Disable "Everyone" group in Advanced Share permissions

    Question

  • By default in Windows Server 2008/2012 the "Everyone" group is being added to the advanced sharing option whenever a new share is created. The security department where I work has decided that this is worse than clubbing baby seals, and is freaking out about how shares are created. They cannot grasp the fact that the NTFS permissions are still locked down when a share is created, and having "Everyone" in the Advanced Sharing section doesn't actually give everyone permission.

    Anyways, is there a way to prevent the Everyone group from being added by default? I've already attempted changing the "SrvsvcDefaultShareInfo" key, but that seems to only affect the Share/Security values and not the Advanced Sharing. 

    If that isn't an option, is there a way to set up a GPO to just continually remove this group from every share?

    Thanks!

    Thursday, February 2, 2017 2:56 PM

Answers

  • Hi,

    >>Anyways, is there a way to prevent the Everyone group from being added by default?

    It seems that we have no way to change these default settings, even using GPO.

    >>If that isn't an option, is there a way to setup a GPO to just continually remove this group from every share? 

    You could try to create a startup script then deploy via GPO to achieve this purpose:

    The script could contain these lines:

    # Requires the SmbShare module (Windows Server 2012 and later)
    Get-SmbShare
    # Remove the share-level ACE for Everyone; -Force suppresses the confirmation prompt
    Revoke-SmbShareAccess -Name <share name> -AccountName Everyone -Force

    Best regards,

    Andy


    • Marked as answer by guitarmaniak8 Friday, February 3, 2017 8:40 PM
    Friday, February 3, 2017 6:32 AM
    Moderator

All replies

  • > The security department where I work has decided that this is worse than clubbing baby seals, and is freaking out about how shares are created. They cannot grasp the fact that the NTFS permissions are still locked down when a share is created, and having "Everyone" in the Advanced Sharing section doesn't actually give everyone permission.
     
    You might enlighten them.... As long as the guest account is disabled, "Everyone" is identical (!) to "Authenticated Users". In other words: Everyone in fact is NOT everyone :-)
     
     
    • Proposed as answer by Todd Heron Friday, February 3, 2017 1:15 PM
    Friday, February 3, 2017 10:53 AM
  • Thanks for the answer, Andy. Wouldn't this just remove the Everyone group if it was added to the share itself and not advanced sharing?
    Friday, February 3, 2017 2:25 PM
  • Thanks for the reply, Martin. I'll give that a shot.

    Friday, February 3, 2017 2:27 PM
  • > You could try to create a startup script then deploy via GPO to achieve this purpose:
    >
    > The script could contain these lines:
    >
    > get-smbshare
    > Revoke-SmbShareAccess -name <share name> -accountname <everyone>


    I ended up using this for 2012 servers. It doesn't work with 2008, though. Since I didn't specify that in the question I'm giving you the answer.

    In case anyone else wants to run this on 2008/2012, you can use the script below. Add any shares you don't want to be remediated to the "excludedList" variable.

    ####################################################################
    ##                                                                ##
    ## This script will remove the "Everyone" group from any shares   ##
    ##   on the server not included in the exclude list.              ##
    ##                                                                ##
    ####################################################################
    
    
    ## List of shares that should not be checked for share permissions
    $excludeList = 'D$','C$','ADMIN$','F$','IPC$','print$'
    
    
    ## Win32_LogicalShareSecuritySetting exposes the share-level DACL (not the NTFS
    ## ACL), and WMI is available on Server 2008, which lacks the SmbShare cmdlets.
    Get-WmiObject -Class Win32_LogicalShareSecuritySetting | ForEach-Object {
        $name = $_.Name
        
        if ($excludeList -notcontains $name){
            $newDescriptor = $_.GetSecurityDescriptor().Descriptor
            ## Keep every ACE except those granted to Everyone; @() keeps the DACL
            ## an array even when only a single ACE remains.
            $newDescriptor.DACL = @($newDescriptor.DACL | Where-Object {$_.Trustee.Name -ne 'Everyone'})
            $result = $_.SetSecurityDescriptor($newDescriptor)
            if ($result.ReturnValue -ne 0) {
                Write-Warning ("SetSecurityDescriptor on " + $name + " returned " + $result.ReturnValue)
            }
    
            Write-Host ($name + " has been validated/remediated.")
    
        } else {
            Write-Host ($name + " has been excluded.")
        }
    }

    Friday, February 3, 2017 8:46 PM
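An added example, not from this thread or from Microsoft, covering both Andy's startup-script suggestion and the WMI script above: it audits the share-level DACL of every non-excluded share for the Everyone group and only removes it when run with -Remediate, honouring -WhatIf. It goes beyond the thread's script by matching the well-known SID S-1-1-0 instead of the localized name and by reporting what Everyone is actually granted before anything is changed; it assumes it runs elevated on the file server and, like the thread's script, uses WMI so it also works on Server 2008.

```powershell
# Added example: audit (and optionally remediate) share-level DACLs for the
# Everyone group. Share-level only; NTFS permissions are unaffected.
# Assumed: run elevated on the file server itself.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$ExcludeList = @('ADMIN$', 'IPC$', 'print$'),
    [switch]$Remediate
)

$everyoneSid = 'S-1-1-0'      # well-known SID for Everyone, independent of locale
$adminShare  = '^[A-Z]\$$'    # drive admin shares (C$, D$, ...) skipped by pattern

$findings = foreach ($setting in Get-WmiObject -Class Win32_LogicalShareSecuritySetting) {
    $name = $setting.Name
    if ($ExcludeList -contains $name -or $name -match $adminShare) { continue }

    $descriptor   = $setting.GetSecurityDescriptor().Descriptor
    $aces         = @($descriptor.DACL)
    $everyoneAces = @($aces | Where-Object { $_.Trustee.SIDString -eq $everyoneSid })
    if ($everyoneAces.Count -eq 0) { continue }

    # Report each Everyone ACE so the reviewer sees the real share-level grant
    foreach ($ace in $everyoneAces) {
        [pscustomobject]@{
            Share      = $name
            Path       = (Get-WmiObject -Class Win32_Share -Filter "Name='$name'").Path
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)
            AceType    = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
        }
    }

    # Remediation is opt-in and goes through ShouldProcess, so -WhatIf dry-runs it
    if ($Remediate -and $PSCmdlet.ShouldProcess($name, 'Remove Everyone from share DACL')) {
        $descriptor.DACL = @($aces | Where-Object { $_.Trustee.SIDString -ne $everyoneSid })
        $result = $setting.SetSecurityDescriptor($descriptor)
        if ($result.ReturnValue -ne 0) {
            Write-Warning "SetSecurityDescriptor on $name returned $($result.ReturnValue)"
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it without switches first to get the audit table; deploying it as a GPO startup script with -Remediate gives the continual clean-up the question asked for.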