Top five vulnerabilities and how to avoid them: Shares

July 9, 2021 Claranet Limited

Shaun Webber
Penetration Tester at Claranet

Network shares are a veritable treasure trove for internal attackers looking to cause mischief. Shares are normally readable by all authenticated domain users and provide access to configuration files, documents, spreadsheets, databases, and scripts which very often contain credentials, keys, certificates, and other sensitive and possibly business-critical information. This information can be used to gain access to internal systems, elevate privileges and spread laterally throughout the network. 

As well as internal systems, credentials disclosed in shares will often grant access to external services including wireless networks, third-party services and even social media accounts, resulting in much wider impact and potential damage to the reputation of the business.

What to do 

Null Sessions / Anonymous Access 

Disable Null Sessions and Anonymous Access on all Domain Controllers and File Servers by setting the following registry and group policy settings: 

  • Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled (Default) 
  • Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled 
  • Network Access: Restrict anonymous access to Named Pipes and Shares: Enabled 

Set: 

  • HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=1 
  • HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\restrictnullsessaccess=1 

Remove BROWSER from: 

  • HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes 
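The settings above can be applied and checked from an elevated PowerShell session. The script below is an added example, not part of the original article; it assumes the usual mapping of the three policy names onto registry values (RestrictAnonymousSAM for SAM account enumeration, RestrictAnonymous for accounts and shares, RestrictNullSessAccess for named pipes and shares) and strips BROWSER from the NullSessionPipes multi-string in place:

```powershell
# Added example (not the article's own code): apply and verify the
# null-session / anonymous-access settings listed above. Run elevated.
# Assumed mapping of policy name -> registry value:
#   "Do not allow anonymous enumeration of SAM accounts"            -> Lsa\RestrictAnonymousSAM = 1
#   "Do not allow anonymous enumeration of SAM accounts and shares" -> Lsa\RestrictAnonymous = 1
#   "Restrict anonymous access to Named Pipes and Shares"           -> LanmanServer\Parameters\RestrictNullSessAccess = 1
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

$desired = @{
    "$lsa|RestrictAnonymousSAM"   = 1   # no anonymous SAM account enumeration
    "$lsa|RestrictAnonymous"      = 1   # no anonymous enumeration of accounts and shares
    "$srv|RestrictNullSessAccess" = 1   # restrict anonymous access to pipes and shares
}

function Set-NullSessionHardening {
    foreach ($entry in $desired.GetEnumerator()) {
        $path, $name = $entry.Key -split '\|'
        Set-ItemProperty -Path $path -Name $name -Value $entry.Value -Type DWord
    }
    # Remove BROWSER from the list of pipes reachable over a null session,
    # keeping any other entries the server legitimately needs.
    $pipes = (Get-ItemProperty -Path $srv -Name NullSessionPipes -ErrorAction SilentlyContinue).NullSessionPipes
    if ($pipes) {
        $filtered = [string[]]@($pipes | Where-Object { $_ -and $_ -ne 'BROWSER' })
        Set-ItemProperty -Path $srv -Name NullSessionPipes -Value $filtered -Type MultiString
    }
}

function Test-NullSessionHardening {
    # Returns one line per deviation; an empty result means compliant.
    $findings = @()
    foreach ($entry in $desired.GetEnumerator()) {
        $path, $name = $entry.Key -split '\|'
        $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($actual -ne $entry.Value) {
            $findings += "$name is '$actual', expected $($entry.Value)"
        }
    }
    $pipes = (Get-ItemProperty -Path $srv -Name NullSessionPipes -ErrorAction SilentlyContinue).NullSessionPipes
    if ($pipes -contains 'BROWSER') { $findings += 'NullSessionPipes still lists BROWSER' }
    return $findings
}

Set-NullSessionHardening
$result = Test-NullSessionHardening
if ($result.Count -eq 0) { 'All null-session settings compliant' } else { $result }
```

On domain-joined hosts the Group Policy setting is authoritative and will overwrite a differing local value at the next refresh, so use the GPO for the estate-wide rollout and keep Test-NullSessionHardening as the per-host check that the policy actually landed on every domain controller and file server.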

Guest Access 

Unless used as a shared PC or in a kiosk scenario, the "Guest" account should be disabled estate wide.  

Least Privilege 

Implement a robust access management schema that enforces the principle of least privilege and only gives users access to the shares they require. Define permissions explicitly in Security Groups and avoid the use of the "Everyone" and "Authenticated Users" identifiers. Management of groups can be devolved to teams and Information Asset Owners to reduce the support overhead. 

Encryption 

Add an additional layer of protection to sensitive information by encrypting it at rest. Rather than clear-text spreadsheets and text files, use a secure encrypted password manager to store account information. Consider using strong key-based authentication like GPG to secure archived sensitive documents. 

Audits 

Perform regular audits to identify and locate sensitive and business-critical data stored on shares. Ensure that data is minimised and can only be accessed by those that require it. As people move around the organisation and get promoted, they will often accumulate access to systems, services and files that they no longer need. Ensure that access to shares is revoked as people change role or leave the organisation.  
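The least-privilege and audit advice above come together in a share-permission review. The script below is an added example rather than the article's own tooling: it lists every non-administrative SMB share on a file server whose share-level or NTFS ACL grants access to a broad identity (Everyone, Authenticated Users, BUILTIN\Users, Domain Users), and it offers a remediation function that grants a named security group before removing the broad grants. The share name 'Finance' and group 'CORP\Finance-Data-Modify' are placeholders.

```powershell
# Added example (not the article's own code): audit SMB shares on this server
# for grants to broad identities, then replace them with an explicit group.
# Requires the SmbShare module (Windows Server 2012 / Windows 8 and later).
$broadIdentities = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$broadPattern    = '\\Domain Users$'   # matches <DOMAIN>\Domain Users for any domain

function Test-BroadIdentity([string]$Identity) {
    return ($Identity -in $broadIdentities) -or ($Identity -match $broadPattern)
}

function Get-BroadShareGrants {
    param([string[]]$ExcludeShares = @('ADMIN$', 'C$', 'IPC$', 'print$'))
    $findings = @()
    foreach ($share in Get-SmbShare | Where-Object { $_.Name -notin $ExcludeShares -and $_.Path }) {
        # Share-level ACL
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccessControlType -eq 'Allow' -and (Test-BroadIdentity $ace.AccountName)) {
                $findings += [pscustomobject]@{
                    Share = $share.Name; Layer = 'Share'; Identity = $ace.AccountName; Right = $ace.AccessRight
                }
            }
        }
        # NTFS ACL on the shared folder; the effective permission is the
        # more restrictive of the two layers, so both must be reviewed.
        foreach ($ace in (Get-Acl -Path $share.Path).Access) {
            $id = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and (Test-BroadIdentity $id)) {
                $findings += [pscustomobject]@{
                    Share = $share.Name; Layer = 'NTFS'; Identity = $id; Right = $ace.FileSystemRights
                }
            }
        }
    }
    return $findings
}

function Set-ExplicitShareAccess {
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$GroupName,   # e.g. 'CORP\Finance-Data-Modify' (placeholder)
        [ValidateSet('Read', 'Change', 'Full')][string]$AccessRight = 'Change'
    )
    # Grant the security group first so legitimate users keep access during the change...
    Grant-SmbShareAccess -Name $ShareName -AccountName $GroupName -AccessRight $AccessRight -Force | Out-Null
    # ...then drop the broad identities from the share-level ACL.
    foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
        if (Test-BroadIdentity $ace.AccountName) {
            Revoke-SmbShareAccess -Name $ShareName -AccountName $ace.AccountName -Force | Out-Null
        }
    }
}

Get-BroadShareGrants | Format-Table -AutoSize
# Remediate one share once the owning team has confirmed the group membership:
# Set-ExplicitShareAccess -ShareName 'Finance' -GroupName 'CORP\Finance-Data-Modify' -AccessRight Change
```

Set-ExplicitShareAccess only rewrites the share-level ACL; NTFS grants flagged with Layer 'NTFS' need the same treatment on the folder itself (for example with icacls or Set-Acl), otherwise the broad identity still reaches the data through any other share or local path. Running Get-BroadShareGrants on a schedule and diffing the output against the last run turns the one-off review into the regular audit the article asks for.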
