Next thing you need to do is navigate to the shared folder (eg: c:\users\profiles$), right click and select properties. Select the security tab, click the Advance button. Click Change Permissions. Locate the Authenticated Users line or whatever you made yours, and double click it. Make sure that Apply to: is set to This folder only. If it is not set like this, it won't work.
Now for the sub folders in c:\users\profiles$, each folder will only have rights to one user (eg: jsmith or jdoe). By setting it up like this, if jsmith would figure out the folder share location of \\server\profile$, he is unable to see jdoe. Regardless without setting this setting jsmith wouldn't have access to look into jdoe's folder, but a hacker would now know of a new username of jdoe.
For Windows Server 2012, the setting has moved. Open Server Manager -> File and Storage Management -> Shares -> Right click the share and select Properties. Click Settings and check the Enable access-based enumeration. This is the same setting as mentioned above.
Source: Link
No comments:
Post a Comment