Security Risk Advisors

Top 5 Simple Ways I Became Domain Administrator on your Internal Network and How to Prevent them from Happening (Part 4 of 5)

May 19, 2011 | Posted in Red Teams by Chris Salerno

4. Your network shares are sharing way too much information…to EVERYONE

Network shares are designed to do just that: share information with those who need it. The problem is that too many folders are shared with everyone in the company, and that general administrator accounts have access to highly sensitive directories such as HR, finance or R&D. Too often network shares contain extraordinary amounts of unstructured sensitive data such as PII, user passwords, and corporate confidential information in Excel, Word, Access, text, and log files. Users often export the sensitive information stored within business applications to these unstructured formats, but these files do not have the same types of protections, making them an easy target.

How the attack works:

  1. Run a program or script to troll through all available servers and workstations to identify the permissions set on network shares.
  2. Identify shares that have permissions open to everyone or all authenticated users on the network and then perform targeted searches for key information such as SSNs, passwords, credit card information, etc.
  3. Use this information to gain further access to network resources and sensitive information.

Sample of open source tools used:

ShareEnum, Nmap, MBSA

How to mitigate it:

  1. Perform a data risk assessment to identify which information is most valuable to the company. Once it is classified, work with business owners to identify how that sensitive information flows throughout the network and pinpoint where it is stored insecurely.
  2. Run a scan to identify all network shares that are open to the “Everyone” Windows group. Shares open to this group are accessible to anyone authenticated to the network. Work with the owners of these shares to identify the proper personnel that should have access to the information within those shares. Consider creating separate file server administrator accounts and explicitly denying access to other privileged accounts.
  3. Data Loss Prevention (DLP) solutions offer the ability to detect sensitive and proprietary information on shares and throughout the network on USB drives, email, and workstations. Performing a discovery scan to sweep the network can help to identify these types of confidential data.
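
For the scan in mitigation step 2, an audit along these lines can be run against file servers you administer. It is an added example, not code from the original post: the server names and output file are placeholders, and checking the NTFS layer and the BUILTIN\Users group alongside "Everyone" and "Authenticated Users" are assumptions that go slightly beyond the step as written.

```powershell
# Audit share-level and NTFS permissions for grants to broad groups.
# Assumptions: server names are placeholders; requires the SmbShare module
# (Windows Server 2012 or later) and administrative rights on each server.
$Servers = @('FILESRV01', 'FILESRV02')   # hypothetical, replace with your own

# Match well-known SIDs rather than names so localized group names still match.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'     # contains Authenticated Users by default
}
function Resolve-Sid([string]$Account) {
    try {
        ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { '' }                       # orphaned or unresolvable entry
}
function New-Finding($Server, $Share, $Layer, $Sid, $Rights) {
    [pscustomobject]@{
        Server = $Server; Share = $Share.Name; Path = $Share.Path
        Layer  = $Layer;  Group = $BroadSids[$Sid]; Rights = "$Rights"
    }
}

$findings = foreach ($server in $Servers) {
    $session = New-CimSession -ComputerName $server
    # -Special $false skips administrative shares such as C$, ADMIN$ and IPC$.
    foreach ($share in Get-SmbShare -CimSession $session -Special $false) {
        # Layer 1: share-level permissions.
        foreach ($ace in Get-SmbShareAccess -CimSession $session -Name $share.Name) {
            $sid = Resolve-Sid $ace.AccountName
            if ("$($ace.AccessControlType)" -eq 'Allow' -and $BroadSids.ContainsKey($sid)) {
                New-Finding $server $share 'Share' $sid $ace.AccessRight
            }
        }
        # Layer 2: NTFS ACL on the share root; effective access is the stricter layer.
        $acl = Get-Acl -LiteralPath "\\$server\$($share.Name)" -ErrorAction SilentlyContinue
        foreach ($ace in $acl.Access) {
            $sid = Resolve-Sid $ace.IdentityReference.Value
            if ("$($ace.AccessControlType)" -eq 'Allow' -and $BroadSids.ContainsKey($sid)) {
                New-Finding $server $share 'NTFS' $sid $ace.FileSystemRights
            }
        }
    }
    Remove-CimSession $session
}
$findings | Sort-Object Server, Share, Layer | Export-Csv .\open-shares.csv -NoTypeInformation
```

A share that appears in both the Share and NTFS layers is effectively open to that group and is the first one to take to its owner.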