Windows permissions are ignored???

sv

Hi Everybody,

I am not a pro in Windows security and permissions and would really
appreciate it if somebody has encountered the same problem before.
We have a Windows 2003 domain and there are some network shares that
need to be protected.
For example, only the Managers group should have full access to the folder
"Secret stuff", which is owned by OurDomain\Administrators.
Permissions are not inherited from the upper directory structure and do
not propagate to child objects for this folder, and no other
users/groups are mentioned in the ACL.
Here comes the weird stuff.
I log on to my Windows 2000 workstation as a member of Domain
Administrators (I am not in the Managers group, however!) and I can
traverse this 'secret' folder, seeing filenames and the directory
structure. I cannot see the objects' security properties.
When I log on to another Windows 2000 or Windows 2003 machine, both
members of the same domain, all I get is an "Access denied" message,
exactly what is expected with this kind of permissions.

Am I missing something very basic, or is my computer possessed by dark
forces?
Please let me know what directions I should look in; any advice will be
greatly appreciated!
Steven L Umbach

Assuming all else is equal with the other computers in the domain as far as
proper configuration and network availability [including compatible ipsec
policies if used] to that server, I wonder if maybe you are accessing the
share via a mapped drive with persistent credentials, which is giving
you access other than your logged-on account. You could check that and also
on the server use Computer Management/shared folders/sessions to see as what
user account you are accessing the share and/or check the security logs on
the server for type 3 logon events that correspond to the time you access
the share. You could also try checking your effective permissions to that
folder/file in the security properties/advanced - effective permissions,
though that is not always accurate. --- Steve
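The checks Steve suggests, collected into an added PowerShell script (not from the thread; it assumes a Windows version with PowerShell, and the classic `net use`, `cmdkey`, `whoami` and `net session` tools). The client-side function shows what could be supplying an identity other than the interactive logon; the server-side function shows who each session really is and pulls type 3 (network) logons from the Security log:

```powershell
# Added diagnostic, not from the thread. Run Get-ClientShareIdentity on the
# CLIENT and Get-ServerShareSessions on the SERVER that hosts the share.

function Get-ClientShareIdentity {
    # Mapped drives and UNC connections currently open from this client.
    # A drive mapped with /USER: or /SAVECRED is served under that account,
    # not the interactive logon, which is the effect Steve describes.
    Write-Host "== Current connections (net use) =="
    net use

    # Stored alternate credentials in Credential Manager. cmdkey exists on
    # XP and later; on Windows 2000 look for persistent net use mappings.
    Write-Host "`n== Stored credentials (cmdkey /list) =="
    cmdkey /list

    # Group memberships in the CURRENT access token. A group added or
    # removed after logon does not show up here until logoff/logon.
    Write-Host "`n== Groups in the logon token (whoami /groups) =="
    whoami /groups
}

function Get-ServerShareSessions {
    param([int]$Hours = 1)

    # Who is connected to this server's shares, and under which account.
    Write-Host "== Open sessions (net session) =="
    net session

    # Network (type 3) logons in the last $Hours hours. Event ID 4624 is the
    # Vista/2008-and-later ID (assumption for modern systems); on Windows
    # 2003 the corresponding event is 540.
    Write-Host "`n== Network logons in the last $Hours hour(s) =="
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Logon Type:\s+3' } |
        ForEach-Object {
            # Pull the account and source address out of the message text.
            $acct = if ($_.Message -match 'New Logon:[\s\S]*?Account Name:\s+(\S+)') { $matches[1] } else { '?' }
            $src  = if ($_.Message -match 'Source Network Address:\s+(\S+)') { $matches[1] } else { '?' }
            [pscustomobject]@{ Time = $_.TimeCreated; Account = $acct; Source = $src }
        } | Format-Table -AutoSize
}
```

If `net use` on the client lists a drive to the server that was mapped with a different user, or `net session` on the server shows the workstation connected as an account other than the one you logged on with, the "ignored" permissions are simply being evaluated for that other account.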
sv

Thank you Steven!

I guess there might be something to do with persistent connections to
the mapped drive. When I reboot the machine, permissions are not ignored
anymore and I am denied access to the secure directories; however, the
connection is not established as 'persistent' in the login script. We do not
use ipsec policies on site.

I have also found out the other side of the issue. If I am given, for
example, read permissions to the X:/secure1 folder by someone from the
Managers group, I can read the X:/some_other_dir/secure2 folder, as if I
had become a member of some security group. Even when my permissions are
revoked, I am still able to access these objects until the computer is
rebooted. This is quite scary.
I have been testing out quite a few security tools (NTSEC Security
Tools 5.5, subinacl, etc.) on my computer and I wonder if I have changed
some security settings on my machine that might have caused this kind
of misbehaviour.

Thanks again for the reply!
Steven L Umbach

If you ever have any question regarding how you are authenticating to a
share, then as I suggested you can use Computer Management/shared
folders/sessions and the security logs on the server with the share to check
that. A mapped drive can be configured on the client computer with
persistent alternate credentials without any logon script, and XP Pro can
also use stored credentials, though you are not having the problem from a
Windows XP Pro computer.

It is normal to gain access if you are a member of any group that has
permissions to a folder/file. The exception is if deny permissions are used.
However, here is the kicker. An explicit allow permission overrides an
inherited deny permission, and an inherited allow permission could override
an inherited deny permission if the allow permission was granted at a folder
level closer to the folder where permissions are inherited than where the
deny permission was granted. Something to keep in mind.

Also keep in mind that when testing access to a folder, if your group
membership is changed [either added or deleted] while you are logged on, then
you need to log off and log on again to refresh your user access token, which
contains your group memberships and user rights. You can use the command
whoami, as in whoami /groups, to see the groups in your access token. You may
need to install the Support or RK tools to find whoami if it is not on your
computer. Another thing you can do to restrict access to a server is to
configure the user rights for "access this computer from the network" and "deny
access this computer from the network", though you should always try to
refrain from using deny permissions, as no permission or user right is an
implicit deny. If only the Managers group and administrators should access file
shares on the server or remotely manage via Computer Management, then I would
just have those two groups in the "access this computer from the network" user
right, which is an extra security step in case share/NTFS permissions are
inadvertently too permissive. --- Steve
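Two of the points in the reply above, the evaluation order of allow and deny ACEs and the "Access this computer from the network" user right, can be checked on a server with the added PowerShell below. It is not from the thread; it assumes a Windows version with PowerShell and `secedit`, and the folder path in the example call is a placeholder. `Get-Acl` returns the ACEs in stored DACL order, which is the order Windows consults them, so the script lists that order and flags any principal that has both an Allow and a Deny entry, reporting which one is reached first.

```powershell
# Added example, not from the thread. Shows a folder's DACL in evaluation
# order and the holders of the network logon user rights.

function Get-DaclEvaluationOrder {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path

    # Canonical DACL order is: explicit Deny, explicit Allow, inherited Deny,
    # inherited Allow, with ACEs inherited from the nearest parent ahead of
    # those from more distant ancestors. An access check stops at the first
    # ACE that decides a requested right, which is why an explicit Allow
    # beats an inherited Deny and a nearer inherited Allow beats a farther
    # inherited Deny.
    $i = 0
    $entries = foreach ($ace in $acl.Access) {
        $i++
        [pscustomobject]@{
            Order     = $i
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType      # Allow or Deny
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
    $entries | Format-Table -AutoSize | Out-String | Write-Host

    # Flag principals with both Allow and Deny ACEs and say which is hit first.
    $entries | Group-Object Identity | Where-Object {
        ($_.Group.Type -contains 'Allow') -and ($_.Group.Type -contains 'Deny')
    } | ForEach-Object {
        $first = $_.Group | Sort-Object Order | Select-Object -First 1
        Write-Warning ("{0}: Allow and Deny both present; the {1} ACE (inherited={2}) is evaluated first" -f
            $_.Name, $first.Type, $first.Inherited)
    }

    Write-Host "Owner: $($acl.Owner)"
    Write-Host "Inheritance from parent disabled: $($acl.AreAccessRulesProtected)"
}

function Get-NetworkLogonRights {
    # Exports the local security policy and shows who holds
    # "Access this computer from the network" (SeNetworkLogonRight) and
    # "Deny access to this computer from the network" (SeDenyNetworkLogonRight).
    # Values are listed as SIDs (for example *S-1-5-32-544 for Administrators).
    # Run as an administrator on the server.
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $tmp /quiet | Out-Null
    Select-String -Path $tmp -Pattern '^Se(Deny)?NetworkLogonRight' |
        ForEach-Object { $_.Line }
    Remove-Item $tmp -ErrorAction SilentlyContinue
}

# Example calls; the path is a placeholder for the protected share folder.
Get-DaclEvaluationOrder -Path 'X:\Secret stuff'
Get-NetworkLogonRights
```

After changing group membership, remember that the DACL listing will look correct while the test account's token is still the old one; `whoami /groups` on the client is what tells you which groups the access check actually sees until the next logoff/logon.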