[Gllug] Securing XP

Liam Smit liam.smit at gmail.com
Thu Apr 14 00:46:32 UTC 2005


> >>> Nope. I added a Linux/Samba box to my Windows 2000 Server network. I
> >>> saw the C$ share on the domain controller and opened it just like any
> >>> other. This is a bit of a problem because that share is required for a
> >>> number of purposes, it's pretty much impossible to work without it.
> >>
> >> If the contents of that share can be viewed from the network by J.
> >> Random User, then that system is misconfigured.
> >
> >I believe that by default all shares with a $ appended to the name
> >become invisible as far as browsing is concerned - it should only be
> >full administrators that can access the share.
> 
> That could be it. IIRC the account I used for Samba was an
> administrator.
> 
> Yup! I can see the contents of C$ from Windows, when logged in as an administrator.

I keep my hair short, this has prevented me pulling it out when
dealing with Samba & Windows permissions.

The request was to have only a part of a username / password protected
samba share visible to one person, with everything else visible to
various people. I.e. allow the guest / intern to view one folder on
the share and everyone else could put things there for them on an as
needed basis.

Unfortunately the server had been originally configured to show
everything except that which was locked down to specific users or
groups only. I.e. by default everything is available once you've
authenticated yourself. Working on live servers when you are changing
what people are allowed to see is not always fun. Rather stressful
every time a user complains that they can't see certain files on the
share.

Depending on which version of Windows (2000 or XP in this case) was in
use, the behaviour of what was visible would change. I tried plenty of
combinations of unix file permissions, groups and samba users and
permissions.

As a temporary solution I mapped a subset of the share as a Windows
network drive while the person was in the office for a few weeks.

I think the easiest method would have been to create a new share.

Moral of the story, cut your hair short.

Regards
Liam
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug



