
Domain Security Issue


G-Stress

Wondering if someone can help me understand something here. I have 2 internet connections and 2 separate networks: one a basic home workgroup and the other 3-4 machines on a domain provided via Server 2k3. I'm still learning 2k3 and AD, which was the purpose for the domain.

My concern is that one machine I use frequently, my laptop, is a member of the domain; it's running Windows 7 Ultimate. I use it on the domain and off the domain. Now when off the domain, for example if I connect it to the workgroup and log on to the machine with a local account and then view my workgroup machines, I see it has the "Users" folder shared and I can access basically anything on this laptop.

Kinda freaked me out at first, because I've not set any policies yet besides changing the password policy. I guess my question is, would this be a setting on the DC or somewhere in GP that did this?

Link to comment

If you are logging in locally as the administrator, or at admin level on the local machine itself, you can take ownership of any folders and shares on the machine. Just because you can open it locally does not mean others trying to connect through workgroups can open it (although Windows may have it set to everyone with no password required by default - XP has a default share that everyone can see, it's just not called Users). You can also right-click any folder and set the sharing permissions, and even set it so they have to supply a password to open it via the sharing tab and folder settings; even if they can see the folder as shared, they won't be able to open it without authenticating if you set it so. Domain level shares work pretty much the same way, unless you are not a local administrator to the machine, and are only logging into the domain, you get whatever policy is applied from the domain.

If, when logged in locally, you don't want people to be able to connect to that folder, you can do one of a few things: 1, change the share permissions and select which users are allowed to open it, or 2, disable the services used to enable access to it, which include file and printer sharing under your NIC settings, as well as the services for "Computer Browser", "Server", and "ICS/Firewall" (not sure if these are still the same names in Windows 7). These are located in services.msc. The other option: block the ports on your local firewall software (don't rely on the built-in Windows firewall) for ports 136-139 and port 445, as well as disable NetBIOS over TCP/IP under your NIC and in services.msc.

If you set a policy to block these while logged in locally, the next time you reconnect to the domain, you may have issues, as policies applied closest to the machine itself will take effect first. I was always told it works like this: LSD - Local, Site, Domain, in that order of priority. So if you log in as admin on the machine locally, and not on the domain, and make a policy change, it should override the domain's policy if it conflicts with it and override the domain's settings. I've never actually tested that in practice, but that's what I was taught.

Link to comment

@ digip, I'm aware of how to configure file sharing in Windows, thanks though. My concern was that I had folders shared when I never set any shares, but I believe it's like Sparda said, they're shared by default, because I just installed another system with 7 and checked and those folders were shared.

This seems to me like it would be a big security risk. I'm still new to 7, but imagine your average joe not knowing about LAN security and going to a coffee shop hopping on and setting the AP as "Home" network. Haven't tested yet, but if that's all it takes then there goes all his files open to the public.

Link to comment

If you go to My Computer in XP, you will see a folder for "Shared Documents". I believe this is the same thing in 7, just a different naming convention. If you join a workgroup in XP, this "Shared Documents" folder is always there by default.

Link to comment

You should turn off file sharing in Windows 7.

Windows 7

Follow these steps to disable File Sharing on Windows 7:

Click the Windows Logo button.

Type file sharing in the search results window, and then touch Enter.

Under "File and Printer Sharing", check to be sure that Turn off file and printer sharing is selected.

Under "Public Folder Sharing", check to be sure that Turn off public folder sharing is selected.

Click Save Changes.

Link to comment

  • 2 months later...
You should turn off file sharing in Windows 7.

Windows 7

Follow these steps to disable File Sharing on Windows 7:

Click the Windows Logo button.

Type file sharing in the search results window, and then touch Enter.

Under "File and Printer Sharing", check to be sure that Turn off file and printer sharing is selected.

Under "Public Folder Sharing", check to be sure that Turn off public folder sharing is selected.

Click Save Changes.

Or perhaps use a firewall, so that way no one can see or access anything from your computer.

Link to comment

Yes, I'm aware of configuring file sharing and user permissions with Windows, it just freaked me out, being new to Windows 7 for only a couple of days, to see files were shared that I didn't know about.

Apparently when joining a wireless/wired network it prompts you for what files and folders you want to share with HomeGroup, and if you leave the defaults checked it will basically share your entire "Users" folder. Basically everything except root.

Link to comment

That's strange, when I was setting up Win7 it asked me to set up a homegroup, but I clicked "skip" or "cancel" cannot remember which, but all I have shared now is ADMIN$, C$ and IPC$.

*shrugs*

I'll check on my W7 machine at home and see if there is anything shared.

Link to comment
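
The checks discussed in this thread (which folders are shared, who may open them, whether the sharing services and NetBIOS are on, and whether the firewall lets file sharing through on a public network), collected as an added example that is not part of any post above. It is read-only, uses only WMI and COM interfaces available to PowerShell 2.0 on Windows 7, and assumes an English-language system for the firewall rule group name.

```powershell
# Added example: audit what this machine exposes over SMB. Read-only.
# Run from an elevated PowerShell prompt.

# 1. Every share on the machine. Win32_Share.Type has its high bit set for
#    the administrative shares Windows creates itself (C$, ADMIN$, IPC$).
$adminBit = 2147483648
Get-WmiObject Win32_Share | ForEach-Object {
    New-Object PSObject -Property @{
        Name  = $_.Name
        Path  = $_.Path
        Admin = ($_.Type -ge $adminBit)
    }
} | Sort-Object Admin, Name | Format-Table Name, Path, Admin -AutoSize

# 2. Share-level permissions for the non-administrative shares.
#    An "Everyone" entry here is what makes a folder readable by other
#    machines on the same workgroup network.
Get-WmiObject Win32_LogicalShareSecuritySetting | ForEach-Object {
    $share = $_.Name
    $_.GetSecurityDescriptor().Descriptor.DACL | Where-Object { $_ } |
        ForEach-Object {
            "{0}: {1}\{2} accessmask=0x{3:X}" -f $share,
                $_.Trustee.Domain, $_.Trustee.Name, $_.AccessMask
        }
}

# 3. The services named in the thread: "Server" is LanmanServer and
#    "Computer Browser" is Browser.
Get-WmiObject Win32_Service -Filter "Name='LanmanServer' OR Name='Browser'" |
    Format-Table Name, DisplayName, State, StartMode -AutoSize

# 4. NetBIOS over TCP/IP per adapter:
#    0 = follow DHCP setting, 1 = enabled, 2 = disabled.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" |
    Format-Table Description, TcpipNetbiosOptions -AutoSize

# 5. Is the built-in firewall's file sharing rule group enabled, per profile?
#    "Home" and "Work" networks use the Private profile; a coffee shop
#    network should be on Public with this group disabled.
$fw    = New-Object -ComObject HNetCfg.FwPolicy2
$group = "File and Printer Sharing"   # assumption: English display name
$fwProfiles = @{ Domain = 1; Private = 2; Public = 4 }
foreach ($p in $fwProfiles.GetEnumerator()) {
    "{0,-8} file sharing rules enabled: {1}" -f $p.Key,
        $fw.IsRuleGroupEnabled($p.Value, $group)
}
"Active profile bitmask: $($fw.CurrentProfileTypes)"
```

Running it once on the domain and once on the workgroup network shows whether the active profile, and therefore the exposure, changes between the two.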