USERS group has the ability to change security permissions???

Guest

Hi all,

I've just learned today that if a user can get access to the Computer Management
console, he/she can go to "Logical Drives" and change the NTFS
permissions set on local hard disks. Besides removing the permissions set on
"compmgmt.msc" for the Users, Power Users, and Everyone groups, is there any
other way that I can set or disable so that the user won't have the ability
to mess with permissions again?

I am still really confused that the user can just have the ability to change
NTFS permissions like that. Please help!!!
 
Steven L Umbach

Are the users local administrators?? If so you will not be able to
effectively stop them from changing permissions. Assuming they are not, you
can modify permissions so that the user cannot change permissions. A user
needs Change Permissions, Full Control, or to be owner to change permissions.
You should check the permissions of an XP Pro or Windows 2003 Server
computer to get an idea of good default NTFS permissions, where by default a
regular user can change permissions only on their profile folder. --- Steve
 
Guest

No, the users do not belong to any of the Power Users or Administrators groups, AND
the NTFS permissions are set on local disks using those of Windows XP, as
follows:

- Administrators: Full Control
- Creator Owner: Full Control (Subfolders and Files)
- System: Full Control
- Users: Read & Execute (This Folder, Subfolders, and Files)
- Users: Create Folders / Append Data (This Folder and Subfolders)
- Users: Create Files / Write Data (Subfolders Only)
- Everyone: Read & Execute

I'll set up a clean machine tomorrow and test it against what I found today,
and will keep you posted. Thanks for checking this.
 
Steven L Umbach

I would be interested in the results on a clean machine. I would also verify
that the user is indeed not a local administrator, which can be easily done
with the "net user username" command on the local computer. Another thing
I would consider doing on a computer where a user is doing such is enabling
auditing of object access and then auditing the folders in question for
just "change permissions" to see if the user name that is changing the
permissions is indeed who you think they are, i.e. not using other credentials,
by viewing object access events in the security log. Though that is not a
real user-friendly procedure, the info is usually there. Users that have
physical access to a computer can easily use utilities to make themselves
local administrators if steps are not taken to disallow them to boot from
floppy, CD-ROM, etc. Often when confronted about how they are able to do
tasks that only administrators can do, they act stupid rather than admit they
hacked the computer. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
 
Roger Abell

Have you used the Advanced view in the NTFS permissions
dialog to make sure that there are no grants you have been
overlooking due to only viewing the generic grants?

Please open a cmd window, navigate (cd) to the root folder of
one of the locations where you say Users are able to do this but
NTFS is showing that they should not, and then run
cacls
and post the output.
 
Guest

Okay, here are the steps:
- clean install of Windows 2000 Professional (standalone)
- reconfigure the default Everyone permissions to those posted previously >
restart
- install all security updates through Windows Update
- create a user JohnDoe with password "password" and a user JaneDoe without
a password
- restart > log in using both users
RESULTS: permissions work as they are supposed to! PHEW!!!

So, I set up another machine and loaded the image that currently runs on so
many computers here, just to see if it's something related to the image that
I might have missed. The RESULT: user-level access can change NTFS
permissions when they right-click on local hard disks > Properties > Security.

THIS IS HOW I CREATED THE IMAGE FOR MASS DEPLOYMENT
- same steps as I wrote above, with a user "Public" without a password for
general access
- all required applications were installed and tested OK
- ran Sysprep, leaving every setting in Sysprep as default (meaning I just
clicked on Sysprep and let it go through whatever processes it needed
to go through, and then the computer automatically shut down)
- booted the system with Norton Ghost 2003 to create an image
- when done, rolled the image out to the other computers and went through
the simple initial setup steps (i.e. name, company, computer name, etc.)
- logged in with user "Public", and this user is able to change the NTFS
permissions.

I don't know where I got it wrong. If anyone has done the image with Norton
Ghost 2003 and had everything work fine, could you please show the way?
Thanks!
 
Roger Abell

Please use the Advanced view in the NTFS permissions dialog to
see if there are any Special permissions grants to Users or to a group
of which the test accounts are members.

When there is a generic grant and a special grant to the same entity
it is very easy to not see the special grant if only the generic grant
view is used. To complicate things, if there was a grant of Full
to say Users, and you use the generic view to reduce this, it is
possible to end up with what looks like a normal, generic grant
of read, or list, etc. when in fact use of the Advanced view will show
that some specific grant, such as the permission to change permissions
or to take ownership, is still being granted although not visible in
the generic view.
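A scripted form of the Advanced-view check described above, added here as an example and not something posted in the thread. It assumes PowerShell with Get-Acl on the machine being checked; the `$Path` default of `C:\` and the optional `-Fix` switch (which repeats the "remove Everyone and re-add it" step) are assumptions to adjust for your disk.

```powershell
# Added example: list Allow ACEs for Users or Everyone that carry the
# ChangePermissions or TakeOwnership bits, which the generic Security tab
# can hide behind what looks like a plain "Read & Execute" grant.
param(
    [string]$Path = 'C:\',   # assumed: root of the local disk under test
    [switch]$Fix             # assumed: purge Everyone and re-add Read & Execute
)

$Watch = @('BUILTIN\Users', 'Everyone')
$Risky = [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor `
         [System.Security.AccessControl.FileSystemRights]::TakeOwnership

$Acl = Get-Acl -Path $Path

# -band exposes the individual right bits regardless of how the GUI labels
# the entry; inherited and explicit ACEs are both examined.
$Hits = $Acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $Watch -contains $_.IdentityReference.Value -and
    (($_.FileSystemRights -band $Risky) -ne 0)
}

if (-not $Hits) {
    "No ChangePermissions/TakeOwnership grants to Users or Everyone on $Path"
    return
}

$Hits | Select-Object IdentityReference, FileSystemRights, IsInherited,
    InheritanceFlags, PropagationFlags | Format-Table -AutoSize

if ($Fix) {
    # Remediation matching the thread's resolution: drop every explicit
    # Everyone ACE, then re-add a plain Read & Execute that inherits to
    # subfolders and files. Review the table above before running with -Fix.
    $Everyone = [System.Security.Principal.NTAccount]'Everyone'
    $Acl.PurgeAccessRules($Everyone)
    $Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @(
            $Everyone,
            [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
    $Acl.AddAccessRule($Rule)
    Set-Acl -Path $Path -AclObject $Acl
}
```

Run it from an elevated prompt against the drive root; any row in the table is an entry the generic view would not have shown you clearly.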
 
Guest

Okay... it was my mistake. I found out that when reconfiguring the NTFS
permissions, the "Everyone" group had to be deleted and then re-added, in
order for the generic grants (i.e. delete subfolders and files, delete,
change permissions, take ownership, etc.) to be removed. Thanks again, all of you,
for looking into this.
 
Roger Abell

Good you have it sorted. Although per MS it was your mistake,
in my view it is MS's mistake that the ACL editor is now doing
this, unlike earlier versions of Windows, but so far I have not
found the right ear in MS to do something about it.
 