Windows end point security – part 3
- Posted by: Securium Solutions

Welcome everyone,
This is the third part of our blog series on Windows endpoint security. Today we will discuss securing Windows shares in Active Directory.
Granting a user unnecessary permissions on a shared directory gives an attacker numerous ways to access the shares.
It is our responsibility to secure Active Directory shares by restricting permissions.
Let's do it.
Here I have an Active Directory Controller set up with a Domain ready.
Open Server Manager

Click on File and Storage Services

Click on Shares in the left pane

You can see shares if you have one already, otherwise we will create one.
Click on Tasks–> New Share.

Click on the SMB Share - Quick option and click Next

Select the server name and the volume that you want to share; here I am selecting D.

Give a share Name, here it is FinanceData and click Next.

Enable access-based enumeration in the Configure share settings window.

Click on Customize permissions button

In the Advanced Security Settings for Finance Data window, click Disable inheritance.
Here we are disabling the inheritance that came with administrator permission on folders and subfolders, and we will give explicit permissions instead.
Click on Convert inherited permissions into explicit permissions on this object.
The purpose of this option is to apply explicit permissions to the share.

You can see that CND\Users has Read, Write and Special permissions. We will remove these entries by selecting them.


Click on Apply and Ok
Click Next and Click on Create.

Share has been created successfully, click on Close.

Go to Tools Menu from main menu, then select Active Directory Users and Computers.


Select Finance OU –> FinanceUsers and Right Click on it and Select New –> Group.



Assign the Name : Finance Data
Group Scope : Global
Group Type : Security

We have successfully added the FinanceData security group.
Next we will add the users to the security group.

Click on Users, right-click each user and select Add to a group


Enter the object names in the Enter the object names to select field, click Check Names, then click OK.

The users were added successfully.

I have added one more user named JOHN also to the Group.
Right-click the Finance Data share under the DomainControll main page and select Properties.

Select the Permissions section and click Customize permissions.
In the Advanced Security Settings for FinanceData window, click the Add button

Click the Select a principal option

Type FinanceData in the Enter the object name to select field, click the Check Names button, then click OK.
Now the other fields are editable. Select the This folder only option in the Applies to dropdown.

Click on Show advanced permissions.

This is where you can set the individual permissions, such as list, read, write, traverse and create.

Click on apply and click on Ok
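
The server-side steps above can also be scripted. The PowerShell below is an added example, not part of the original post: the folder path, OU distinguished name, member name, share-level access and the selected rights are assumptions, and it assumes the CND\Users entry shown in the dialog is the built-in Users group (well-known SID S-1-5-32-545).

```powershell
# Added example: scripted equivalent of the GUI steps (run elevated on the file server).
Import-Module ActiveDirectory

$Path    = 'D:\Shares\FinanceData'                        # assumed folder on volume D
$Share   = 'FinanceData'                                  # share name from the post
$Group   = 'FinanceData'                                  # security group from the post
$OU      = 'OU=FinanceUsers,OU=Finance,DC=cnd,DC=example' # assumed distinguished name
$Members = 'john'                                         # assumed sAMAccountName(s)

# 1. Global security group and its members
New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security -Path $OU
Add-ADGroupMember -Identity $Group -Members $Members

# 2. SMB share with access-based enumeration (share-level access is an assumed choice)
New-Item -ItemType Directory -Path $Path -Force | Out-Null
New-SmbShare -Name $Share -Path $Path -FolderEnumerationMode AccessBased `
    -FullAccess 'BUILTIN\Administrators' -ChangeAccess "CND\$Group"

# 3. Disable inheritance and convert the inherited entries into explicit ones
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)   # protect = true, keep copies = true
Set-Acl -Path $Path -AclObject $acl

# 4. Re-read the ACL (entries are now explicit) and drop every Users entry
$acl   = Get-Acl -Path $Path
$users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$acl.PurgeAccessRules($users)

# 5. Grant the group rights on "This folder only" (no inheritance, no propagation)
$rights = [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, ReadPermissions, CreateFiles, CreateDirectories'
$rule   = New-Object System.Security.AccessControl.FileSystemAccessRule("CND\$Group", $rights, 'None', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 6. Verify: list the resulting entries and warn if a broad principal is still present
$final = (Get-Acl -Path $Path).Access
$final | Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags
$broad = $final | Where-Object { $_.IdentityReference -match 'Everyone|Authenticated Users|\\Users$|Domain Users' }
if ($broad) { Write-Warning "Broad principals still on ${Path}: $($broad.IdentityReference -join ', ')" }
```

Running step 6 on its own at any later time gives a quick check that no broad entry has been added back to the folder.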

Now log in to the Finance department machine.

Add that machine to the workgroup



After restarting, try to log in with the user that we allowed in AD.

Try to access the domain controller through Run by using the command \\DOMAINCONTROLL

Yesss!!! We can see the shared drives. And it's accessible too.


Let's try with another user; let me log in as another user, martin.

No, we are not allowed to access the share.

So this is how you restrict users on a share in Active Directory. This is a way to add explicit permissions to the share in Active Directory.
As a network defender, you should know how to secure the devices properly.
We have now seen how to secure Windows endpoints in this series.
If you are interested in watching a video, you can watch it on our YouTube channel as well.
Thank you so much for listening.
See you again in the next blog.
Until then, bye from Sam
Author:
Sam Nivethan V J
Security Analyst & InfoSec Trainer