
Map network drives, config options and alternatives?


15 replies to this topic

#1 littleroot


Posted 17 December 2014 - 04:13 PM

Dear fellow bleeping-users,

 

On a corporate network with Windows PCs and servers, for security purposes I’m hoping we can get away from using mapped drives and instead have Network Locations or just use the Favorites. But with a lot of hyperlinked documents and who-knows-what other gotchas it may be impossible. Any other suggestions?

 

One query from a team member was wishing there was a way that the mapped drives would not actually be connected/active until a user, interactively, initiated a connection to the network resource. All I can think of is having a batch file the user launches interactively to map the drives.

 

Any suggestions here, too?

 

Thank you.

 




#2 gavinseabrook


Posted 18 December 2014 - 02:31 AM

I would suggest a NAS (Network Attached Storage) drive. Specifically QNAP products. They have a great product that allows you to configure it almost like a server. You can even join it to a domain controller so that your usernames/passwords for network computers can work to access the files on it. This way you have protection against outside users, viruses (like cryptolocker viruses) from attacking your files over mapped network drives and even granting access from outside the network to smart phones or home computers. It will also solve your problems about users not connecting to it unless necessary.


Gavin Seabrook

 


#3 Ezzah


Posted 18 December 2014 - 02:35 AM

Yes, gavin has the general idea here. If you're trying to share information/files then NAS storage of some sort would suit your needs best. Perhaps your company could invest in hosting your own servers for data storage with something like ownCloud (which has a free community version).




#4 littleroot


Posted 18 December 2014 - 02:51 AM

What difference would that make? Users would still map a drive to it or UNC path. Our environment is VMware using an EMC SAN with hundreds of servers, over 1000 users.

I have used QNAP too, but as an iSCSI target for a small VMware server.

#5 Ezzah


Posted 18 December 2014 - 06:35 AM

ownCloud is wonderful for storage, if that's what you're solely looking for. It has a web GUI and a sync client, and it is possible to share folders and files between people:

 

http://owncloud.org/




#6 littleroot


Posted 18 December 2014 - 10:42 AM

I am not looking for storage solutions; I am looking for connection options to existing storage.


Edited by littleroot, 18 December 2014 - 10:42 AM.


#7 littleroot


Posted 18 December 2014 - 10:44 AM


Thanks for the reply. Gavin, please tell me how this would protect mapped network drives better than other storage solutions, for example a Windows server?



#8 gavinseabrook


Posted 19 December 2014 - 01:18 AM

The reason it would protect better than mapped network drives is because Ransomware viruses (ones that encrypt your data files) look in all drives of the computers for places to attack. If you are using a mapped network drive, the virus sees that drive as if it is locally installed.

 

EXAMPLE:

 

Say you have 3 Drives, 2 local and 1 mapped. A user gets the CryptoLocker virus on their computer. Not only will any documents, PDF files, Images (or the other 20+ file types it encrypts) on their local drives be affected, but the virus will ALSO attack the mapped network drive. This means the entire mapped drive's files will get encrypted as well!

 

With the QNAP solution, you can set up access to it via an FTP shortcut that requires them to input their username and password each time they want to access the directory. This prevents these encryption viruses from ruining all your files on that drive. Though if you have that many machines/users connecting to this device, you may want to look into investing in something bigger and better such as a Seagate NAS drive as it has the capability of storing up to 16TB.


Gavin Seabrook

 


#9 littleroot


Posted 30 December 2014 - 11:33 AM

So to summarize, your suggestion is to put the files on a system which uses a different authentication system?

 

For that I should not need to use FTP. I could see it as an inexpensive solution but not for the corporate environments I support.

 

One thing we are looking at is two-factor authentication, which I don't think Windows servers have built-in at this time. A poor man's way of doing that could be to simply have another domain with a secondary set of credentials and have the system prompt the user when they needed access to the mapped drive.



#10 Didier Stevens


Posted 30 December 2014 - 12:01 PM

So you want to access files via UNC instead of mapped drives?

But you think that this will break many of the links in your MS Office documents, because these links contain a drive letter?

 

Is that your problem?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#11 littleroot


Posted 30 December 2014 - 12:15 PM


What I should have said from the outset is we are looking at a solution to stop malware from attacking network resources, be they mapped drives or UNC paths such as network places or shortcuts. A colleague asked me to post a question, which is the last paragraph of my original post: is there a way to keep a mapped drive from actually being connected to the resource until a user initiates a connection? My thought today is, I am thinking/wondering how I can implement a secondary authentication scheme, like "two-factor" authentication which times out after a short period? Or maybe a dialog box which pops up like User Access Control, and asks the user, "are you sure you want to make this connection?", and then times out after a while.

 

Yes, we do have lots of hyperlinked documents so prefer a method to keep UNC paths and drive letters the same.

 

Thanks


Edited by littleroot, 30 December 2014 - 12:16 PM.
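
The on-demand mapping asked about in the original post and again in the post above, sketched as an added PowerShell example that is not part of any poster's reply: it connects the drive letter only after the user confirms, never marks it persistent, and disconnects it when a timer expires. The share `\\fileserver01\projects`, the letter `P:` and the 30-minute window are hypothetical placeholders.

```powershell
# Added example: connect a share only when the user asks, then disconnect it.
# The defaults below are hypothetical placeholders, not values from the thread.
param(
    [string]$Share   = '\\fileserver01\projects',  # hypothetical UNC path
    [string]$Letter  = 'P:',                       # letter the hyperlinked documents expect
    [int]$Minutes    = 30                          # how long the mapping stays connected
)

function Test-Mapped([string]$Drive) {
    # "net use P:" exits 0 only when that letter is currently mapped
    net.exe use $Drive 2>$null | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Disconnect-Share([string]$Drive) {
    # /y answers the open-files prompt so the disconnect cannot hang
    if (Test-Mapped $Drive) { net.exe use $Drive /delete /y | Out-Null }
}

# Clear any mapping left over from a logon script or an earlier run,
# so the share is never connected before the user has confirmed.
Disconnect-Share $Letter

$answer = Read-Host "Connect $Letter to $Share for $Minutes minutes? (y/n)"
if ($answer -notmatch '^(y|yes)$') { Write-Host 'Not connected.'; return }

# /persistent:no keeps Windows from restoring the mapping at the next logon
net.exe use $Letter $Share /persistent:no | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not map $Letter to $Share (net use exit code $LASTEXITCODE)" }

try {
    $until = (Get-Date).AddMinutes($Minutes).ToString('HH:mm')
    Write-Host "$Letter is connected until $until. Press Ctrl+C to disconnect now."
    Start-Sleep -Seconds ($Minutes * 60)
}
finally {
    # Runs when the timer expires and when the user presses Ctrl+C
    Disconnect-Share $Letter
    Write-Host "$Letter disconnected."
}
```

While the drive is connected, any process running as that user can reach the share, so this shortens the exposure window rather than closing it. Closing the console window instead of waiting skips the disconnect, though the mapping still does not return at the next logon.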


#12 Didier Stevens


Posted 30 December 2014 - 12:38 PM

Yeah, that's what I thought, that you wanted to protect your network resources from malware like ransomware.

 

Do you have a clear view of all applications that access network resources? For example, is it only MS Office applications, or do you have a lot of other applications?

What version of Windows do you have on your workstations and servers?

 

I don't think an extra layer of authentication is the solution. Because your users would also be presented with a credentials dialog when malware tries to access network resources, and then users might be tempted to type their credentials because they don't understand malware is involved.

 

BTW, I suppose you make regular backups of your network resources and that restoring all corrupted files in case of an incident is considered too costly/time-consuming?




#13 littleroot


Posted 30 December 2014 - 12:58 PM


 

Yes, there are some applications using the network resources besides simple MS-Office.

 

It is easy to say nightly backups are good enough. However some file servers (Win 2012) are quite large with thousands of sub-folders and users 24/7 which can make the restore quite complex. Management may not want to invest in the technology for faster restores (like disk staging or advanced file systems like NetApp) which may get used only a few times a year. Typically the approach has been to make the IT systems less complex with less requirements for admins. I'm starting to think a system like NetApp which stores recent versions would be nice: make the users restore their own files via the ~snapshot folder, as I've seen in other corporations.

 

Good point about the secondary authentication but that comes down to training users to notice whether or not they initiated the access.



#14 Didier Stevens


Posted 30 December 2014 - 01:08 PM

I know backing up huge file servers is not easy, and then restoring can be even more difficult.

 

There are 2 directions I would look to for a potential solution:

 

1) have you looked at shadow copies? http://en.wikipedia.org/wiki/Shadow_Copy

2) do you know the Integrity Mechanism that was introduced into the kernel since Windows Vista? http://en.wikipedia.org/wiki/Mandatory_Integrity_Control

 

OK for training, but you will have many cases where it is not clear that the user initiated the access. For example, looking at Recent Items in the Start Menu. If there are network resources in your Recent Items, then this will trigger this credentials dialog.




#15 littleroot


Posted 30 December 2014 - 01:21 PM


Good ideas, Mr. Stevens. Our team is meeting soon and we will review both of these. Thank you





