
What security have users placed around the ManageSoftRET$ and mgsRET$ network shares?

malderton
By Level 5 Flexeran
Hi, we have heard that a number of companies' security teams have added extra security around the network shares ManageSoftRET$ and mgsRET$. We are not of the opinion that this is strictly necessary. In order to improve our understanding, can I ask the user group: if you do add anything to the standard build, can you tell us what you do about these shares?
(3) Replies
DAWN
By Level 5 Flexeran
The "default" entry for this is "Everyone" AND "Anonymous Logon" with "Read-only". Since the typical use case is utilizing a Discovery and Inventory Task to target Remote Devices for Adoption or FlexNet Inventory utilized by Windows Machines - there are 2 common scenarios.

1) If this methodology isn't utilized, some customers remove the share.
2) If it is utilized, it is common to change the security to remove Anonymous Logon at a minimum - and occasionally Everyone and only allow "Authenticated Users" - forcing that an actual Domain login occur.

@DAWN - Do you have any insight into the type of threat or attack that people are trying to guard against by removing the shares or requiring authentication to access them?

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)
Typically, this is reducing the ability of a hacker to push some sort of executable file that could be accessed through any user login to elevate privs. Read-only is good - but you usually don't want to allow anonymous login to the Windows Shares unless absolutely necessary. This would be a multi-prong attack scenario - but you want to close every avenue of access that's not needed. Or at least reduce the users that can have any access to that share. It's a typical sysadmin hardening task to ensure least privs.
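
The share hardening described in this thread, as an added PowerShell example (not code from Flexera or from any poster): it reports the share-level permissions on the two shares and, only when asked, replaces "Everyone" and "Anonymous Logon" with read-only access for "Authenticated Users". It assumes an elevated session on the server hosting the shares with the built-in SmbShare module available; the `-Apply` switch is a name chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit (default) or tighten (-Apply) share-level permissions.
# -Apply is a hypothetical switch of this script; without it nothing is changed.
param([switch]$Apply)

$shares  = 'ManageSoftRET$', 'mgsRET$'                    # share names from the thread
$tooWide = 'Everyone', 'NT AUTHORITY\ANONYMOUS LOGON'     # the default entries described above
$allowed = 'NT AUTHORITY\Authenticated Users'             # forces an actual domain login

foreach ($name in $shares) {
    $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    if (-not $share) {
        Write-Host "[$name] share not present on this host"
        continue
    }

    # Report every share-level entry so the current state is on record.
    $acl = Get-SmbShareAccess -Name $name
    foreach ($entry in $acl) {
        Write-Host ("[{0}] {1,-40} {2,-5} {3}" -f $name, $entry.AccountName,
                    $entry.AccessControlType, $entry.AccessRight)
    }

    # Flag Allow entries for the over-broad principals, and anything above Read.
    $broad    = @($acl | Where-Object { $_.AccessControlType -eq 'Allow' -and
                                        $tooWide -contains $_.AccountName })
    $writable = @($acl | Where-Object { $_.AccessControlType -eq 'Allow' -and
                                        $_.AccessRight -ne 'Read' })
    foreach ($entry in $broad)    { Write-Warning "[$name] over-broad principal: $($entry.AccountName)" }
    foreach ($entry in $writable) { Write-Warning "[$name] more than Read: $($entry.AccountName)" }

    if ($Apply -and $broad.Count -gt 0) {
        # Grant first so the share is never left without a read entry.
        Grant-SmbShareAccess -Name $name -AccountName $allowed -AccessRight Read -Force | Out-Null
        foreach ($entry in $broad) {
            Revoke-SmbShareAccess -Name $name -AccountName $entry.AccountName -Force | Out-Null
        }
        Write-Host "[$name] now limited to $allowed (Read)"
    }
}
```

This changes share-level permissions only; the NTFS ACL on the folder behind each share is evaluated separately and should be reviewed as well.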