Windows end point security – part 3
This is the third part of our Windows Endpoint Security blog series. Today we will discuss securing a Windows share in Active Directory.
Assigning unnecessary permissions to a user on a shared directory gives an attacker numerous ways of accessing the shares.
It is our responsibility to secure Active Directory shares by restricting permissions.
Let's do it.
Here I have an Active Directory domain controller set up with a domain ready.
Open Server Manager
Click on File and Storage Services
Click on Shares in the left pane.
You can see shares if you have one already, otherwise we will create one.
Click on Tasks –> New Share.
Click on the SMB Share - Quick option and click Next.
Select the server name and the volume that you want to share; here I am selecting D.
Give a share name, here it is FinanceData, and click Next.
Enable access-based enumeration in the Configure share settings window.
Click on Customize permissions button
In the Advanced Security Settings for Finance Data window, click Disable Inheritance.
Here we are disabling the inheritance that came with administrator permissions on folders and subfolders, and we will give explicit permissions instead.
Click on Convert inherited permissions into explicit permissions on this object.
The purpose of this option is to apply explicit permissions to the share.
You can see that CND\Users has Read, Write and Special permissions. We will remove these entries by selecting them.
Click on Apply and OK.
Click Next and Click on Create.
Share has been created successfully, click on Close.
Go to Tools Menu from main menu, then select Active Directory Users and Computers.
Select Finance OU –> FinanceUsers, right-click on it and select New –> Group.
Assign the Name : Finance Data
Group Scope : Global
Group Type : Security
We have successfully added the FinanceData security group.
Next we will add the users to the security group.
Click on Users, right-click each user and select Add to a group.
Fill in the Enter the object names to select field, click on Check Names, then click OK.
The users were added successfully.
I have also added one more user, named JOHN, to the group.
Right-click the Finance Data share under the DomainControll main page and select Properties.
Select Permission Section, Click Customize Permissions.
In the Advanced Security Settings for FinanceData Window Click on Add Button
Select a principal Option
Type FinanceData in the Enter the object name to select field, click the Check Names button, then click OK.
Now the other fields are editable; select the This folder only option in the Applies to dropdown.
Click on Show advanced permissions.
This is where you can set various permissions such as list, read, write, traverse and create.
Click on Apply and click on OK.
Now log in to the Finance DEPT machine.
Add that machine to the workgroup.
After restarting, try to log in with the user which we allowed in the AD.
Try to access the domain controller through Run by using the command \\DOMAINCONTROLL
Yesss!!! We can see the shared drives, and they are accessible too.
Let's try with another user; let me log in with another user, martin.
No, we are not allowed to access the share.
So this is how you restrict users on a share in Active Directory. This is a way to add explicit permissions to the share in Active Directory.
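The same configuration scripted in PowerShell on the domain controller, as an added example that is not part of the original post. The folder path, the OU distinguished name, the logon name john, the share-level grants and the ReadAndExecute, Write rights are assumptions; the post does not state them.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory, SmbShare

# Assumed values (not from the original post); adjust to your environment.
$sharePath = 'D:\Shares\FinanceData'                            # assumed folder on volume D
$groupOu   = 'OU=FinanceUsers,OU=Finance,DC=example,DC=local'   # placeholder DN
$members   = 'john'                                             # assumed logon name of user JOHN
$group     = 'Finance Data'

# 1. Security group: Global scope, Security type, then add the users.
New-ADGroup -Name $group -SamAccountName $group -GroupScope Global `
    -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity $group -Members $members

# 2. Folder and SMB share with access-based enumeration enabled.
#    Share-level grants are an assumption; the post only covers NTFS permissions.
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null
New-SmbShare -Name 'FinanceData' -Path $sharePath `
    -FolderEnumerationMode AccessBased `
    -FullAccess 'BUILTIN\Administrators' -ChangeAccess "CND\$group" | Out-Null

# 3. Disable inheritance and convert inherited entries into explicit ones
#    (first $true = protect from inheritance, second $true = keep a copy).
$acl = Get-Acl -Path $sharePath
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $sharePath -AclObject $acl

# 4. Remove every entry held by a "...\Users" principal (CND\Users in the post).
$acl = Get-Acl -Path $sharePath
$acl.Access | Where-Object { $_.IdentityReference.Value -like '*\Users' } |
    ForEach-Object { $acl.PurgeAccessRules($_.IdentityReference) }

# 5. Grant the group rights on "This folder only":
#    InheritanceFlags None + PropagationFlags None. The rights are an assumption.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "CND\$group", 'ReadAndExecute, Write', 'None', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# 6. Review the result: enumeration mode, inheritance state, remaining entries.
Get-SmbShare -Name 'FinanceData' |
    Format-List Name, Path, FolderEnumerationMode | Out-Host
$final = Get-Acl -Path $sharePath
Write-Host "Inheritance disabled: $($final.AreAccessRulesProtected)"
$final.Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited | Out-Host
```

In the final table, no entry should show IsInherited as True, and no `\Users` principal should remain.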
As a Network Defender you should know how to secure the Devices properly.
We have successfully seen how to secure Windows endpoints in this series.
If you are interested in watching a video, you can watch it on our YouTube channel as well.
Thank you so much for listening.
See you again in the next blog.
Until then Bye from Sam
Sam Nivethan V J
Security Analyst & InfoSec Trainer