G-Stress Posted January 21, 2010 Share Posted January 21, 2010 Wondering if someone can help me understand something here. I have 2 internet connections, 2 separate networks, 1 a basic home workgroup and the other 3-4 machines on a domain provided via server 2k3. Still learning 2k3 and AD which was the purpose for the domain. My concern is one machine I use frequently my laptop is a member of the domain it's running windows 7 ultimate. I use it on the domain and off the domain. Now when off the domain for example if I connect it to the workgroup and logon to the machine with a local account and then I view my workgroup machines I see it has the "users" folder shared and I can access basically anything on this lap-top. Kinda freaked me out at first, because I've not set any policies yet besides changing the password policy. I guess my question is, would this be a setting on the DC or somewhere in GP that did this? Quote Link to comment Share on other sites More sharing options...
Sparda Posted January 21, 2010 Share Posted January 21, 2010 The firewall, block file sharing. Quote Link to comment Share on other sites More sharing options...
RogueSpear Posted January 22, 2010 Share Posted January 22, 2010 My personal rule of thumb for domain member workstations is to never use or allow local user accounts on those workstations. Quote Link to comment Share on other sites More sharing options...
G-Stress Posted January 22, 2010 Author Share Posted January 22, 2010 Ok what's confusing is how exactly did that directory become shared? I never set or allow any shares on that machine? Quote Link to comment Share on other sites More sharing options...
digip Posted January 22, 2010 Share Posted January 22, 2010 If you are logging in locally as the administrator, or at admin level on the local machine itself, you can take ownership of any folders and shares on the machine. Just because you can open it locally, does not mean others trying to connect through workgroups can open it (although windows may have it set to everyone with no password required by default - XP has a default share that everyone can see, its just not called Users). You can also right click any folders and set the sharing permissions and even set it so they have to supply a password to open it via the sharing tab and folder settings, even if they can see the folder as shared, they wont be able to open it without authenticating if you set it so. Domain level shares work pretty much the same way, unless you are not a local administrator to the machine, and are only logging into the domain, you get whatever policy is applied from the domain. If when logged in locally and you dont want people to be able to connect to that folder, you can do 1 of a few things. 1 change the share permissions and select which users are allowed to open it, or 2, disable the services used to enable access to it, which include file and printer sharing under your nic settings, as well as the services for "Computer Browser", "Server", and "ICS/Firewall" (Not sure if these are still the same names in WIndows 7). These are located in services.msc. The other option, block the ports on your local firewall software(dont rely on built in windows firewall) for ports 136-139 and port 445 as well as disable netbios over tcp/ip under your nic and in services.msc. If you set a policy to block these while logged in locally, the next time you reconnect to the domain, you may have issues, as policies applied closest to the machine itself will take effect first. I was always told it works like this: LSD - Local, Site, Domain in that order or priority. So if you login as admin on the machine locally, and not on the domain and make a policy change, it should override the domians policy if it conflicts with it and override the domains settings. I've never actually tested that in practice, but thats what I was taught. Quote Link to comment Share on other sites More sharing options...
Sparda Posted January 22, 2010 Share Posted January 22, 2010 Ok what's confusing is how exactly did that directory become shared? I never set or allow any shares on that machine? 7 shares them by default. Quote Link to comment Share on other sites More sharing options...
G-Stress Posted January 25, 2010 Author Share Posted January 25, 2010 @ digip, I'm aware of how to configure file sharing in windows, thanks though. My concern was that I had folders shared when I never set any shares, but I believe it's like Sparda said their shared by default, because I just installed another system with 7 and checked and those folders were shared. This seems to me like it would be a big security risk. I'm still new to 7, but imagine your average joe not knowing about LAN security and going to a coffee shop hopping on and setting the AP as "Home" network. Haven't tested yet, but if that's all it takes then there goes all his files open to the public. Quote Link to comment Share on other sites More sharing options...
digip Posted January 25, 2010 Share Posted January 25, 2010 If you go to my computer in XP, you will see a folder for "Shared Documents". I beleive this is the same thing in 7, just a different naming convention. If you join a workgroup in XP, this "Shared Documents" folder is always there by default. Quote Link to comment Share on other sites More sharing options...
lopez1364 Posted January 25, 2010 Share Posted January 25, 2010 You should turn off file sharing in Windows 7. Windows 7 Follow these steps to disable File Sharing on Windows 7: Click the Windows Logo button. Type file sharing in the search results window, and then touch Enter. Under "File and Printer Sharing", check to be sure that Turn off file and printer sharing is selected. Under "Public Folder Sharing", check to be sure that Turn off public folder sharing is selected. Click Save Changes. Quote Link to comment Share on other sites More sharing options...
Infiltrator Posted April 3, 2010 Share Posted April 3, 2010 You should turn off file sharing in Windows 7. Windows 7 Follow these steps to disable File Sharing on Windows 7: Click the Windows Logo button. Type file sharing in the search results window, and then touch Enter. Under "File and Printer Sharing", check to be sure that Turn off file and printer sharing is selected. Under "Public Folder Sharing", check to be sure that Turn off public folder sharing is selected. Click Save Changes. Or perhaps use a firewall, so that way no one can see or access anything from your computer. Quote Link to comment Share on other sites More sharing options...
G-Stress Posted April 3, 2010 Author Share Posted April 3, 2010 Yes, I'm aware of configuring file sharing and user permission's with windows, it just freaked me out being new to windows 7 only for a couple days to see file's were shared I didn't know about. Apparently when joining a wireless/wired network it prompts you what file's and folder's you want to share with HomeGroup and if you leave the defaults checked it will basically share your entire "User's" folder. Basically everything except root. Quote Link to comment Share on other sites More sharing options...
Charles Posted April 3, 2010 Share Posted April 3, 2010 That's strange, when I was setting up Win7 it asked me to set up a homegroup, but I clicked "skip" or "cancel" cannot remember which, but all I have shared now is ADMIN$, C$ and IPC$. *shrugs* I'll check on my W7 machine at home and see if there is anything shared. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.