Sync Center - Security Issues With NSA, ISACA, FFIEC, FDIC

    General discussion

  • Microsoft, please put in an option to kill the offline folder synchronization...  Really!

    Our auditors and examiners are already giving us a bad time about Vista's Sync Center insisting on staying installed and trying to synchronize users server home directories to local drives.  It is just one of the items they list as a single reason to not use the OS in our environment.  They are going to do it again with Windows 7 if I can't find a way to break it like I did in Vista.
       The bottom line is that sensitive and secure files are being meticulously replicated from secure server storage onto very insecure local and portable media.  Data theft is already bad enough, but this is a major circumvention.

    Does anyone else see the same issue, here?   Either way, reply on this thread and let Microsoft know.  Remember that your bank may be using this OS very soon.  How would you like to know that you personal information was compromised because a computer was stolen and a file with your information on it was unknowingly replicated off of a secure server by Sync Center?

    {Edited: Don't trust the spell checker ont his forum, yet.}

    Tuesday, January 20, 2009 9:34 PM

All replies

  • Do you have a domain?  Fire up Group policy management console, Set a group policy as follows:

    Computer Configuration -> Administrative Templates -> Network -> Offline Files -> there is a setting for Allow or Disallow use of the Offline Files feature.

    Determines whether the Offline Files feature is enabled.

    This setting also disables the "Enable Offline Files" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it.

    Offline Files saves a copy of network files on the user's computer for use when the computer is not connected to the network.

    If you enable this setting, Offline Files is enabled and users cannot disable it.

    If you disable this setting, Offline Files is disabled and users cannot enable it.

    By default, Offline Files is enabled on Windows 2000 Professional and Windows XP Professional and is disabled on Windows 2000 Server and also Windows Server 2003 family.

    Tip: To enable Offline Files without specifying a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "Enable Offline Files."

    Note: To make changes to this setting effective, you must restart Windows.

    You can also set a setting so that the user can't change the configuration

    Prevents users from enabling, disabling, or changing the configuration of Offline Files.

    This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box.

    This is a comprehensive setting that locks down the configuration you establish by using other settings in this folder.

    This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.

    Tip: This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not have to disable any other settings in this folder.

    BTW this is editable and configurable now.  My bank should have a domain that they can control this via group policy.

    Wednesday, January 21, 2009 4:50 AM
  • Well that's fine for Domain users but why does Windows 7 just automatically start making network shares available offline even when I havenot even selected to "Make Available Offline"


    This is a security breach in the making and a potential violation of privacy laws.  Just because I connected to the server to read one file does not mean that I gave Microsoft permission to copy all my servers contents to my local Laptop for me to take out of the house without even informing me.

    Seriously guys whoever made this automatic needs to go on a security training course...

    Urgent fix needed....



    Tuesday, September 07, 2010 9:42 PM
  • I'm on a windows 7 system in what should be a public lab with a netwrok storage of the documents folder. The sync center is in the notification area is saying it has had an error when I open it up I can double click on the offline files folder and then double click on the profiles folder located on the network. I should only have access to my profiles folder which is all that should be syncing. Oopsies I can see all the profile folders and open and view their files. Accidental hack. Looks like a hole needs to be plugged on this one.
    Wednesday, February 15, 2012 12:09 AM