File security rights confusing

[Paul]

Hi,

I have a folder on my server called "shared" and I have set full permissions
to the domain/administrator and domain/sharedusers.

The strange thing is that any notebook in my company can access this folder
by simply browsing the network, as long as the notebook users have logged in
as notebook/administrator i.e. local notebook administrator can browse the
folders on the server.

To test, if I delete the domain/administrator permissions on the network
folder, the notebook users lose their ability to browse the folders on the
server.

I had always thought that Windows 2000 server distinguishes between local
computer admin on the notebooks, and local computer admin on the server?

 

[Pegasus \(MVP\)]

Hi,

I have a folder on my server called "shared" and I have set full permissions
to the domain/administrator and domain/sharedusers.

The strange thing is that any notebook in my company can access this folder
by simply browsing the network, as long as the notebook users have logged in
as notebook/administrator i.e. local notebook administrator can browse the
folders on the server.

To test, if I delete the domain/administrator permissions on the network
folder, the notebook users lose their ability to browse the folders on the
server.

I had always thought that Windows 2000 server distinguishes between local
computer admin on the notebooks, and local computer admin on the server?

Windows does not care if a resource is being accessed by a
local or by a domain user. If the user presents a valid account/
password combination then he/she is given appropriate access.

 

[Paul]

Surely the notebook\administrator has a different SID than
server\administrator ?

Why does the server allow notebook\administrator browse files and folders
that have permissions set exclusively for server\administrator ?

 

[Pegasus \(MVP\)]

As I said before, only account names / passwords
matter. SIDs don't.

 

[Paul]

The passwords are different though, that's why I can't understand how the
notebook/administrator can browse folders on server under
server/administrator. Not only can they see the shared folders, but they can
browse and see all the system folders that have shares as well.

Is this a virus?

 

[Pegasus \(MVP\)]

No, this is not caused by a virus but by an oversight on
your part. To track it down you must create a precise
report of your permission structure. Here is how you can
do it.

On the server:
- Open a Command Prompt.
- Navigate to the parent of the "Shared" folder.
- Type this command:
cacls Shared > c:\test.txt
- Paste the contents of this file into your reply.

On a workstation:
- Log on as a local administrator.
- Open a Command Prompt.
- Type the following commands:
set > c:\test.txt
net user "%UserName%" >> c:\test.txt
net user "%UserName%" 26January >> c:\test.txt
(This will change to password to "26 January".)
- Log off, then log on again as a local administrator and
open a Command Prompt, then type these commands:
net user "%UserName%" >> c:\test.txt
dir \\YourServer\Shared 1>>c:\test.txt 2>>&1
- Paste the contents of this file into your reply.

 

[Paul]

The notebook user is on a biz trip. Will check when he gets back to office
and upload.

Thanks.

 

[Paul]

On the server:

cacls "Company Shared Folders" > c:\test.txt

F:\Company Shared Folders CRAYFISH\administratorOI)(CI)F
CRAYFISH\BackOffice Folder OperatorsOI)(CI)C


On the workstation:

set > c:\test.txt

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Sales777\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=IBM-0CA410C7F30
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Sales777
IBMSHARE=C:\IBMSHARE
LOGONSERVER=\\IBM-0CA410C7F30
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=c:\valueadd\sapdb-all-win-32bit-i386-7_4_3_32\sapdb-all-win-32bit-i386-
7_4_3_32\y\bin;c:\valueadd\sapdb-all-win-32bit-i386-7_4_3_32\sapdb-all-win-3
2bit-i386-7_4_3_32\y\pgm;C:\Program
Files\ThinkPad\Utilities;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\
Wbem;C:\Program Files\Intel\Wireless\Bin\;C:\Program Files\ATI
Technologies\ATI Control Panel;C:\WINDOWS\Downloaded Program
Files;C:\IBMTOOLS\Python22;C:\Program Files\PC-Doctor for
Windows\services;C:\AppServ\Apache2.2\bin;C:\AppServ\php5;C:\AppServ\MySQL\b
in
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.pyo;.pyc;.py;.pyw
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
PYTHONCASEOK=1
PYTHONPATH=C:\IBMTOOLS\utils\support;C:\IBMTOOLS\utils\logger
RRU=C:\Program Files\IBM\IBM Rapid Restore Ultra\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TCL_LIBRARY=C:\IBMTOOLS\Python22\tcl\tcl8.4
TEMP=C:\DOCUME~1\Sales777\LOCALS~1\Temp
TK_LIBRARY=C:\IBMTOOLS\Python22\tcl\tk8.4
TMP=C:\DOCUME~1\Sales777\LOCALS~1\Temp
USERDOMAIN=IBM-0CA410C7F30
USERNAME=Sales777
USERPROFILE=C:\Documents and Settings\Sales777
windir=C:\WINDOWS


