In daily office work we routinely share documents and directories on our computers for convenience, so that colleagues can use them.
It is easy, however, to forget to stop sharing a folder once it is no longer needed, and anyone on the network with bad intentions can then damage its contents. Group policy can be used to protect shared folders against this.
1. Forbid null-password sharing
By default, Windows allows remote users to open a null-user (anonymous) connection and retrieve the list of a computer's shared resources together with all of its account names. With this function enabled it is easy for others to use a blank password or other methods to crack the share password and get into the shared directory.
So first we disable anonymous enumeration of SAM accounts and shares. Open the "Run" dialog from the Start menu and type "gpedit.msc" to start the Group Policy Editor. In the left pane follow Computer Configuration—Windows Settings—Security Settings—Local Policies—Security Options, then in the right pane double-click "Network access: Do not allow anonymous enumeration of SAM accounts and shares", select "Disabled" in the dialog that opens and click "OK" to save the setting. After this, unauthorized users can no longer obtain the share information and the account list directly.
2. Disable anonymous SID/name translation
Although we have now stopped unauthorized users from listing accounts, they can still learn the real name of the built-in administrator account from that account's SID. To close this, go to Computer Configuration—Windows Settings—Security Settings—Local Policies—Security Options and set "Network access: Allow anonymous SID/Name translation" to "Disabled". Note that this can cause computers running older versions of Windows to have problems accessing shared resources, so if several versions of the system coexist on the network, use this setting with care.
3. Modify the objects that can be accessed anonymously
For security and practicality, many of the default settings of Windows XP do not match the user's requirements. The anonymous access settings under network access cover shares, named pipes and registry paths.
So open the Group Policy Editor, go to Computer Configuration—Windows Settings—Security Settings—Local Policies—Security Options, double-click "Network access: Shares that can be accessed anonymously", delete every entry in the window that opens, and then, according to your own needs, add only those folders that genuinely have to be available to all users over a long period. Note: before adding these shared folders you must set their NTFS permissions first. When assigning permissions, follow the principle of least privilege: do not grant an account permissions it does not need, and do not grant permissions to unnecessary accounts.
Likewise, after changing the anonymous shares, double-click "Network access: Named Pipes that can be accessed anonymously" and "Network access: Remotely accessible registry paths" and remove all entries that are not needed.
4. Disable unauthorized access
To follow the principle of least privilege, we can tightly restrict which accounts may access the computer over the network. In the Group Policy Editor go to Computer Configuration—Windows Settings—Security Settings—Local Policies—User Rights Assignment, double-click "Access this computer from the network" in the right pane, add the accounts that need network access, and remove accounts such as Everyone and Guest. If the administrator does not need remote access, it can be removed in the same way, leaving only the accounts authorized to reach the shared directory. Then open "Deny access to this computer from the network" and apply the same treatment, adding the accounts authorized for share access and removing all other users.
5. Set the correct access mode
For access to shared files, Windows XP offers the Classic and Guest-only models. For convenience many people choose "Guest only", under which every network logon automatically uses the Guest account to reach the shared directory; in effect everyone can access it freely, and no precise access control over the shared resource is possible.
We therefore suggest double-clicking "Network access: Sharing and security model for local accounts" in the "Security Options" list and setting it to "Classic - local users authenticate as themselves". Note, though, that under the classic model access requires only the name of a local account, and many user accounts have no password set, so this alone is still not safe: local accounts must be protected with passwords.
6. Prevent the Everyone group's permissions from extending to anonymous users
Many people think anonymous users have the same permissions as the Everyone group. That view is quite wrong: although some permissions overlap, the two are not identical, and by default the Everyone group has more permissions than an anonymous user. Windows XP, however, can let the Everyone group's permissions apply to anonymous users, and we have to stop this. In group policy open "Security Options", double-click "Network access: Let Everyone permissions apply to anonymous users" in the right pane and set it to "Disabled". Even with it disabled, we still advise against granting excessive permissions directly to the Everyone group, because that violates the principle of least privilege.
7. Disable blank-password interactive logon
To cover the case where the administrator forgets to set a password when creating an account and so grants access to a local account with no password, we can deny local accounts with a blank password the right to log on interactively and to access the shared directory.
Under "Security Options" double-click "Accounts: Limit local account use of blank passwords to console logon only" and set it to "Enabled". At the same time, to stop the administrator from choosing passwords that are too simple, go to Account Policies—Password Policy under "Security Settings" in the Group Policy Editor and configure "Minimum password length" and "Password must meet complexity requirements".
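Settings made in the Group Policy Editor can be exported with secedit and checked as text, which is a convenient way to confirm that sections 1 to 7 have actually taken effect on every machine. The script below is an added example, not part of the original article; it assumes the policy was exported with `secedit /export /cfg policy.inf`, and the SAMPLE_INF it reads is a constructed export in that INF layout with two settings left at their defaults.

```python
"""Check an exported local security policy against the share-hardening goals
described above (added example, not from the article).  Assumes the policy
was exported with  secedit /export /cfg policy.inf ; SAMPLE_INF is a
constructed export in that layout, with two settings left at defaults."""
import configparser

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"  # (section, entry) -> value; "4," = REG_DWORD
BASELINE = {
    ("Registry Values", LSA + r"\RestrictAnonymousSAM"): "4,1",      # no anonymous SAM enumeration
    ("Registry Values", LSA + r"\RestrictAnonymous"): "4,1",         # no anonymous share enumeration
    ("Registry Values", LSA + r"\EveryoneIncludesAnonymous"): "4,0", # Everyone does not cover anonymous
    ("Registry Values", LSA + r"\ForceGuest"): "4,0",                # classic model, not Guest only
    ("Registry Values", LSA + r"\LimitBlankPasswordUse"): "4,1",     # blank passwords: console only
    ("System Access", "LSAAnonymousNameLookup"): "0",                # no anonymous SID/name translation
    ("System Access", "PasswordComplexity"): "1",
    ("Event Audit", "AuditObjectAccess"): "3",                       # 3 = success and failure
}
MIN_PASSWORD_LENGTH = 8  # assumed threshold; the article sets no number

SAMPLE_INF = r"""[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
LSAAnonymousNameLookup = 0
[Event Audit]
AuditObjectAccess = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
"""

def audit_policy(inf_text):
    """Return [(entry, expected, actual)] for every setting that deviates."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep registry paths exactly as written
    cp.read_string(inf_text)
    findings = []
    for (section, entry), expected in BASELINE.items():
        actual = cp.get(section, entry, fallback="<missing>").strip()
        if actual != expected:
            findings.append((entry, expected, actual))
    length = int(cp.get("System Access", "MinimumPasswordLength", fallback="0"))
    if length < MIN_PASSWORD_LENGTH:
        findings.append(("MinimumPasswordLength", str(MIN_PASSWORD_LENGTH), str(length)))
    return findings

if __name__ == "__main__":
    for entry, want, got in audit_policy(SAMPLE_INF):
        print(f"DEVIATION {entry}: expected {want}, found {got}")
```

On the sample export the check reports RestrictAnonymous still at 0 and a minimum password length of 0, which are exactly the two settings a forgotten step would leave behind.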
8. Record access
With logging we can record the visits and operations every account performs on the shared directory. For the log to record them, auditing of object access must be turned on. Open the Group Policy Editor, choose "Audit Policy" under "Local Policies", double-click "Audit object access" in the right pane and, in the window that opens, tick both "Success" and "Failure".
Next open the Properties window of the shared directory, on the "Security" tab click the "Advanced" button, switch to the "Auditing" tab, click "Add", add all accounts that have permission to access the shared directory, and save the setup.
Afterwards open "Control Panel"—Administrative Tools, double-click "Event Viewer" and look for events with IDs 560, 562 and 564; these show the details of each access.
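Reading those events one by one in Event Viewer quickly becomes tedious, so a small script that groups them by account and raises the deletions and unexpected accounts first is worth having. The following is an added example, not from the original article; it assumes the events were exported as tab-separated lines (date, time, event ID, account, object name, requested accesses), and both that layout and the sample lines are constructed rather than Event Viewer's own export format.

```python
"""Summarise object-access audit events (IDs 560, 562, 564) from the Security
log for a shared directory (added example, not from the article).  Assumes the
events were exported as tab-separated lines: date, time, event ID, account,
object name, requested accesses; this layout and the lines are constructed."""
from collections import defaultdict

EVENT_OPEN, EVENT_CLOSE, EVENT_DELETE = "560", "562", "564"
WRITE_LIKE = {"WriteData", "AppendData", "DELETE", "WRITE_DAC", "WRITE_OWNER"}

SAMPLE_EVENTS = """\
2010-03-01\t09:12:01\t560\tOFFICE\\alice\tD:\\Share\\budget.xls\tREAD_CONTROL ReadData
2010-03-01\t09:12:05\t562\tOFFICE\\alice\tD:\\Share\\budget.xls\t
2010-03-01\t09:40:17\t560\tOFFICE\\bob\tD:\\Share\\plan.doc\tWriteData AppendData
2010-03-01\t09:41:02\t560\tOFFICE\\carol\tD:\\Share\\plan.doc\tDELETE
2010-03-01\t09:41:02\t564\tOFFICE\\carol\tD:\\Share\\plan.doc\t
"""

def parse_events(text):
    """Turn the exported lines into dicts; a 562/564 line has no access list."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event_id, account, obj, accesses = line.split("\t")
        rows.append({"when": f"{date} {time}", "id": event_id, "account": account,
                     "object": obj, "accesses": set(accesses.split())})
    return rows

def review(rows, allowed_accounts):
    """Return (summary, alerts): summary maps account -> objects opened; alerts
    lists opens by accounts outside the allowed set, write-type access, and
    every deletion (564), so changes to the share are seen first."""
    summary = defaultdict(set)
    alerts = []
    for r in rows:
        if r["id"] == EVENT_OPEN:
            summary[r["account"]].add(r["object"])
            if r["account"] not in allowed_accounts:
                alerts.append(("unauthorized account", r["when"], r["account"], r["object"]))
            if r["accesses"] & WRITE_LIKE:
                alerts.append(("write access", r["when"], r["account"], r["object"]))
        elif r["id"] == EVENT_DELETE:
            alerts.append(("object deleted", r["when"], r["account"], r["object"]))
    return dict(summary), alerts

if __name__ == "__main__":
    summary, alerts = review(parse_events(SAMPLE_EVENTS), {"OFFICE\\alice", "OFFICE\\bob"})
    for account, objects in summary.items():
        print(account, "opened", sorted(objects))
    for alert in alerts:
        print("ALERT", *alert)
```

The allowed-account set should be the same list of accounts granted "Access this computer from the network" in section 4, so that any account appearing in the log outside it is immediately visible.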
In fact, security is not as complicated as we imagine: as long as we prepare adequately and make full use of the defensive measures the system provides, we can keep most intrusion and damage away.