Network sharing

I have recently been moved to a new site which has very sensitive information on it. They have an internal network not connected to the internet and an external one connected to the internet.

The IT person before me apparently was not very good and has rolled out 15 Windows 7 machines with a poor image.

He has not done permissions correctly on a folder where files required updating. He has also disabled file and print sharing and network discovery on the clients.

Question: To make it easier and less disruptive I wanted to enable file and print sharing on the clients so that I could change permissions on folders remotely without having to physically go on to every machine.

In the past I have always enabled file and print sharing ability for clients as I did not see it as such a security risk. But as this is a high security place, I was wondering if you had any input on it?

Also do you know of a way to remotely change the advanced network settings on clients?

I cannot even ICMP the clients from the domain controller...
 
Sounds confusing to me. Take Occam's razor (the real one) to heart. Flatten the network, one LAN, firewall on the edge, problem solved.
 
It is the first time I have worked in a high security environment.

Apparently the guy might not have set up the clients in such a way on purpose and it was suggested that I should make them accessible for administration. I am just trying to find a way to do it remotely because I want to avoid going around to each PC. But I can't seem to find a way to enable it remotely.

There is no chance of combining the two networks.
 
Sounds confusing to me. Take Occam's razor (the real one) to heart. Flatten the network, one LAN, firewall on the edge, problem solved.

Er not really, I'm guessing the 'air gap' network setup is there for a reason :)

Without knowing the company, what the data is etc you can't just say that. Is this in the financial sector?

If all you're needing to do is change permissions on some folders + files I'd go with a startup script that runs xcacls or the like to set the permissions that you want.
 
Yup I wouldn't worry about not pingable, doesn't really matter unless something needs to be able to do so to function :p

As said probably just the firewall blocking it, no big deal.

If you need to be able to detect them on the network but not allow ping then look at using nmap with one of its scan modes and no ping to see what's up.

If you get stuck with xcacls give me a shout, I used to do a lot of work with it in my software packaging days (but probably terribly rusty now!).
 
But if the PCs are still working (i.e. they still connect to the DC etc. when logging on) then that doesn't really matter.

If file and print sharing is turned off then they won't be browsable, which I'm guessing is their point for switching it off.

From this point on just assume that when browsing to the machine anything Windows share related is a no go.
 
Sounds confusing to me. Take Occam's razor (the real one) to heart. Flatten the network, one LAN, firewall on the edge, problem solved.

Agree with Ev0 ... I've come across cases, not just in the financial sector, where there have been requirements to "air gap" networks away from each other (i.e. completely separate physical network infrastructures, not just different firewalled/VLAN'ed networks) ...

Without knowing the detail of the situation, and if it is something that requires this sort of thing then it is doubtful it should be disclosed on a public forum anyway, it is impossible to say whether the current topology is correct or not. Although edge security as you suggest, instead of security in depth, is a bit old school now as it doesn't take into account threats on the internal network.

OP, if this is a secure environment then make sure you understand the requirements before considering changing any access/security settings ... if it means you have to visit each machine that needs the change then so be it. If you are going to make any other changes then make sure that your **** is covered.
 
ehhhh...what? Care to expand on that?

Because the PC will more than likely be behind an enterprise firewall which will not allow it to connect to the net unless it is being pushed through a proxy.

If there is enough security there is no call for the firewall to be enabled on the PC at all.

IMO of course.
 
It's all about defence in depth :)

What if the enterprise firewall is compromised some way?

What if the threat is already within your network?

Many reasons why you would want a firewall in place on a machine within a network.
 
To me it sounds like you are out of your depth. If it's a true 'secure' environment (which could mean a million and one things) then the consequences of what you are doing could have far greater ramifications than playing on a small office network.

Do you have any technical guidance internally that you can draw on? Do you have an internal change process that will review your proposals?

As already said, it sounds like a startup script or group policy would be the best method to resolve this without visiting each machine individually.
 
I was going to say if it's been set up like this then I'd assume you have at least some security staff to advise, or a security architect or something to talk to.
 
I spoke to the previous IT guy today and he said that he disabled file sharing on purpose for security. Which is OK. I won't have to change that, I'll just change the permissions with a login script as advised by ev0.

It is just me with 40 users, I hope I am not out of my depth :D
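
The startup-script approach suggested in the thread, as an added example that is not part of any poster's message: a PowerShell computer startup script (assigned through Group Policy, so it runs as SYSTEM on each client) that grants one group Modify on one local folder while file and print sharing stays disabled. The folder path and group name are placeholders, and the built-in Get-Acl/Set-Acl cmdlets are used here instead of xcacls.

```powershell
# Added example: computer startup script that fixes the ACL on one local folder.
# $Folder and $Group are placeholders; the thread does not name either.
$Folder = 'C:\PLACEHOLDER\Folder'
$Group  = 'EXAMPLEDOMAIN\PLACEHOLDER-Group'
$Log    = Join-Path $env:SystemRoot 'Temp\set-folder-acl.log'

function Write-Log([string]$Message) {
    # Local log so each client leaves a record of what the script did.
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $Log -Value "$stamp $env:COMPUTERNAME $Message"
}

if (-not (Test-Path -Path $Folder -PathType Container)) {
    Write-Log "SKIP: $Folder not found"
    exit 0
}

try {
    $acl    = Get-Acl -Path $Folder
    $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify

    # Idempotent: do nothing if an explicit Allow/Modify entry already exists.
    $existing = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Value -eq $Group -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $modify) -eq $modify
    }
    if ($existing) {
        Write-Log "OK: $Group already has Modify on $Folder"
        exit 0
    }

    # Grant Modify (not Full Control), inherited by subfolders and files.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'Modify', $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
    Write-Log "CHANGED: granted Modify on $Folder to $Group"
}
catch {
    # Record the failure; a non-zero exit marks the run as failed.
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

Once every client's log shows OK or CHANGED, the script can be unlinked from the policy so it does not keep running at each boot.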
 