Saturday, January 29, 2011

How can I deny directory browsing in the case of start->run->my_server_ip?

We have a W2K3 Server, with certain directories shared on a couple of different drives. Both drives (C and D) have the default admin shares in place.

When any domain user is logged in, that user can Start->Run->server_ip and view a list of all shared folders.

Can I keep this from happening?

I'd like only domain admins to see this.

This probably reveals that I've got many other things wrong already, but it's my start point.

Advice?

  • You're looking for Access Based Enumeration. Download from Microsoft for Server 2003 SP1 or R2.

    Once installed you can either globally enable it; or enable it on the Properties of individual shared folders.

    Ducain : I suppose I have a deeper problem, though this will definitely help. In our case, I can't get the access perms to work. I have edited a share, first removing all access groups. Then I added Domain Admins to the group. I then logged in as an AD user belonging only to Domain Users, and could access the folder. Gah!
    Chris S : "Then I added Domain Admins to the group." - ?? Is this share permissions or NTFS permissions? They're separate and both have to be configured correctly.
    Ducain : Sorry - I'm an app developer being forced to check out server management stuff (don't get me started). To clarify, I removed all groups from the share permissions, and then added the Domain Admin group. Should this not limit access to this folder to only users signed in that belong to the group Domain Admins?
    Ducain : I'm marking this as the answer because technically this would address the exact question I asked. I have other issues going on, but not regarding this question it seems.
    Izzy : @Ducain - as Chris S mentioned, there are Share permissions, and then Security permissions - different tabs on the folder. Usually, you need to set Share permissions to Everyone [Full Access], and then set who can access it in the Security permissions tab
    Chris S : @Ducain, sounds like you've got it correct. Izzy has the 'normal' procedure, but in your case you want Share Permissions set to Domain Admins = FA, and nothing else. If user who is not a member of Domain Admins can still see the folder (with ABE turned on) you've got something else going on. If they can actually access the contents of the folder then something is seriously f---ed up (like "Everyone" is a member of the Domain Admin group); if this is the case, double/triple check the members of the Domain Admins group.
    From Chris S
  • This probably reveals that I've got many other things wrong already, but it's my start point.

    Actually, it doesn't. Without Access-based Enumeration, all authenticated users will see a list of all shares when looking at \\fileserver. That's the way it works. Whether or not they can open a shared folder and view any of the contents depends on the ACLs that you set - but everyone should be able to see all the non-hidden shares. That's why they make hidden shares (\\fileserver\$Sharename) - in case you want to hide them.

    Ducain : Thanks, cleared that up for me.
    Tubs : Yes, to "hide" a share, you need a share name with a $ at the end. The admin shares are C$ and D$ so that's why they can't see them.
    From mfinni
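An added audit script, not part of the question or either answer, that checks the three things the answers above separate: whether Access-Based Enumeration is on for a share, what the share-level ACL says versus what the NTFS ACL says, and whether a share name ends in `$` and is therefore hidden from the \\server listing. It assumes the SmbShare PowerShell module (Windows Server 2012 / Windows 8 and later); on Server 2003 ABE was the separate download mentioned in the first answer and these cmdlets do not exist there. Share names and account names in the output come from whatever server it is run on.

```powershell
# Added example (not from the original question or answers). Audits SMB shares
# on a file server: reports whether Access-Based Enumeration (ABE) is enabled,
# lists the share-level ACL and the NTFS ACL separately, and flags shares that
# are visible in the \\server listing (name does not end in '$').
# Assumes the SmbShare module (Windows Server 2012 / Windows 8 or later).
# Run in an elevated PowerShell session on the file server.

function Get-ShareExposureReport {
    param(
        # Share names to skip; the defaults are built-in admin shares.
        [string[]]$Exclude = @('ADMIN$', 'IPC$', 'print$')
    )

    Get-SmbShare | Where-Object {
        # Also skip the per-drive admin shares C$, D$, ...
        $_.Name -notin $Exclude -and $_.Name -notmatch '^[A-Za-z]\$$'
    } | ForEach-Object {
        $share = $_

        # Share-level permissions (the "Share Permissions" tab).
        $shareAcl = Get-SmbShareAccess -Name $share.Name | ForEach-Object {
            '{0} {1} {2}' -f $_.AccountName, $_.AccessControlType, $_.AccessRight
        }

        # NTFS permissions on the underlying folder (the "Security" tab).
        $ntfsAcl = (Get-Acl -Path $share.Path).Access | ForEach-Object {
            '{0} {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
        }

        [pscustomobject]@{
            Share            = $share.Name
            Path             = $share.Path
            Hidden           = $share.Name.EndsWith('$')
            ABE              = ($share.FolderEnumerationMode -eq 'AccessBased')
            # True when the share ACL grants Everyone something; in that case the
            # NTFS ACL is the only thing actually restricting access.
            ShareEveryone    = [bool]($shareAcl -match '^Everyone ')
            SharePermissions = ($shareAcl -join '; ')
            NtfsPermissions  = ($ntfsAcl -join '; ')
        }
    }
}

# Turn ABE on for every visible (non-hidden) share that does not have it yet.
# ABE only hides folders a user cannot read; the ACLs still do the enforcing.
function Enable-AbeOnVisibleShares {
    param([switch]$WhatIf)

    Get-SmbShare | Where-Object {
        -not $_.Name.EndsWith('$') -and $_.FolderEnumerationMode -ne 'AccessBased'
    } | ForEach-Object {
        Set-SmbShare -Name $_.Name -FolderEnumerationMode AccessBased -Force -WhatIf:$WhatIf
    }
}

# Usage: review the report first, then enable ABE (use -WhatIf for a dry run).
Get-ShareExposureReport |
    Format-Table Share, Hidden, ABE, ShareEveryone, SharePermissions -AutoSize
Enable-AbeOnVisibleShares -WhatIf
```

Reading the report against the comment thread: a share where `ShareEveryone` is true is set up the way Izzy describes (Everyone at the share, restriction on the Security tab), while a share locked down the way Chris S suggests will show only Domain Admins in `SharePermissions`. If a user outside Domain Admins can still open such a folder, the two ACL columns together show which layer is letting them through.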
