Network sharing

I have recently been moved to a new site which has very sensitive information on it. They have an internal network not connected to the internet and an external one connected to the internet.

The IT person before me apparently was not very good and has rolled out 15 Windows 7 machines with a poor image.

He has not done permissions correctly on a folder where files required updating. He has also disabled file and print sharing and network discovery on the clients.

Question: To make it easier and less disruptive, I wanted to enable file and print sharing on the clients so that I could change permissions on folders remotely without having to physically go on to every machine.

In the past I have always enabled file and print sharing ability for clients as I did not see it as such a security risk. But as this is a high security place, I was wondering if you had any input on it?

Also do you know of a way to remotely change the advanced network settings on clients?

I cannot even ICMP the clients from the domain controller...
 
It is the first time I have worked in a high security environment.

Apparently the guy might not have set up the clients in such a way on purpose and it was suggested that I should make them accessible for administration. I am just trying to find a way to do it remotely because I want to avoid going around to each PC. But I can't seem to find a way to enable it remotely.

There is no chance of combining the two networks.
 
I spoke to the previous IT guy today and he said that he disabled file sharing on purpose for security. Which is OK. I won't have to change that, I'll just change the permissions with a login script as advised by ev0.

It is just me with 40 users, I hope I am not out of my depth :D
 
I do have more technical people within the company that I work for to fall back on, but this is the sort of thing that they won't be able to help me with. I work for a managed services company, so there are a lot of engineers and more senior people. But my boss is not very good security wise.

OK, so I'll set up a start script through group policy that will change the permissions. Thanks again.
 
It is a bit of a mess but I just started there last week. So I have to learn the network and everything and fix problems. On the new Windows 7 machines that are half rolled out, the users cannot even change passwords. It comes up with "complexity requirements are not met" but the group policy does not specify complexity requirements. The group policy and AD are very unorganized and the Windows 7 machines were just cloned with no new SID or sysprep :(.

The reason I want to change permissions is because I want to update the Office templates and the guy who made the image did not give domain users write access to the folder. I guess another way would have been to point the templates to a server location. But I think it is best to have templates on the local machine due to the way Word works.
 
The backup procedure is already in place and there are no problems with security. I have just never come across this sort of network. So I was unsure on best practice.

They did not want to use full disk encryption. I will definitely try and bring that up again if I have to rebuild the Windows 7 image due to the non-sysprep image causing problems with password changing. But the first time I mentioned it to the office manager he did not think it was required and would cause a hassle. They have a BIOS boot password and have a policy on shutting down the PCs, and the building is pretty secure.
 
I tried adding the template update script to the group policy start up scripts but it still did not work with normal domain users.

Running the script as administrator works ok. I am going to have to change the permissions on the folder it seems.
 
I have tried to use group policy startup scripts to change permissions but that does not work, it comes up with access denied.

I thought that group policy start up scripts were meant to be running from elevated user context?

It seems like the start up scripts are running from the user context.
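
The access-denied result in the last posts depends on where the script is attached in the GPO: scripts under Computer Configuration > Scripts > Startup run as Local System, while scripts under User Configuration > Scripts > Logon run as the logged-on user. The PowerShell below is an added example, not part of the thread; it logs which account it runs under and only then grants the group rights on the one template folder. The folder path, group name and log path are placeholders, and granting Modify (rather than a narrower right) is an assumption.

```powershell
# Added example, not from the thread. Written for PowerShell 2.0 (Windows 7).
# ASSUMPTIONS: the three values below are placeholders, not values from the thread.
$TemplateDir = 'C:\PLACEHOLDER\OfficeTemplates'
$Group       = 'EXAMPLE\Domain Users'
$LogFile     = Join-Path $env:SystemRoot 'Temp\template-acl.log'

function Write-Log([string]$Message) {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $LogFile -Value "$stamp $Message"
}

# Record the security context first, so an "access denied" can be traced to the
# script being applied as a Logon script (user context) instead of a Startup script.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Log "Running as $($identity.Name), IsSystem=$($identity.IsSystem)"
if (-not $identity.IsSystem) {
    Write-Log 'Not Local System: probably applied as a Logon script. No changes made.'
    exit 1
}
if (-not (Test-Path -Path $TemplateDir -PathType Container)) {
    Write-Log "Folder not found: $TemplateDir"
    exit 1
}

try {
    # Allow Modify on this one folder, inherited by its files and subfolders.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl = Get-Acl -Path $TemplateDir
    $acl.AddAccessRule($rule)
    Set-Acl -Path $TemplateDir -AclObject $acl

    # Read the ACL back and log what the group now holds, as an audit trail.
    $granted = Get-Acl -Path $TemplateDir | Select-Object -ExpandProperty Access |
        Where-Object { $_.IdentityReference.Value -eq $Group -and $_.AccessControlType -eq 'Allow' }
    foreach ($entry in $granted) {
        Write-Log "Now on ACL: $($entry.IdentityReference) $($entry.FileSystemRights)"
    }
}
catch {
    # An unresolvable group name or a protected folder ends up here.
    Write-Log "ACL change failed: $($_.Exception.Message)"
    exit 1
}
```

The log line with the account name is the quickest check on each client: if it shows a user name rather than the system account, the script was linked under User Configuration.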
 