Network shares are a veritable treasure trove for internal attackers looking to cause mischief. Shares are normally readable by all authenticated domain users and provide access to configuration files, documents, spreadsheets, databases, and scripts which very often contain credentials, keys, certificates, and other sensitive and possibly business-critical information. This information can be used to gain access to internal systems, elevate privileges and spread laterally throughout the network.
As well as internal systems, credentials disclosed in shares will often grant access to external services including Wireless Networks, third party services and even Social Media accounts, resulting in much wider impact and potential damage to the reputation of the business.
What to do
Null Sessions / Anonymous Access
Disable Null Sessions and Anonymous Access on all Domain Controllers and File Servers by setting the following registry and group policy settings:
- Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled (Default)
- Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
- Network Access: Restrict anonymous access to Named Pipes and Shares: Enabled
Remove BROWSER from:
Unless used as a shared PC or in a kiosk scenario, the "Guest" account should be disabled estate wide.
Implement a robust access management schema that enforces the principle of least privilege and only gives users access to shares that they require. Define permissions explicitly in Security Groups and avoid the use of the "Everyone" and "Authenticated Users" identifiers. Management of groups can be devolved out to teams and Information Asset Owners to reduce the support overhead.
Add an additional layer of protection to sensitive information by encrypting it at rest. Rather than clear text spreadsheets and text files use a secure encrypted password manager to store account information. Consider using strong key based authentication like GPG to secure archived sensitive documents.
Perform regular audits to identify and locate sensitive and business-critical data stored on shares. Ensure that data is minimised and can only be accessed by those that require it. As people move around the organisation and get promoted, they will often accumulate access to systems, services and files that they no longer need. Ensure that access to shares is revoked as people change role or leave the organisation.