Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Win 7 Pro file server with network shares - is this method secure?

06 Jun 2014   #1
tv69

Windows 7 Pro 64bit
 
 
Win 7 Pro file server with network shares - is this method secure?

Hello all,

We have a Windows 7 Pro computer in an unsecure room acting as a file server to 10 other computers on the network.

My issue is with creating and securing network shared folders so that prying eyes can not access info not meant for them.

We currently have 3 folders to share with different departments. These folders are 'Accounting', 'Design', and 'Production'.

As mentioned there are 10 other computers on the network and user accounts have been created on the file server to match the user accounts on each of the 10 computers. For these 10 user accounts on the file server, we did however set up the users with passwords that are different than the password used on their own computer. This was done to prevent anyone from logging into the file server and messing with it.

The method I am considering for sharing the 'Accounting', 'Design', and 'Production' folders is to share each folder on the file server and to add 'Everyone' as a user, granting access to all 10 users on the network. To limit access to any particular user, via the 'Security' tab on the shared folder, I press the edit button and add the user. Then all their permissions are set to deny. I would add more users I wish to deny access in the same way.

It seems to work fine. Mapping a network drive to the file server is allowed only by users not denied for the particular share and a password is not required to map to the share.

Is there any security risk to doing it this way or any downside I may encounter?

Thanks for any help.

TV


My System SpecsSystem Spec
.
07 Jun 2014   #2
TanyaC

Linux Mint 17 Cinnamon | Win 7 Ult x64
 
 

Hi there,

This is not an optimal solution. What you've done, if I understand your explanation properly is open up access (everyone), then put band-aids over it.

One better approach is to (a). Create groups for each department (b). Create the shares with permissions specific to each group (Accounting users can access the accounting share), then grant specific Allow permissions only to that group for that folder and sub-folders. You could add deny permissions for others, but it simply adds complexity that you don't need.

A good security model starts from a deny-all point and adds allow permissions as required. You are working the other way.. Allow all then deny as required. It may well work, but you risk missing something one day and then someone gets access to something they shouldn't.

It's better to have a user complain that can't access something (that you then fix), than have someone with access to something they shouldn't and they don't tell you about it.

Where possible you should always stay away from Everyone permissions.

Also, full control, unless specifically needed, should only be granted to administrators.

As a general rule of thumb, you open it up only as much as you need to to let the people who should have access gain access.

It may be that the credentials required to access the share are stored in your credential manager (see control panel). Password protected shares are a good thing, as long as you don't have to enter the password every time. Worked in one company that was a little naive in this regard. We had to login to every share every morning because they were so paranoid.
My System SpecsSystem Spec
08 Jun 2014   #3
chev65

Windows 7 Ult, Windows 8.1 Pro,
 
 

Yes as Tanya says it's safer if you can remove the Everyone share. The directions for adding users to groups and removing the Everyone share is explained in the following link.

This link has the best explanation for NTFS file sharing that I've found.
Share Permissions and NTFS Permissions Folder Access Control & Folder Permissions - AD and Exchange Quantum Singularity
My System SpecsSystem Spec
.

08 Jun 2014   #4
tv69

Windows 7 Pro 64bit
 
 

Thank you Tanya for the in depth explanation. I had a feeling my approach was not ideal.

Thank you Chev for the link.

I came about the proposed solution because I had trouble mapping shared drives. As mentioned 10 users were set up on the Win 7 Pro file server that matched the 10 user names of the other 10 computers on the network. Since the file server is not in a secure location, it was decided to use different passwords for the 10 accounts on the file server than the passwords being used on to log on at each of the 10 computers, thus preventing any of the 10 users access to the file server.

Although I have mapped network drives many times before, I was not able to map a network drive in this case. Many combinations were tried but none worked.

Is it that I did not get the right combination of credentials/password or is it that the different password for users on the file server did not allow for it to work? I tried a similar approach with a Linux file server and it worked fine and I'm guessing I'm entering the credentials/password incorrectly on this Windows file server.

The windows file server is called 'SERVER' and has an 'ADMIN' account + the 10 other accounts on it, let's say user1, user2,... , user10.

After browsing the share, what would be the correct credentials to use to map the network drive? Would I need to 'Connect using different credentials'? Please note that I did allow permissions for the particular user under the security tab for the share.

Thank you once again for your help.

TV
My System SpecsSystem Spec
09 Jun 2014   #5
tv69

Windows 7 Pro 64bit
 
 

Well it turns out that the file server did not have 'Turn on password protected sharing' switched on and that was the problem. Everything works fine now.

