Ransomware operators love open SMB shares. The 2017 NotPetya outbreak propagated via EternalBlue, but also through admin shares with weak credentials. Even with patched systems, a misconfigured share can give attackers a foothold. This lesson focuses on securely sharing folders across Windows, Linux (Samba/NFS), and macOS, including protocol-level hardening and enumeration protection.
When you share a folder on Windows, the default share permission usually grants 'Everyone' Read. NTFS permissions still apply (effective access is the more restrictive of the share and NTFS permissions), but a share-level entry of Everyone: Full Control lets anyone connect and reach files wherever the NTFS ACLs are misconfigured. Grant share permissions to a specific security group (e.g., 'Finance-RW') with Change access instead. Disable SMBv1 entirely, either via Windows Features or with PowerShell (Set-SmbServerConfiguration -EnableSMB1Protocol $false). Enable SMB encryption on sensitive shares.
The output shows the share Finance with appropriate access rights for two groups. No Everyone entry is present.
When deploying Samba, the smb.conf file must lock down authentication, the protocol version, and each share definition. Set server min protocol = SMB2_02 (or higher) in [global] to disable SMB1. Restrict share access with valid users = @groupname and force group = +groupname. Use hosts allow/deny to limit the source IP ranges that may connect. For high-security shares, require SMB encryption (smb encrypt = required) and disable guest access (map to guest = never).
# smb.conf snippet for hardened share
[global]
# server min protocol is a global parameter; it is ignored if placed in a share section
server min protocol = SMB3_11

[SecureShare]
path = /srv/samba/secure
valid users = @finance
force group = finance
read only = no
browsable = yes
create mask = 0640
directory mask = 0750
hosts allow = 192.168.10.0/24
smb encrypt = required

💡 smb encrypt = desired only negotiates encryption when the peer supports it; for sensitive data, set smb encrypt = required on the server so unencrypted sessions are refused.
NFS exports should always use root_squash (which maps remote root to nobody), or all_squash for untrusted clients. Never export to the world: always restrict each export to a subnet. Use NFSv4 with Kerberos authentication (sec=krb5p) for integrity and privacy; without Kerberos, NFS trusts the UID presented by the client, which is trivial to spoof. Export options such as no_subtree_check (for reliability) and sync are essential.
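As an added example (not Samba or NFS project code), the following checker reads smb.conf and /etc/exports text and reports the weak settings the Samba and NFS sections above warn about: SMB1 still allowed, guest access, shares without valid users or hosts allow, encryption not required, world exports, no_root_squash, and exports without Kerberos. The sample configs are constructed, and canonical Samba key spelling is assumed.

```python
import configparser

# Added example, not Samba/NFS project code; the sample configs below are constructed.
SMB1 = {"", "nt1", "lanman1", "lanman2", "core", "coreplus"}  # "" = not pinned at all

def audit_smb_conf(text):
    """[(section, finding)] for a smb.conf string; canonical key spelling assumed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    g = cp["global"] if cp.has_section("global") else {}
    out = []
    if g.get("server min protocol", "").lower() in SMB1:
        out.append(("global", "SMB1 allowed: set server min protocol = SMB2_02 or higher"))
    if g.get("map to guest", "never").lower() != "never":
        out.append(("global", "set map to guest = never"))
    for name in (n for n in cp.sections() if n != "global"):
        s = cp[name]  # share-level keys override the [global] values
        if s.get("guest ok", g.get("guest ok", "no")).lower() == "yes":
            out.append((name, "guest ok = yes allows unauthenticated access"))
        if not s.get("valid users"):
            out.append((name, "no valid users = @group restriction"))
        if not s.get("hosts allow", g.get("hosts allow")):
            out.append((name, "no hosts allow: reachable from any source IP"))
        if s.get("smb encrypt", g.get("smb encrypt", "")).lower() != "required":
            out.append((name, "smb encrypt not set to required"))
    return out

def audit_exports(text):
    """[(path, finding)] for an /etc/exports string."""
    out = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments; may be empty
        for token in fields[1:]:
            client, _, opts = token.partition("(")
            opts = set(opts.rstrip(")").split(","))
            if client == "*":
                out.append((fields[0], "exported to the world: restrict to a subnet"))
            if "no_root_squash" in opts:
                out.append((fields[0], f"{client}: no_root_squash gives remote root local root"))
            if not any(o.startswith("sec=krb5") for o in opts):
                out.append((fields[0], f"{client}: no Kerberos (sec=krb5p), trusts client UIDs"))
    return out

WEAK_SMB = "[global]\nserver min protocol = NT1\n[Public]\npath = /srv/public\nguest ok = yes\n"
WEAK_EXPORTS = "/srv/data *(rw,no_root_squash)\n/srv/kerb 192.168.10.0/24(rw,sync,sec=krb5p)\n"
if __name__ == "__main__":
    for section, finding in audit_smb_conf(WEAK_SMB) + audit_exports(WEAK_EXPORTS):
        print(f"{section}: {finding}")
```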
⚠️ The Windows administrative shares (C$, ADMIN$) are hidden from browsing but still reachable over SMB. Ensure only domain admins can access them, and disable them via the registry if your policy allows.