Is anyone running Ubuntu 7.04 and Vista on a network

Hi Joe,

In my view, this is FLAWED and should be fixed.

Anyway, it's nice to know I can remotely enum all the "hidden" shares of
Windows boxes with a simple browse request

Joe Richards [MVP] wrote:
> You missed the part where I said this was never designed to be a
> security feature but instead is used for housekeeping/display. Say, and
> this is a real life example, I have a file server with 5000 home folder
> shares on it called user1$ through user2$ and I have 10 project shares
> on the server called proj1 through proj10. Some random user connects to
> the server by \\servername to get a list of the project shares, if MSFT
> didn't have the hidden mechanism the user would get a listing of 5010
> shares instead of 10.
>
> Your understanding or wish of what the $ concept is just needs to be
> readjusted. It isn't about hiding it from the browse request, it is a
> quick way to indicate to the client that the shares have been marked
> hidden which is a guideline and a guideline only, to not display. If
> MSFT intended for that to be a security feature, you can rest assured
> they wouldn't be sending those share names when requested. It is simpler
> not to send them than to not display them when they have been sent.
>
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> Author of O'Reilly Active Directory Third Edition
> www.joeware.net
>
>
> ---O'Reilly Active Directory Third Edition now available---
>
> http://www.joeware.net/win/ad3e.htm
>
>
> Gerry Hickman wrote:
>> Joe Richards [MVP] wrote:
>>
>>> hidden. The OS still sends the share in the list of shares for the
>>> share enumeration request.
>>
>> In that case, it's very silly! If the enum is done by by a local
>> process with a connection over DCOM then it's fair enough, it's
>> listing shares that it's exposing.
>>
>> If it's showing up in a network browser, it defeats the whole point of
>> the $ concept, which is to hide it from the browse request. Remember,
>> it's not just C drives, it could be vast listings of a file server.
>> You'd still have NTFS to get through, but it still defeats the whole
>> point of them being "hidden".
>>


--
Gerry Hickman (London UK)

"mirdragon" <mirdragon@discussions.microsoft.com> wrote in message
news:88442B8E-6858-476D-A2AD-524A0768C802@microsoft.com...
> sorry i do think this is a security breach
>
> a hidden share is a hidden share and should not be viewable within network
> browsing, that is why they are called hidden for extra security

Nope. They're not hidden "for extra security". They're hidden to keep the
list of shares you see on a "typical" OS (aka manufactured by Microsoft)
tidy.

> try connecting exactly the same way with exactly the same details from a
> windows xp machine, and you'll find that this DOES NOT list these hidden
> shares

Well. Yes. What's your point?

> do it from a linux box running ubuntu 7 and you'll get everything this
> only
> happens when connecting via linux

Yes because the implementation of SAMBA used on Ubuntu 7 obviously doesn't
follow the conventions of Microsoft networking. This isn't some l33t hax0r
trick, it's something getting the same list of shares that is sent to all
the computers on your network and choosing to do something different to what
you expected with it.

> as for uac, if you leave this active even though you are an administrator
> of
> the system, you might as well be a limited user, as it prevents a lot of
> stuff running properly

Can't say I've seen this myself. I'm running with UAC enabled and I see a
UAC prompt maybe a couple of times a week, usually when I install software
or update something or use a system utility.

In either case, UAC is a part of enforcing security on the very thing you're
worried about, and you chose to turn it off. Turning off security features
then complaining that something protected by them isn't very secure any more
is hardly news.

The feature cannot be flawed since it was never designed to do what it is you
seem to want it to do. If you do really believe in security by obscurity as a
meaningful way to protect your shares (I do not) then you should make a
suggestion to create a non-advertising share for the next version of Windows.

Alternatively, you can turn off the announcement of the shares in Windows
Vista (or any prior version) and achieve the same effect. The Network
Discovery setting in the Network Sharing Center does exactly what you want,
except it operates on all shares, not just some.

