HomeGroup = major security flaw in Windows 7

Answers

  • The problem has existed since Vista. It's not specific to Homegroups. In Vista and Windows 7 if you share any folder in a user's profile the whole user tree is shared. Yes, I agree, it's a serious security flaw. The folders are somewhat locked down with the default ACLs but many people don't use passwords and have very relaxed security. For small businesses this can be a big problem. Many accounting programs store data files in the user's profile, as they should by default. If a different user on the computer shares a folder suddenly the accounting data may be available to anyone on the network. When I bugged this I was told it was by design and would not be changed.

    Kerry Brown MS-MVP - Windows Desktop Experience
    • Marked as answer by Novak Wu Wednesday, October 28, 2009 02:45
    Tuesday, October 27, 2009 13:54

All Replies

  • As Kerry said, the symptom was by default since Windows Vista. To avoid the security factor, you can create a password on each profile on the Windows 7 machine or share the pictures on another folder.

    Thanks,
    Novak
    Wednesday, October 28, 2009 02:45
  • You have to remember that Share Permissions and NTFS Permissions combine to give you the effective permission. So if "Everyone" has full access to share C:\Users it doesn't really mean that they have full control permission on all files in Users directory, the local ACL/NTFS permissions further restrict access to files/folders same way as if you were accessing locally.

    When joining a Homegroup, Windows 7 automatically gives "Everyone" user group full control (read and write) ACL to share C:\Users but your files are still protected by local NTFS ACL permissions that you find under "Security" tab.

    "Therefore due to the Most Restrictive evaluation, the easiest way to set permissions is to provide the Users (preferably by Groups), Full Control on the Share side, but lock it down on the NTFS side (Security Tab). It works nicely, all the time, and is easier to document and keep track."

    Source: http://msmvps.com/blogs/acefekay/archive/2011/02/04/share-permissions-and-ntfs-permissions-folder-access-control-amp-folder-permissions.aspx


    Wednesday, July 13, 2011 20:25
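
The interaction between share permissions and NTFS permissions discussed in the replies above, as a simplified model added here (it is not code from the thread or from Microsoft). The account names `alice` and `bob`, the right names and the three folder ACLs are constructed for illustration; real ACLs use bit masks and inheritance, which this model leaves out.

```python
# Simplified model of Windows access evaluation (added example, not Microsoft code).
# Rights are plain sets; real ACLs use bit masks, inheritance flags and more right types.
FULL = frozenset({"read", "write", "change_permissions"})
READ = frozenset({"read"})

def granted(acl, principals):
    """Evaluate one ACL for a caller holding the given user/group names.

    acl is a list of (kind, principal, rights) in canonical order, deny
    entries first. Deny ACEs remove rights; allow ACEs accumulate across
    every group the caller belongs to.
    """
    denied, allowed = set(), set()
    for kind, principal, rights in acl:
        if principal not in principals:
            continue
        if kind == "deny":
            denied |= rights
        else:
            allowed |= rights - denied
    return allowed

def effective_over_network(share_acl, ntfs_acl, principals):
    """Network access must pass both checks, so the result is the intersection."""
    return granted(share_acl, principals) & granted(ntfs_acl, principals)

# Constructed scenario: HomeGroup shares C:\Users with Everyone: Full Control.
USERS_SHARE = [("allow", "Everyone", FULL)]
# Folder ACL limited to its owner and administrators.
LOCKED_DOWN = [("allow", "alice", FULL), ("allow", "Administrators", FULL)]
# Same folder after a broad read entry was added on the Security tab.
RELAXED = LOCKED_DOWN + [("allow", "Everyone", READ)]
# A deny entry overrides the broad allow for one account.
WITH_DENY = [("deny", "bob", READ)] + RELAXED

bob = {"bob", "Everyone", "Users"}      # another account reaching \\host\Users
alice = {"alice", "Everyone", "Users"}  # the folder's owner

if __name__ == "__main__":
    for name, acl in [("locked down", LOCKED_DOWN), ("relaxed", RELAXED),
                      ("with deny", WITH_DENY)]:
        print(name, "-> bob:", sorted(effective_over_network(USERS_SHARE, acl, bob)),
              "| alice:", sorted(effective_over_network(USERS_SHARE, acl, alice)))
```

With the share wide open, the folder's NTFS ACL is the only thing separating the locked-down case from the relaxed one, so that ACL is what has to be reviewed for every folder under a shared profile tree.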
  • Yes, except that there are no standard tools for working with ACLs.  And certainly none that even a power user can understand.  And even for the advanced user you need third party tools to find that deep in a folder hierarchy some ACL is wrong.

    Shares used to be a crude but effective way to see at most what is shared.  You could see all the shares on a system.  But now with everything shared, that is gone. 

    (And why is Users, and C$ shared?!  If you really want to rely on ACLs just share C$ everyone.  The important files are in Users anyway.)

    I have not been able to find a concise article that explains what HomeGroups really are (other than good ...) and how they interact with other Windows sharing modes, ACLs etc.  And that is because under the thin veneer of UI it looks like it is a mess.

    I mainly rely on my router's firewall for security.  It's crude, but I have confidence in what it does.

    Anthony


    Saturday, December 17, 2011 10:23