When user1 is granted access to two shares from the file server, typing in the credentials once gives access to both shares. Is this normal behaviour or is there a way to force credentials to be entered for each network mapped drive even if they originate from the same file server?

Thanks,

TV
My System SpecsSystem Spec
09 Jun 2014   #6
Alejandro85

Windows 7 Ultimate x64
 
 

Quote   Quote: Originally Posted by tv69 View Post
We have a Windows 7 Pro computer in an unsecure room acting as a file server
That's all I need to read to see that you're against an impossible challenge. Physical security is number one priority in securing any server, because "the bad guys" can do literally anything to it when having physical access (which is FAR more powerful than administrator access).
The very first thing you need to do is to find a safe place to put it, under a lock at the very least. If anyone can walk in and use its keyboard/mouse/screen, they can login directly there, put disks and copy data, remove backup devices with all their data, or simply reboot with an external OS and bypass any security you can come with. A good reading on the matter is this:
Ten Immutable Laws Of Security (Version 2.0)
"Law 3" specifically.



Quote   Quote: Originally Posted by tv69 View Post
it was decided to use different passwords for the 10 accounts on the file server than the passwords being used on to log on at each of the 10 computers, thus preventing any of the 10 users access to the file server.
I will have to say no again . This is actually counterproductive. Because of the way Windows shares work, a valid login for the share is also a valid login to the computer it's stored in. By using a different credentials, you only prevent them from using the very same password as they use on their computers, but they can still use the alternative one to login into the server, as they're doing to access the shares.

A better solution is to have the same password on both places. This is easier for the users to remember and more practical (less post-it's with passwords is also more secure) and straightforward to use. But to actually prevent any login into the server from the users, you can use a gpedit policy, located in:
Computer Configuration => Windows Settings => Security Settings => Local Policies => User Rights Assignment => Deny logon locally. Add your 10 users there, so they can't use their credentials to login as a normal user. Also, keep them out of the Terminal Server group, so they can't even use remote desktop to it. This still allows to use the shares though the network.

For everything else, I just agree with TanyaC and chev65. Grant the bare minimum permissions to get the job done, when in doubt, deny until someone complains.
One more thing. Since you have an insecure location, make sure you encrypt the backups, so when someone steals them, they'll have a hard time getting any data out of them.
My System SpecsSystem Spec
09 Jun 2014   #7
TanyaC

Linux Mint 17 Cinnamon | Win 7 Ult x64
 
 

Quote   Quote: Originally Posted by tv69 View Post

When user1 is granted access to two shares from the file server, typing in the credentials once gives access to both shares. Is this normal behavior or is there a way to force credentials to be entered for each network mapped drive even if they originate from the same file server?
TV
Yes, the permissions you give are based on the user (or more specifically, the SID associated with the user). Remember, the password is associated with the user account, not with the share.

So, once a user logs in and is authenticated, they will get access to anything you have given them explicit access to.

To grant permissions to a specific user grant that user permissions to the share (Don't use everyone or the "users" group). Then grant specific allow permissions for what you want to do with the data managed by that share (Files and folders).

So, if you have two shares: "Accounts" and "Sales". Fred is a member of accounts, and sue is a member of sales, then you would grant fred access to the accounts share and not to sales, and Sue would be the reverse.

As to the second part of your question; As I said, the credentials apply to the user. They do not apply to the objects on the server. This is managed by the security, or what we call "Access Control Lists".

As long as you get your security correct it shouldn't be a problem.

If users share PCs you will need to have stringent log out policies and potentially automate some of that.

hth
tanya
My System SpecsSystem Spec
09 Jun 2014   #8
tv69

Windows 7 Pro 64bit
 
 

Alejandro85,

I really appreciate the response and your point of view. I have raised the point of the unsecure room to the owners and it will eventually be taken care of. There is probably one person in the building that may have the technical know how to cause some damage. It's not justification for an unsecure room but I agree that it is a bigger problem than passwords and user names.

Thank you also for the link to the 10 Immutable laws.

I don't quite understand you explanation of why it is bad to have user accounts on the server with different passwords than what are used by the users to log in to their own computers?

Each user logs into their user account on their computer with their local password. Network shares with different user credentials are going to be set up by admin only, not the users themselves.

I will look at the gpedit you suggested and the locking out of terminal services as well.