net user "%UserName%" >> c:\test.txt

User name Sales777
Full Name
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 1/20/2006 4:02 AM
Password expires Never
Password changeable 1/20/2006 4:02 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/1/2007 1:36 PM

Logon hours allowed All

Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.

The command completed successfully.


net user "%UserName%" 26January >> c:\test.txt

User name Sales777
Full Name
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 2/1/2007 1:41 PM
Password expires Never
Password changeable 2/1/2007 1:41 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/1/2007 1:43 PM

Logon hours allowed All

Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.

net user "%UserName%" >> c:\test.txt

Z:\ <Account Domain not found>(OI)(CI)F
<Account Domain not found>(OI)(CI)C


dir \\YourServer\Shared 1>>c:\test.txt 2>>&1


Volume in drive \\CRAYFISH\Shared is data
Volume Serial Number is 008D-AA54

Directory of \\CRAYFISH\Shared

02/01/2007 01:41 PM <DIR> .
02/01/2007 01:41 PM <DIR> ..
11/10/2006 09:35 AM <DIR> 01 - HR & ADMIN
02/01/2007 08:56 AM <DIR> 02 - SALES
11/22/2005 10:31 AM <DIR> 03 - ACCOUNTS
01/26/2007 01:33 PM 477 50 - SOFTWARE.lnk
12/20/2006 12:57 PM <DIR> 99 - OTHER
02/01/2007 01:41 PM 851 net_user.txt
2 File(s) 1,328 bytes
6 Dir(s) 29,774,835,712 bytes free


Note: the &1 file handle variable returned a file locked error, so it was
ommitted.

 

[Paul]

The notebook user can browse all system folders, including exchange folders,
sysvol, and anything, just like the SYSTEM account on the server.

This is worrying because he can potentially change and delete system files
as well.

The notebook user is using WindowsXP. The Server is W2Ksp4.

 

[Paul]

Other things I find:

The notebook is not even in our company domain. It exists in its own
workgroup. It may have been part of the domain previously however as we
rotate h/w among staff.

The notebook can browse all the servers published shares and can access them
with full rights. This includes all system shares setup by Exchange, ISA, AD
upon installation etc. There are even shares I have never seen before as
domain administrator.

The funny thing is if I log in as (e-mail address removed), the notebook
can no longer browse shares that do not have administrator rights, and meets
all security policies of the domain. So as long as the notebook is outside
the domain, it completely ignores security policies.

 

[Pegasus \(MVP\)]

Well, everything turns out the way you said. Fascinating stuff!

Two observations:
a) I failed to ask you to run a command which shows
that the share "Shared" does indeed point at
?:\Company Shared Folders.
I suggest you run this command on the server to prove it
to everyone's satisfaction:
net share Shared
b) If the share details are correct there then we must assume a
malfunction within Windows. In this case I would do this on
the server:
1. Using My Computer, give my own account full access to
this folder and all subfolders.
2. Knock out all other accounts, including those whose name
cannot be resolved. Remember to include subfolders.
3. Seize ownership of this folder.
4. Give these accounts appropriate permissions:
System: F
Domain Admins: F
Backoffice Operators: C
again including the subfolders.

If this does not help then I would do this:
1. Create another Administrator account on the notebook and
check if the problem persists.
2. If it does not, delete and recreate the rogue account, then
copy the profile across.
3. If it does, ring Microsoft. It will cost you a certain fee if the
problem is self-inflicted, and nothing if you have found a bug.
Since your time is valuable, your company should have no
problem in justifying the expense.

I would be most interested in the result.

 

[Paul]

net share Shared

Share name shared
Path F:\Company Shared Folders
Remark Company Shared Folders
Maximum users No limit
Users Steve.T Morgan.N
The command completed successfully.