Networking

Protect your network servers by hiding them from users

Networks tend to have users who like to poke around in places where they shouldn't go. Even if these users aren't malicious, they can damage your servers. Help safeguard your Windows servers by keeping them from showing on the network browse list.


Just about every office I've ever worked in has had trouble with curious users. In a Windows network, the biggest problem is that any user can open the Network Neighborhood or My Network Places and see a complete listing of all of the machines that are currently on the same network—including servers. In and of itself, this isn’t really a problem, assuming that your servers are secure and you don’t have malicious users. However, many companies have visible servers that aren't completely secure—and a few malicious users, to boot. Let's take a closer look at this problem and what you can do to mitigate it.

Those pesky users
Some users are just naturally curious. They'll double-click on machines in the network browse list to see whether any shares show up and just to take a look at what's available on the network. In fact, I once caught an employee systematically going through every machine to see what share points existed on them. When I asked her what she was doing, she told me that she was trying to familiarize herself with the network by seeing exactly what data directories and what application folders she had rights to.

In that particular situation, I honestly believe that the user was telling me the truth and that her actions were harmless. Of course, her actions might not have been harmless if I hadn't done my job properly. Suppose that I had accidentally overlooked a share point that should have been tightly secured. The user's innocent actions could then have jeopardized a server.

The other problem with having visible servers is that they're tempting targets for hackers within your company. Countless reports suggest that most security breaches on corporate networks come from within the company, and I have seen real-world examples of this time and time again.

At the risk of embarrassing myself, one such example involves me directly. When I got my first network administration job, I was 18 years old and had just graduated from high school. My programming skills were excellent, but I knew very little about networking (comparatively speaking).

My boss understood that I was a trainee and that I already had some basic networking knowledge. She gave me limited access to the network rather than just giving me administrative access on my first day. She then suggested that I use my access to start familiarizing myself with the network. I started looking around and eventually, curiosity got the best of me. I launched an elevation of privileges attack against the network and by my third day on the job, I had created a user account with administrative privileges.

Another case in which the ability to see the server's browse list allowed an internal attack occurred at the same company about two years after I was hired. One of the departments had hired a guy to answer the phones. However, the phones didn’t ring much, and he started getting bored, so he turned his attention to the network. He had downloaded some hacker utilities from AOL and started using them against the corporate network.

Although he never gained administrative access, he did manage to derive a considerable amount of information about the network. Fortunately for the IT staff, the guy loved to show off his exploits to his friends and one of them ratted him out.

Hiding your servers
As you can see, if a server is visible in the browse list, it’s only a matter of time before someone who’s either curious or malicious tries to break into it. Fortunately, there are a couple of ways to hide your servers from the Windows network browse list. First, though, I should point out that our first technique involves editing the registry on your servers. Editing the registry is dangerous, and an incorrect edit can destroy Windows and/or your applications. Therefore, I strongly recommend that you make a full system backup before making any registry changes.

With that said, go to a machine that you want to make invisible and open the Registry Editor via the REGEDIT command. When the Registry Editor opens, navigate through the registry tree to this key.

Next, right-click on the Parameters container and select New and then DWORD Value from the resulting shortcut menu. The Registry Editor will create the value, label it New Value #1, and highlight the label for editing. To change the label, just type Hidden. (This value is case sensitive.)

Now, double-click on the Hidden key to open the Edit DWORD Value dialog box, where you can set the key’s data. By default, the key is set to 0, which means that the key is disabled. You can enable the key by setting the data value to 1 and clicking OK. If you ever need to make the server visible, just set the data value back to 0 or delete the Hidden key altogether.

You can also make a server visible or invisible by using the Net Config command instead of the Registry Editor. To make a server invisible, go to the server you want to hide, open a Command Prompt window, and enter this command:
 
NET CONFIG SERVER /HIDDEN:YES

If you want to make the server visible again, use this command:
 
NET CONFIG SERVER /HIDDEN:NO

Whether you choose to modify the registry or use the Net Config command, you must either reboot the machine or stop and restart the Server service for the change to take effect. Even after rebooting or stopping and restarting the service, it could take up to 51 minutes for the server to disappear from or reappear on the browse list. This is due to the browse list’s expiration policies.

Is it worth it?
Obviously, this is a simple change if you want to hide a server or two, but it can be a lot of work if you have a lot of servers to hide. So in that case, the obvious question is whether the measure is effective enough to be worth the effort. After all, the change will merely prevent users from accessing the server through the browse list. They can still access it through the UNC path (\\servername\share) or by the server’s IP address, if they know either of those identifiers. And of course, hiding a server isn't going to keep an experienced hacker from finding it, either.

What it will do is stop someone from accidentally accessing it—or accessing it out of security—through the browse list. It may also prevent newbie hackers from discovering the server, depending on what tools they are using.

Hiding a server is just one of thousands of security techniques, and no one technique is going to protect your network. It can be a good precautionary security measure, but it definitely shouldn’t be the only security mechanism that you use to protect network servers.

Editor's Picks

Free Newsletters, In your Inbox