I'm still curious about this from my previous post.
When user1 is granted access to two shares from the file server, typing in the credentials once gives access to both shares. Is this normal behaviour or is there a way to force credentials to be entered for each network mapped drive even if they originate from the same file server?

Thank you for your input, much appreciated.

TV
My System SpecsSystem Spec
09 Jun 2014   #9
tv69

Windows 7 Pro 64bit
 
 

Quote   Quote: Originally Posted by TanyaC View Post
Quote   Quote: Originally Posted by tv69 View Post

When user1 is granted access to two shares from the file server, typing in the credentials once gives access to both shares. Is this normal behavior or is there a way to force credentials to be entered for each network mapped drive even if they originate from the same file server?
TV
Yes, the permissions you give are based on the user (or more specifically, the SID associated with the user). Remember, the password is associated with the user account, not with the share.

So, once a user logs in and is authenticated, they will get access to anything you have given them explicit access to.

To grant permissions to a specific user grant that user permissions to the share (Don't use everyone or the "users" group). Then grant specific allow permissions for what you want to do with the data managed by that share (Files and folders).

So, if you have two shares: "Accounts" and "Sales". Fred is a member of accounts, and sue is a member of sales, then you would grant fred access to the accounts share and not to sales, and Sue would be the reverse.

As to the second part of your question; As I said, the credentials apply to the user. They do not apply to the objects on the server. This is managed by the security, or what we call "Access Control Lists".

As long as you get your security correct it shouldn't be a problem.

If users share PCs you will need to have stringent log out policies and potentially automate some of that.

hth
tanya
Ah thank you Tanya. I was typing my post to Alejandro as you were typing your response. I took your good advice, tested it out and it all seems to work fine. Don't use 'Everyone' and only grant access to those needing it. Next I will sort out some user groups to simplify the process of sharing.

All of you have been most helpful.

Cheers,

TV
My System SpecsSystem Spec
09 Jun 2014   #10
TanyaC

Linux Mint 17 Cinnamon | Win 7 Ult x64
 
 

While I think of it, having just read your response to Alejandro...

He has raised some good points. Another one is the automatic expiring of passwords. This helps mitigate problems with passwords being known by the wrong people.

In such a case, synching the password on the client and the server is by far the easiest solution. Having different passwords, whilst not a bad idea, will add more complexity and will drive users bananas if you expire passwords.

If you use different passwords that sort of leaves you potentially with passwords never changing, simply for the sanity of your users.

As to the encryption of backups - you should NEVER store backups of business data on site any way. If you must, make sure they are as far away from the server as possible. Not only do you have the theft issue that Alejandro mentioned, you have fire and damage concerns. If the area where the server is located burns down, you don't want your backups going with it.

Too often when working at client sites have I seen backups sitting on the table right beside the server..
My System SpecsSystem Spec
Reply

 Win 7 Pro file server with network shares - is this method secure?




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
Method to optimize remote desktop performance and reduce server load.
Hi guys, I would take a minute to write our current network configuration: We have several PCs in the company and those are distributed on 3 physically separate locations. 2 retails stores and 3rd location is our HQ office. In each store we have a PC that runs windows XP SP3 x86. In...
Performance & Maintenance
How do I create a home network with my laptop as the main file server?
Hi, I tried to explore today the possibilities of creating a "stand alone" home network that does not require an internet. This is what I intend to do: 1. create a home network where my laptop serves as the access point emitting an SSIS ie. "share-it". 2. When a another laptop tun on his...
Network & Sharing
Copy shares and permissions on file x to file z? Is this possible?
I have a user for whom shares and permissions on the server are working just fine. I have another user for whom something is screwed up somewhere. I've taken a directory that is shared and I've looked up the share and permissions for both. Identical. But do this for 3,000 files/directories in...
Network & Sharing
BSOD when accessing network or network shares via Wireless
Hi everyone We have purchased 2 new HP Elitebooks and both are getting these bluescreens when accessing the network over wireless. I am assuming it has to do with the wireless cards or their drivers but this has now occured even when using just the 3G modem and VPN client I have attached...
BSOD Help and Support
Have a weird issue. Win7, Windows 2003 Server, some shares missing
At our office, we have a Windows 2003 File server (one of them), and Windows 7 workstations. The workstations can use Explorer fine to view all the folders on the share. But for whatever reason when you go to a command prompt and do a DIR on that share, it is missing about 60% of the folders. ...
Network & Sharing


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 13:35.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App