Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Win7 shares possible huge security hole

05 Jul 2011   #1

win7
 
 
Win7 shares possible huge security hole

Potentialy due to all problems with connecting XP to Windows 7 people
are already glad to be able to connect to Windows 7, but there seems to be
a huge scurity hole in the process:


Note   Note

As I examin shares on Windows 7 (controll panel shares)
ACL's require a full grant on Everyone// it's unclear what read and change and full mean...
As previous inter connections connections are made effects are less clear restriction seem to be less strickt
what makes the shares ACL tricky to handle and test for security problems!!!!!



The ACL Everyone: FULL seems to be required for all shares to work ???!!!!

Note   Note



but everyone is rather LARGE:


"The Everyone group encompasses":
well everyone. That is, it includes all the built it users and groups that
come with Windows XP/Windows 7 as well as any administrator defined users and groups.
It also includes the service and system accounts that are created and any anonymous
accounts that connect to the computer without providing any login credentials.
Lastly, it includes the Guest account.




As an acl GROUP grant is placed on the share ( a group of users(NOT individual users,but this is unmanagable)) the statement seems to be ignored !!

Note   Note

The requirement of an EVERYONE:FULL is IMPLICITELY A SECURITY BREACH....
Relying on the file security restriction is a different matter.
The SHARED security is the first security protection setting it: The need to use EVERYONE:FULL is killing the security purpose





User/password all username passwords are synced by batch process and used on ALL machines
files access to the files is granted by group but for the sake of the exercise a grant to authenticated users is added
to ensure the file's protection is not the problem (implicit security breach but this is a test)

what is a problem is the need to reboot.... since(clear credentials) all gets confused by first opening another share by that user
then the state of the share switches virtually to authenticated user instead of everyone (first refused/then allowed(once logged in guest plays less in the game) UGLY to reproduce

Basical settings and tests:

share files: authenticated user : full except special permissions (just for tests to avoid file protection issues)
group full permissions
system full permissions (came from inheritance)
admin(local) full permissions (test side effect but can not harm,user has admin privileged as well)
users r/e/list (came from inheritance)
no deny

Test user is member of group group defined on both sides (all machines)
behavior identical on all machines

Share permissions basic setting (common for all tests):
group full permission
no deny



Share permission tests:
everyone: full all works
everyone : change can write
everyone : read no write access
everyone : none (gets deleted ) windows can not access
annonymous login read no access
change no access
full no access

Conclusion: everyone:full is essential but is heavy security breach really everyone can get at badly protected files
(file system protection!!!!!!!!=assumed out of control due to possible future errors anyhow is not reliable this way !!!)
an explict User Name: Read/full can write/can read But this is completely un-maintainable what does NOT help the security!


PS: takes a long time (multiple seconds to translate SID in group name
during this time no permissions shown (controll pannel server)
CPU i7 12 Gig 10 terrabyte Windows 7 sp1 ultimate (both machines) fresh generated
gigabit ethernet link



the issue has nothing to do with passwords or patches.... BUT WITH The assumed way of working

as it was working in XP and is NOT WORKING in windows 7.(has NEVER WORKED SP0/SP1!)

Due to this fact the manufacturing (intentionally? since test seem to be done badly on basic functions)
supports hackers and blocks users to really secure their system.


Quote:
Basic Understanding of Share and NTFS Permissions
To understand Sharing and NTFS permissions (Security Tab), when connecting to a Shared Resource (folder, printer, etc), the NTFS permissions are combined with the Share permissions to provide the Most Restrictive.

This means that if a user has Full Control on the Share permissions, and only Read on the NTFS permissions (Security Tab), the Effective (resulting) permissions is the user will only have Read. That's why we can set higher Share permissions at the parent for the initial access, then control the resulting or Effective permissions with NTFS. No passwords are needed other than the user being successfully logged on to the domain. When a user is logged on successfully to a domain/workgroup, an access token is given the user account. The access token is compared to the ACL (Access Control List) in the Share and NTFS (security tab) permissions to determine access. That's why no passwords are required, and is much easier than trying to deal with multiple passwords. The system simply uses the AD/workgroup user account for access enumeration.

Therefore due to the Most Restrictive evaluation, the easiest way to set permissions is to provide the Users (preferrably by Groups), Full Control on the Share side, but lock it down on the NTFS side (Security Tab). It SHOULD works nicely, all the time, and is easier to document and keep track.
MY claim is the above DOES NOT WORK IN Windows 7!!!!!!!
Yes it works for users !!!!! BUT THAT IS NOT PREFERABLE AND UN-MAINTAINABILITY!!!!

IT SEEMS NOT TO WORK FOR GROUP's (Correctly defined in control panel and working correctly for file access permissions[non share])
THIS BUG ????!!!! FORCES HUGE SECURITY RISKS on a OS that is supposed/mentioned state of the art.

(Sorry for shouting, is intended but not intended to anyone personally)
My cry is a CRY for help, is the above really as I state, or am I missing Something
that is the reason I pledge the world for help

Any help link or info is welcome
Where can I find more on this, links to more professional security setup please.-

My System SpecsSystem Spec
.

10 Jul 2011   #2

win7
 
 

CAN ANYONE CONFIRM ???

add user to share full rights / files full rights
add user to an acl group

test access and read write permisson on second machine

replace share user access by the group acl same full rights
nothing works anymore !!!!


please I can not be the onlyone with the same problem on multiple machines !!!!



we can generalize what we want, and declare "it works just fine"
Quote:
as functions as groups ={user 1,user2,user3, userN} (suppose only 10 users)
connecting to a share

share1: allow user1:full
share1: allow user2:full
share1: allow user3:full
share1: allow user4:full
,,,
share1: allow usern:full




for 10 shares, this becomes 100 operations 100 test 100 verifications 100 times more management (forgetting about all possible interactions with other shares and files) then
share1: group:full

this last sentence does not work independently if its home work or .....
independently of any firewall

for files it seems to be working correct you can say file/directory group: full access and more ...
for shares the descriptions state that it is possible but in reality YOU DO NOT GET ANY PERMISSION!!!


All I ask is to CONFIRM not saying "all works well" it is not trough.
as far as I know there are and should not be any policy, settings, ..... definitions restrictions
except eventually the XP home version, But here I'm running on a WINDOWS7 ULTIMATE with all the patches in place





Share privileges that do work :
UserName (unmanagable)
NETWORK( but then all security is gone)
EVERYONE(but then all security is GONE)

What DOES Not work :
A GROUP name Group={User1,user2,user3....}
ADMINISTRATORS (you can not allow administrators to open shares ...)
Or I am doing something incredibly wrong ,
OR there is a HUGE BUG in WIndows 7 killing all possible security
My System SpecsSystem Spec
Reply

 Win7 shares possible huge security hole




Thread Tools



Similar help and support threads for2: Win7 shares possible huge security hole
Thread Forum
Solved Wi-Fi Protected Setup security hole discovered. Network & Sharing
BB Code Security hole in PHPBB 3! Browsers & Mail
PDF security hole opens can of worms. Security News
Strange hole in security General Discussion
Vbootkit security hole System Security
Zero Day Security Hole In Windows 7? System Security
Security hole in UAC News

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 09:01 AM.
Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App
  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33