Accessing c$ from user -> user machines


Cstorms (IS-IT--Management, US), Sep 29, 2006
Hello, I brought this up before but I didn't really explain it well, I think was the case. So here goes..

So I can log onto a machine using a proprietary user account that has limited access within AD. However, they can navigate to other user machines and access the administrative share by just entering in the machine name and \c$. I know this is terribly bad, and as a stopgap we have just enabled the firewall service. I know that when we disable file and print sharing (which we should have done anyway) it goes away. What I am wondering is, since I cannot get this implemented (not the decision maker), what (or if) is the security setting that would be set to disable this horrible security flaw.

I have looked up and down in local users and groups and cannot find a set of users that should possibly have access to this feature. Maybe I am just way off. Thanks in advance fellers
 
I don't think I've ever found it in group policy. I had to go to the registry and edit 2 entries to lock it down.

System\CurrentControlSet\Services\Lanmanserver\Parameters
ValueName = "AutoShareServer"
Dword Value of "0"

and

ValueName = "AutoShareWks"
Dword Value of "0"

I could have sworn I had a good website for additional settings in the registry you should look at, but can't find the site. I did, however, copy the info into a Word doc:

Code:
I haven't seen much on Registry Security so I took the time out to put something together:
Important! Learn the registry settings before enabling/disabling them.
These registry tweaks are for Windows NT4, Windows 2000 and Windows XP.

disabling IP Forwarding
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"IPENABLEROUTER"=DWORD:00000000

disallow fragmented IP
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\IPFILTERDRIVER\PARAMETERS]
"ENABLEFRAGMENTCHECKING"=DWORD:00000001

disabling ICMP-Redirect
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"ENABLEICMPREDIRECTS"=DWORD:00000000

enabling TCP/IP-Filtering
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"ENABLESECURITYFILTERS"=DWORD:00000001

disallow forwarding of fragmented IP packets
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\IPFILTERDRIVER\PARAMETERS]
"DEFAULTFORWARDFRAGMENTS"=DWORD:00000000

restart if Eventlog fails
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"CRASHONAUDITFAIL"=DWORD:00000001

Winsock Protection
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\AFD\PARAMETERS]
"ENABLEDYNAMICBACKLOG"=DWORD:00000020
"MAXIMUMDYNAMICBACKLOG"=DWORD:00020000
"DYNAMICBACKLOGGROWTHDELTA"=DWORD:00000010

Denial-of-Service Protection
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"SYNATTACKPROTECT"=DWORD:00000002
"TCPMAXDATARETRANSMISSIONS"=DWORD:00000003
"TCPMAXHALFOPEN"=DWORD:00000064
"TCPMAXHALFOPENRETRIED"=DWORD:00000050
"TCPMAXPORTSEXHAUSTED"=DWORD:00000001
"TCPMAXCONNECTRESPONSERETRANSMISSIONS"=DWORD:00000002
"ENABLEDEADGWDETECT"=DWORD:00000000
"ENABLEPMTUDISCOVERY"=DWORD:00000000
"KEEPALIVETIME"=DWORD:00300000
"ALLOWUNQUALIFIEDQUERY"=DWORD:00000000
"DISABLEDYNAMICUPDATE"=DWORD:00000001

Disable Router-Discovery
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES]
"PERFORMROUTERDISCOVERY"=DWORD:00000000

Disabling DomainMaster
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\BROWSER\PARAMETERS]
"MAINTAINSERVERLIST"="No"
"ISDOMAINMASTER"="False"

Disable Netbios-Name exposing
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NETBT\PARAMETERS]
"NONAMERELEASEONDEMAND"=DWORD:00000001

Fix for MS DNS Compatibility with BIND versions earlier than 4.9.4
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DNS\PARAMETERS]
"BINDSECONDARIES"=DWORD:00000001

disabling Caching of Logon-Credentials (possible also with USRMGR.EXE)
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"CACHEDLOGONSCOUNT"=DWORD:00000001

disabling IP-Source-Routing
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"DISABLEIPSOURCEROUTING"=DWORD:00000001

allow only MS CHAP v2.0 for VPN connections
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PPP]
"SECUREVPN"=DWORD:00000001

disabling caching of RAS-Passwords
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PARAMETERS]
"DISABLESAVEPASSWORD"=DWORD:00000001

Printer installation only by Admins/Print Operators
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\PRINT\PROVIDERS\LANMAN PRINT SERVICES\SERVERS]
"ADDPRINTDRIVERS"=DWORD:00000001

disabling Administrative Shares NT4.0 Server (C$, D$, E$ etc)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]
"AUTOSHARESERVER"=DWORD:00000000

disabling Administrative Shares NT4.0 Workstation (C$, D$, E$ etc)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]
"AUTOSHAREWKS"=DWORD:00000000

allow only authenticated PPP Clients
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PPP]
"FORCEENCRYPTEDPASSWORD"=DWORD:00000002

enabling RAS-Logging
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PARAMETERS]
"LOGGING"=DWORD:00000001

disabling NTFS 8.3 Name generation
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\FILESYSTEM]
"NTFSDISABLE8DOT3NAMEGENERATION"=DWORD:00000001

disallow anonymous IPC-Connections
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"RESTRICTANONYMOUS"=DWORD:00000001

enabling SMB Signatures (Server)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]
"REQUIRESECURITYSIGNATURE"=DWORD:00000001

enabling SMB Signatures (Client)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RDR\PARAMETERS]
"REQUIRESECURITYSIGNATURE"=DWORD:00000001

NT LSA DoS (Phantom) Vulnerability
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG]
"AUTO"="0"

MDAC runs in secured [1] / unsecured [0] Mode
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\DATAFACTORY\HANDLERINFO]
"HANDLERREQUIRED"=DWORD:00000001

disable Lan Manager authentication
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"LMCOMPATIBILITYLEVEL"=DWORD:00000002
Level 0 - Send LM response and NTLM response; never use NTLMv2
Level 1 - Use NTLMv2 session security if negotiated
Level 2 - Send NTLM response only
Level 3 - Send NTLMv2 response only
Level 4 - DC refuses LM responses
Level 5 - DC refuses LM and NTLM responses (accepts only NTLMv2)

disabling DCOM (possible also with DCOMCNFG.EXE)
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\OLE]
"ENABLEDCOM"="N"

restrict Null-User-/Guest-Access to Eventlog
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION]
"RESTRICTGUESTACCESS"=DWORD:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\SECURITY]
"RESTRICTGUESTACCESS"=DWORD:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\SYSTEM]
"RESTRICTGUESTACCESS"=DWORD:00000001

disable displaying last logged in user (1=hidden 0=shown)
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"DONTDISPLAYLASTUSERNAME"="1"

restrict Floppy-/CD-ROM-access to the currently logged on user
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"ALLOCATEFLOPPIES"="1"
"ALLOCATECDROMS"="1"

no Autorun for CD-ROM (1=enabled 0=disabled)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\CDROM]
"AUTORUN"=DWORD:00000000

clear pagefile on shutdown
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\MEMORY MANAGEMENT]
"CLEARPAGEFILEATSHUTDOWN"=DWORD:00000001

enabling Screensaver Lockout
[HKEY_USERS\.DEFAULT\CONTROL PANEL\DESKTOP]
"SCREENSAVEACTIVE"="1"

disabling OS/2 Subsystem (if not needed): delete the value
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\SUBSYSTEMS]
NAME: OS2

disabling POSIX Subsystem (if not needed): delete the value
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\SUBSYSTEMS]
NAME: POSIX

run IIS CGI with context of "IUSR_computername"
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]
"CreateProcessAsUser"=dword:00000001

Security Message (Logon)
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"Welcome"="   Unauthorized Access is prohibited "

Policies (1=enabled 0=disabled)
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS NT\PROGRAM MANAGER\RESTRICTIONS]
[HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS NT\PROGRAM MANAGER\RESTRICTIONS]
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM]

enable logging of successful http requests
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]
"LogSuccessfulRequests"=dword:00000001

disable IIS FTP bounce attack (IIS 2/3)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\MSFTPSVC\PARAMETERS]
"EnablePortAttack"=dword:00000000

enable logging of bad http requests
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]
"LogErrorRequests"=dword:00000001

After you make your registry tweaks do a Start/Run regedt32/Security/Permissions.
Go to the hives you made the changes and set permissions to each key so they can't be changed.

I took the time out to individually make these 43 registry tweaks separately with their titles into one zip file...Enjoy..

Feel free to add to this thread if you have others not listed here.
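As an added example (not from the thread or its posters), a PowerShell script that audits the two LanmanServer values the reply above names, applies them with -Fix, and then shows which hidden administrative shares the host is actually offering right now; it assumes an elevated prompt on the workstation being checked.

```powershell
# Added example, not from the thread: audit (and with -Fix, set) AutoShareWks/AutoShareServer,
# then list the hidden ($) shares currently offered. Run in an elevated prompt on the workstation.
param([switch]$Fix)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Hardened values from the reply above. An absent value is the default: shares recreated at boot.
$expected = @{ AutoShareWks = 0; AutoShareServer = 0 }

$drift = @()
foreach ($name in $expected.Keys) {
    $item    = Get-ItemProperty -Path $lanman -Name $name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.$name } else { $null }
    $shown   = if ($null -eq $current) { '<absent>' } else { $current }
    Write-Host ("{0,-16} current={1,-9} expected={2}" -f $name, $shown, $expected[$name])
    if ($current -ne $expected[$name]) { $drift += $name }
}

if ($drift -and $Fix) {
    foreach ($name in $drift) {
        # DWORD 0 stops the Server service from recreating C$, D$, ADMIN$ on its next start.
        New-ItemProperty -Path $lanman -Name $name -PropertyType DWord -Value $expected[$name] -Force |
            Out-Null
    }
    Write-Host "Set $($drift -join ', '); restart the Server service (or reboot) to apply."
} elseif ($drift) {
    Write-Warning "Not hardened: $($drift -join ', ') (re-run with -Fix to set them)."
}

# Live view: 'net share' works on every Windows version; names ending in '$' are hidden shares.
Write-Host "`nHidden shares currently offered by this host:"
net share | Select-String -Pattern '^\s*(\S+\$)\s' |
    ForEach-Object { '  ' + $_.Matches[0].Groups[1].Value }

# A later reply notes the old default ACL gave Everyone Full Control on C:; check that as well.
$everyone = (Get-Acl -Path 'C:\').Access | Where-Object { $_.IdentityReference -eq 'Everyone' }
if ($everyone) { Write-Warning "Everyone has '$($everyone.FileSystemRights -join ', ')' on C:\" }
```

Note that removing the automatic shares only hides them; a user who is a local administrator on the target can still reach the volume through any other share, so the membership checks discussed later in the thread matter just as much.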
 
You'll probably have to remove the Everyone group from the security settings of the local drives on each machine. If I remember correctly, Windows 2000 default permissions on the C drive were Full Control for Everyone. I never understood this.
 
Are these machines imaged from the same source? Did you change the SID when you re-imaged?

 
Something is very wrong here and it's likely to be what nsantin is suggesting or your users are logging on as local admins and they all have the same password but it sounds more like the first issue to me.

Take a look at the link below.

When you are the IT director, it's your job to make sure the IT works. If it does work they know already and if it doesn't, they don't want to hear your pathetic excuses.
 
When you change the computer name and then join the domain, don't they receive a different SID automatically? And thank you much for the registry key idea.
 
Whoops, noticed in that article that it DOES NOT get a new SID by just changing the name and joining.
 
Hey pork, I quoted the following from that site and it gives conflicting advice. First it says it does not change the SID but then in the 3rd paragraph it states that it received a domain based SID. Can you please clear this up? Thank you!

-----------------------------------------------------------
Note that just changing the computer name or adding the computer to a different domain does not change the computer SID. Changing the name or domain only changes the domain SID if the computer was previously associated with a domain.

To understand the problem that cloning can cause, it is first necessary to understand how individual local accounts on a computer are assigned SIDs. The SIDs of local accounts consist of the computer's SID and an appended RID (Relative Identifier). The RID starts at a fixed value, and is increased by one for each account created. This means that the second account on one computer, for example, will be given the same RID as the second account on a clone. The result is that both accounts have the same SID.

Duplicate SIDs aren't an issue in a Domain-based environment since domain accounts have SIDs based on the Domain SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of Windows NT", in a "Workgroup environment" security is based on local account SIDs. Thus, if two computers have users with the same SID, the Workgroup will not be able to distinguish between the users. All resources, including files and Registry keys, that one user has access to, the other will as well.
---------------------------------------------------------

 
The station ID remains the same and is appended with the domain ID. It might be worth testing NewSID on one PC to see if it solves the issue.

Did you say that the domain user account is just a basic domain user?

If you look in the local administrators group on a workstation what users and groups are listed?
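The two diagnostic questions in this thread (are the cloned workstations carrying the same machine SID, and who is really in the local Administrators group) can be checked from one script. This is an added example, not code from the thread; it assumes WMI/RPC access and admin rights on the targets, and the computer names in $Computers are constructed placeholders.

```powershell
# Added example, not from the thread: report each workstation's machine SID (to spot clones that
# were never re-SIDed) and the fully expanded membership of its local Administrators group.
param([string[]]$Computers = @('WS-CLONE-01', 'WS-CLONE-02'))   # constructed placeholder names

# Machine SID = SID of any local account with the trailing RID removed (the rule the quoted
# article describes: local account SID = machine SID + RID).
function Get-MachineSid([string]$Computer) {
    $acct = Get-WmiObject Win32_UserAccount -ComputerName $Computer -Filter "LocalAccount=True" |
            Select-Object -First 1
    if ($acct) { $acct.SID -replace '-\d+$', '' }
}

# Members of a group via the ADSI WinNT provider, expanding nested domain groups (depth-limited,
# cycle-safe), so a "basic domain user" hiding inside a nested group still shows up.
function Get-GroupMembersRecursive([string]$AdsPath, [int]$Depth = 0, [hashtable]$Seen = @{}) {
    if ($Seen.ContainsKey($AdsPath) -or $Depth -gt 4) { return }
    $Seen[$AdsPath] = $true
    foreach ($m in ([ADSI]$AdsPath).psbase.Invoke('Members')) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        [pscustomobject]@{ Depth = $Depth; Class = $class; Member = ($path -replace '^WinNT://', '') }
        if ($class -eq 'Group') { Get-GroupMembersRecursive $path ($Depth + 1) $Seen }
    }
}

$sids = @{}
foreach ($c in $Computers) {
    $sid = Get-MachineSid $c
    Write-Host "== $c  machine SID: $sid"
    if ($sid) {
        if (-not $sids.ContainsKey($sid)) { $sids[$sid] = @() }
        $sids[$sid] += $c
    }
    $members = Get-GroupMembersRecursive "WinNT://$c/Administrators,group"
    $members | Format-Table -AutoSize
    # The usual culprit: a broad domain group nested into local Administrators.
    $broad = $members | Where-Object { $_.Member -match 'Domain Users|Authenticated Users|Everyone' }
    if ($broad) { Write-Warning "$c grants local admin to a broad group: $($broad.Member -join ', ')" }
}

# Two clones sharing a machine SID also share every local account SID (same RID sequence).
foreach ($entry in $sids.GetEnumerator()) {
    if ($entry.Value.Count -gt 1) {
        Write-Warning "Duplicate machine SID $($entry.Key) on: $($entry.Value -join ', ')"
    }
}
```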
 
The only enabled user account is the admin, which is a member of the obvious admin group, and that's it. Also a vmware user that was used for testing vmserver on this machine, but that's non-important. As far as groups, the standard when you install XP, but only appropriate users are members of these groups. I kind of doubt that's the issue but who knows. Thanks for your help
 
How many machines is this affecting?

Can any domain user browse to remote C: drives, if you create a new user can they do it?
 
Well I was curious what would happen if I disabled sharing on the c$ on this local machine, and it came up with what I think is standard about being created for "administrative purposes only" and about being recreated when the machine got restarted. Well, I figured something along the lines of maybe this will reset something... Just one of those gotta try it once, and lo and behold, after I restarted it acted as if I hadn't changed anything, but instead of letting users unfettered access to it, now it prompts for a login. So.. even though I don't know what it changed exactly, it ended up working.
Thanks for all your advice, it's always appreciated! (And if anyone knows what the heck doing this had a direct effect on, please reply)
 
CStorm, I already posted a link at the end of your FIRST POSTING for you to get information on NEWSID and how to download it from sys-internals.


here is the link again:
On your 1st posting you said that these were imaged machines. Changing a domain does NOT change the SID.

BTW, if you're going to ignore someone's advice then don't repost the same question as a new thread, that's bad forum etiquette.
 
No no no, don't get the wrong idea. I had gone over your advice and I had come to the conclusion that the error was on my end because that originally did not help, and in this case I am not sure if it was coincidence or what, because I ran that utility (on a different machine) and it did not change anything. So this time I ran it, restarted, and nothing, it seemed, had on the surface changed, so I dinked around a bit more and bumped into something that made it work, albeit not very understandably in my eyes.

Again I thought maybe it was the way I explained it that I would get a different response. Not trying to hound attention on the boards, sorry if any offense was taken.
 