---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"Gerry Hickman" wrote:

> Hi Joe,
>
> In my view, this is FLAWED and should be fixed.
>
> Anyway, it's nice to know I can remotely enum all the "hidden" shares of
> Windows boxes with a simple browse request
>
> Joe Richards [MVP] wrote:
> > You missed the part where I said this was never designed to be a
> > security feature but instead is used for housekeeping/display. Say, and
> > this is a real life example, I have a file server with 5000 home folder
> > shares on it called user1$ through user2$ and I have 10 project shares
> > on the server called proj1 through proj10. Some random user connects to
> > the server by \\servername to get a list of the project shares, if MSFT
> > didn't have the hidden mechanism the user would get a listing of 5010
> > shares instead of 10.
> >
> > Your understanding or wish of what the $ concept is just needs to be
> > readjusted. It isn't about hiding it from the browse request, it is a
> > quick way to indicate to the client that the shares have been marked
> > hidden which is a guideline and a guideline only, to not display. If
> > MSFT intended for that to be a security feature, you can rest assured
> > they wouldn't be sending those share names when requested. It is simpler
> > not to send them than to not display them when they have been sent.
> >
> >
> > --
> > Joe Richards Microsoft MVP Windows Server Directory Services
> > Author of O'Reilly Active Directory Third Edition
> > www.joeware.net
> >
> >
> > ---O'Reilly Active Directory Third Edition now available---
> >
> > http://www.joeware.net/win/ad3e.htm
> >
> >
> > Gerry Hickman wrote:
> >> Joe Richards [MVP] wrote:
> >>
> >>> hidden. The OS still sends the share in the list of shares for the
> >>> share enumeration request.
> >>
> >> In that case, it's very silly! If the enum is done by by a local
> >> process with a connection over DCOM then it's fair enough, it's
> >> listing shares that it's exposing.
> >>
> >> If it's showing up in a network browser, it defeats the whole point of
> >> the $ concept, which is to hide it from the browse request. Remember,
> >> it's not just C drives, it could be vast listings of a file server.
> >> You'd still have NTFS to get through, but it still defeats the whole
> >> point of them being "hidden".
> >>
>
>
> --
> Gerry Hickman (London UK)
>

Agreed.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Jesper wrote:
> The feature cannot be flawed since it was never designed to do what it is you
> seem to want it to do. If you do really believe in security by obscurity as a
> meaningful way to protect your shares (I do not) then you should make a
> suggestion to create a non-advertising share for the next version of Windows.
>
> Alternatively, you can turn off the announcement of the shares in Windows
> Vista (or any prior version) and achieve the same effect. The Network
> Discovery setting in the Network Sharing Center does exactly what you want,
> except it operates on all shares, not just some.
>
> ---
> Your question may already be answered in Windows Vista Security:
> http://www.amazon.com/gp/product/047...otectyourwi-20
>
>
> "Gerry Hickman" wrote:
>
>> Hi Joe,
>>
>> In my view, this is FLAWED and should be fixed.
>>
>> Anyway, it's nice to know I can remotely enum all the "hidden" shares of
>> Windows boxes with a simple browse request
>>
>> Joe Richards [MVP] wrote:
>>> You missed the part where I said this was never designed to be a
>>> security feature but instead is used for housekeeping/display. Say, and
>>> this is a real life example, I have a file server with 5000 home folder
>>> shares on it called user1$ through user2$ and I have 10 project shares
>>> on the server called proj1 through proj10. Some random user connects to
>>> the server by \\servername to get a list of the project shares, if MSFT
>>> didn't have the hidden mechanism the user would get a listing of 5010
>>> shares instead of 10.
>>>
>>> Your understanding or wish of what the $ concept is just needs to be
>>> readjusted. It isn't about hiding it from the browse request, it is a
>>> quick way to indicate to the client that the shares have been marked
>>> hidden which is a guideline and a guideline only, to not display. If
>>> MSFT intended for that to be a security feature, you can rest assured
>>> they wouldn't be sending those share names when requested. It is simpler
>>> not to send them than to not display them when they have been sent.
>>>
>>>
>>> --
>>> Joe Richards Microsoft MVP Windows Server Directory Services
>>> Author of O'Reilly Active Directory Third Edition
>>> www.joeware.net
>>>
>>>
>>> ---O'Reilly Active Directory Third Edition now available---
>>>
>>> http://www.joeware.net/win/ad3e.htm
>>>
>>>
>>> Gerry Hickman wrote:
>>>> Joe Richards [MVP] wrote:
>>>>
>>>>> hidden. The OS still sends the share in the list of shares for the
>>>>> share enumeration request.
>>>> In that case, it's very silly! If the enum is done by by a local
>>>> process with a connection over DCOM then it's fair enough, it's
>>>> listing shares that it's exposing.
>>>>
>>>> If it's showing up in a network browser, it defeats the whole point of
>>>> the $ concept, which is to hide it from the browse request. Remember,
>>>> it's not just C drives, it could be vast listings of a file server.
>>>> You'd still have NTFS to get through, but it still defeats the whole
>>>> point of them being "hidden".
>>>>
>>
>> --
>> Gerry Hickman (London UK)
>>