Top 5 Simple Ways I Became Domain Administrator on your Internal Network and How to Prevent them from Happening (Part 4 of 5)

by | May 19, 2011

How to Become a Domain Administrator on an Internal Network
4. Your network shares are sharing way too much information…to EVERYONE


Network shares are designed to do just that: share information with those who need it. The problem is that too many folders are shared with everyone in the company, and general administrator accounts have access to highly sensitive directories such as HR, finance or R&D. Too often, network shares contain extraordinary amounts of unstructured sensitive data such as PII, user passwords, and corporate confidential information in Excel, Word, Access, text, and log files. Users often export the sensitive information stored within business applications to these unstructured formats, but these files do not have the same types of protections, making them an easy target.


How the attack works:

  1. Run a program or script to troll through all available servers and workstations to identify the permissions set on network shares.
  2. Identify shares that have permissions open to everyone or all authenticated users on the network and then perform targeted searches for key information such as SSNs, passwords, credit card information, etc.
  3. Use this information to gain further access to network resources and sensitive information.


Sample of open source tools used:

ShareEnum, Nmap, MBSA


How to mitigate it:

  1. Perform a data risk assessment to identify what the most valued information is to the company.  Once classified, begin to work with business owners to identify how that sensitive information flows throughout the network and pinpoint where information is stored insecurely on the network.
  2. Run a scan to identify all network shares that are open to the “Everyone” Windows group.  Shares open to this group are accessible to anyone authenticated to the network.  Work with the owners of these shares to identify the proper personnel that should have access to the information within those shares.  Consider creating separate file server administrator accounts and explicitly deny access to other privileged accounts.
  3. Data Loss Prevention (DLP) solutions offer the ability to detect sensitive and proprietary information on shares and throughout the network on USB drives, email, and workstations. Performing a discovery scan to sweep the network can help to identify these types of confidential data.
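
One way to run the scan in mitigation step 2 across your own file servers, as an added example that is not part of the original post. It lists non-administrative shares whose share ACL grants access to a broad group and marks those where the NTFS ACL on the share root does too, since effective access is the more restrictive of the two. Assumptions: the server names are placeholders, the SmbShare module (Windows 8 / Server 2012 or later) is available, you hold administrative rights on the servers, and only the share root is inspected, not subfolders or Deny entries.

```powershell
# Added example, not from the original post. $Servers holds placeholder names;
# replace them with file servers you administer.
param([string[]]$Servers = @('FILESRV01', 'FILESRV02'))

# Well-known SIDs avoid problems with localized or renamed group names.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Resolve-BroadGroup([string]$Account) {
    try {
        $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }                      # unresolvable account: skip it
    if ($BroadSids.ContainsKey($sid)) { return $BroadSids[$sid] }
    if ($sid -match '^S-1-5-21-.+-513$') { return 'Domain Users' }
    return $null
}

$findings = foreach ($server in $Servers) {
    # -Special $false skips administrative shares such as C$, ADMIN$ and IPC$.
    foreach ($share in Get-SmbShare -CimSession $server -Special $false) {
        $unc = "\\$server\$($share.Name)"
        # Share-level Allow entries granted to a broad group.
        $shareHits = Get-SmbShareAccess -CimSession $server -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $g = Resolve-BroadGroup $_.AccountName
                             if ($g) { "$g=$($_.AccessRight)" } }
        # NTFS Allow entries on the share root granted to a broad group.
        $ntfsHits = (Get-Acl -Path $unc -ErrorAction SilentlyContinue).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $g = Resolve-BroadGroup $_.IdentityReference.Value
                             if ($g) { "$g=$($_.FileSystemRights)" } }
        if ($shareHits) {
            # EffectivelyOpen: both the share ACL and the NTFS root ACL are broad.
            [pscustomobject]@{
                Share = $unc; Path = $share.Path
                ShareAccess     = $shareHits -join '; '
                NtfsAccess      = $ntfsHits -join '; '
                EffectivelyOpen = [bool]$ntfsHits
            }
        }
    }
}
$findings | Sort-Object EffectivelyOpen -Descending | Format-Table -AutoSize -Wrap
```

Rows with `EffectivelyOpen` set to True are the ones to take to the share owners first; the remaining rows still rely on NTFS permissions alone to keep broad groups out.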

Chris Salerno
Managing Director

Chris leads SRA’s 24x7 CyberSOC services. His background is in cybersecurity strategy based on NIST CSF, red and purple teams, improving network defenses, technical penetration testing and web applications.

Prior to shifting his focus to defense and secops, he led hundreds of penetration tests and security assessments and brings that deep expertise to the blue team.

Chris has been a distinguished speaker at BlackHat Arsenal, RSA, B-Sides and SecureWorld.

Prior to Security Risk Advisors, Chris was the lead penetration tester for a Big4 security practice.