
Windows 7 Bug HELP!!!! Administrative Shares wide open?

0 Votes
Locked

mendez164
I'm having a huge issue on my corporate network with Windows 7 hidden default shares (i.e., c$, d$). My regular users are able to browse the contents of any Windows 7 computer on the network using the local computer's administrative share (\\computername\c$). These users have no admin rights and are just regular users. They are not in the local computer's Administrators group either. My Google searches have turned up nothing. I found a post about creating a registry key to prevent access to the administrative shares, but it doesn't work. Is anyone experiencing this issue as well? Is this an MS bug, or is there a fix? I know I can block access to administrative shares using Group Policy Preferences; however, I would prefer not to, because certain applications depend on these default admin shares to work. I just want to restrict these default admin shares to administrators only, like Windows XP did. When I disjoin a machine from the network and try to access the admin shares on that disjoined machine, I'm asked for admin credentials, which is the way it should always work.

By the way, my server OS is Server 2003 and I'm running Active Directory. Any help would be much appreciated, as I am at a roadblock right now with no direct access to MS Support.
    1 Votes
    pjboyles

    You can have a couple of issues:
    1. A group embedded some place that is giving more access than you intended.
    2. Rights have been assigned to a group or security principal that give people access.

    Item 1 is a common problem, while item 2 is rare.

    For item 1, I suggest starting off on a problem workstation by looking at the workstation's local Administrators group. Take each group within the local Administrators group and trace the members of the group as well as any nested groups.

    I suspect that one of several groups has been added at some point into a group you have in the local Administrators group. Look for these:
    Domain Users
    Authenticated Users
    Interactive / Interactive User
    Everyone
    Guest (you have it disabled, right?)

    Due to the potential unintended consequences, I replace instances of Authenticated Users and Interactive / Interactive User with explicit permissions such as the local Users group, the Domain Users group, or both. Further, removing Everyone from any access and replacing it with explicit group(s) to grant access further tightens up your access and lessens the chance of unintended consequences.

    A last item to check is to ensure no one has given Anonymous rights equal to Everyone.

    For item 2, turn on security logging with special attention to rights. Enable monitoring of success and failure for "Privilege Use" and "Object Access." Test the system and then turn off logging to prevent collecting a huge amount of data and potentially overwriting important clues. Check your security event logs to find clues as to what rights or privileges were used to access the systems.

    Another type of privilege escalation is a group (ID) that is given act-as-system, debug, or backup-user rights. Finding these can be tricky as well. This kind of issue can be very difficult to find and is rare.
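    The group-tracing procedure in item 1 above is exactly the kind of thing that is tedious by hand and easy to get wrong, because the offending principal is usually two or three nesting levels down. The following PowerShell script is an added example written for this thread; it is not from the original post or from Microsoft. It reads a workstation's local Administrators group through the WinNT ADSI provider, expands every domain group nested in it to any depth through LDAP (so it needs no ActiveDirectory module and works against a Server 2003 domain), and flags the broad principals the reply lists: Everyone, Authenticated Users, Interactive, Anonymous Logon, Guests and Domain Users. The only assumptions are the computer name you pass in and that the account running it can read the target's local group and the domain's group membership.

```powershell
# Added example for this thread, not the original poster's or Microsoft's code.
# Enumerates <ComputerName>\Administrators, recursively expands nested domain
# groups via ADSI, and flags well-known broad principals plus Domain Users.
param([string]$ComputerName = $env:COMPUTERNAME)   # assumption: reachable, domain-joined host

# Well-known SIDs that effectively grant everyone (or nearly everyone) access.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'Interactive'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-32-546' = 'Guests'
}
$Findings = New-Object System.Collections.ArrayList   # membership paths that end in a broad principal
$Seen     = @{}                                       # DNs already expanded (breaks nesting cycles)

function Get-BroadLabel([string]$Sid) {
    if ($BroadSids.ContainsKey($Sid)) { return $BroadSids[$Sid] }
    if ($Sid -like 'S-1-5-21-*-513') { return 'Domain Users' }   # RID 513 is Domain Users in every domain
    return $null
}

function Report([string]$Path, [string]$Sid, [string]$Class) {
    # Print one membership edge; record it if it reaches a broad principal.
    $label = Get-BroadLabel $Sid
    $flag  = if ($label) { "  <== BROAD ($label)" } else { '' }
    Write-Host ("{0} [{1}] {2}{3}" -f $Path, $Class, $Sid, $flag)
    if ($label) { [void]$Findings.Add($Path) }
}

function Expand-DomainGroup([string]$Dn, [string]$Path) {
    # Walk the 'member' attribute of a domain group and recurse into nested groups.
    if ($Seen.ContainsKey($Dn)) { return }
    $Seen[$Dn] = $true
    $group = [ADSI]"LDAP://$Dn"
    foreach ($memberDn in $group.psbase.Properties['member']) {
        $obj   = [ADSI]"LDAP://$memberDn"
        $bytes = $obj.psbase.Properties['objectSid'].Value
        $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        $name  = [string]$obj.psbase.Properties['sAMAccountName'].Value
        $class = $obj.psbase.SchemaClassName
        $childPath = "$Path > $name"
        Report $childPath $sid $class
        if ($class -eq 'group') { Expand-DomainGroup $memberDn $childPath }
    }
}

# Direct members of the workstation's local Administrators group (WinNT provider).
$admins = [ADSI]"WinNT://$ComputerName/Administrators,group"
foreach ($m in $admins.psbase.Invoke('Members')) {
    $t     = $m.GetType()
    $name  = $t.InvokeMember('Name',      'GetProperty', $null, $m, $null)
    $class = $t.InvokeMember('Class',     'GetProperty', $null, $m, $null)
    $bytes = $t.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
    $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    $path  = "$ComputerName\Administrators > $name"
    Report $path $sid $class
    # Only domain groups (S-1-5-21-<domain>-<rid>) can be nested further in AD;
    # local groups and well-known SIDs such as S-1-5-11 have nothing to expand.
    if ($class -eq 'Group' -and $sid -like 'S-1-5-21-*') {
        try {
            $dn = [string]([ADSI]"LDAP://<SID=$sid>").psbase.Properties['distinguishedName'].Value
            if ($dn) { Expand-DomainGroup $dn $path }
        } catch { }   # SID belongs to the local machine, not the domain: skip
    }
}

if ($Findings.Count) {
    Write-Warning "Broad principals reach $ComputerName\Administrators via:"
    $Findings | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "No broad principals found in $ComputerName\Administrators."
}
```

    Run it against a workstation where a non-admin can open \\host\c$ (`.\Find-BroadAdmins.ps1 -ComputerName WKS01`, name of the file is your choice). Each line is one membership edge, so the warning at the end shows the full path, for example `WKS01\Administrators > Desktop-Admins > Helpdesk > Domain Users`, which is the nesting mistake the reply describes. The script only reads; fixing it means removing the offending member from the intermediate group. One caveat: a domain group with more than 1500 members returns `member` in ranges on AD, and this simple read will only see the first range, so groups that large should be checked with a ranged query.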

    0 Votes
    mendez164

    Peconet,

    Thanks for your response and answer; you are definitely right. I wish you would have responded sooner, as I was going crazy for two days. Turned out that some admin within my group gave admin access to a specific group that is placed in the local admin group of every computer on the network!! So basically every user had admin access and could do anything they wished. I went to the Domain Administrator for assistance and he swore that all the permissions were correct. It wasn't until I dug through every group that I found the vulnerability.

    Many Thanks Again Brother or Sister

    Tony
