
This question is unanswered on Super User, I thought it was the best place for it but no one knows. As it is related to a server, hoping it can be moved to server fault and someone can help me there.

Basically, I wanted to test security on a server. I made an ASP script that just lists the files in a directory. The user IIS logs in as is meant to be locked down and have access to only one folder. The script returned the number of folders and files, but got access denied on trying to read their actual names.

This user is called testlockdown and there is a group called lockeddown

I can go to any folder, right click and do properties then security, I click advanced and effective permissions.

If I check either the guest user or guests group, I can see there are no checkboxes. If I check the group object lockeddown, there are no checkboxes, but if I check the user testlockdown, there are a bunch (about 6) of objects that have ticks including list, read, create.

I have been tearing my hair out for about 2 hours trying to figure this out, turned on auditing, gone through the local security policy, created additional users, groups..

I have done all I think I can and I just can not figure out how it is getting these permissions and why / where they are coming from.

During my test, I created a new folder called foo; on creation it has inherited Administrator, Creator owner (and I'm not logged in as this user), System and the users group. However, under effective permissions, again, I have all the check boxes!

From paste of "net user testlockdown" I get

User name                    testlockdown
Full Name                    testlockdown
Comment                      User for testing security
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never
Password last set            28/06/2009 19:22
Password expires             Never
Password changeable          28/06/2009 19:22
Password required            Yes
User may change password     Yes
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   03/08/2009 03:56
Logon hours allowed          All
Local Group Memberships      *lockeddown
Global Group memberships     *None

The command completed successfully.

I see a star next to local group membership, but I can not find out what this means and do not know if it is relevant.

My best guess is that somehow, this user is getting permissions from the user group, however I can not see or understand why.

I hope I have given enough information. I am pulling my hair out over this! If you need any more information, I am happy to provide it.

Edit - I should say, I know I can add a deny permission, but that is not really the point as it should be unnecessary.

Thanks

crb
William Hilsum
  • I don't suppose it will be possible to move this to Server Fault, I thought it was more user related but it is something that does occur on servers and maybe they will have better luck knowing what to do :S – William Hilsum Aug 07 '09 at 21:38
  • I clicked close and it has bumped the message - I thought admins just get a notification and can close... if someone can answer it here, then great! otherwise hopefully it can be closed and moved. – William Hilsum Aug 24 '09 at 15:50
  • I've flagged the message for you - one of the mods should come along and move to server fault. – EvilChookie Sep 07 '09 at 16:15

3 Answers


What you are looking at is known as Special Permissions. I would highly recommend you read this article at Windows Security that covers and explains in detail how security on NTFS works.

Warning: Be careful when testing security with IIS. IIS has another layer of security which is not linked to NTFS; however, it will enforce NTFS permissions. Also, locking down folders for a specific user will not affect anonymous website access, where IIS uses its own account, and not the logged in user, to specify access.

BinaryMisfit
  • I'm sorry, this does not solve it - I disabled IIS's user and anonymous authentication and actually type in the details of the locked down user. I was shocked to see that the user had permission over folders, however at the end of the day the problem was discovered by using IIS but it is not related to it. I took a look at your link and it is good, but does not explain what is happening on my box - there is nothing set up for inheritance of special permissions. Thanks anyway for trying. – William Hilsum Aug 03 '09 at 13:46

Check with Process Monitor that the user that is accessing the files is the user you are expecting.

You can also see what rights the user is requesting.

If this all looks good, start looking at permissions using the subinacl utility.

crb

I found out that this was happening because any user (other than guest) is automatically a member of Authenticated Users, which in turn is a member of Users.

This means that by default, any user created is a member of users (even if you do not add them) so, even though I created a user that looks like it is fully locked down and a member of only one group (which only has permission over one directory), it still has full list permission over the Windows directory and other critical paths.

I am unsure how big hosts deal with this or even how control panels (such as Plesk) automate this, but my best guess is going to the root of each drive and having a deny on everything and then just manually allowing the home folder - it seems messy, but I don't know any other way to exclude a group from the Authenticated Users group.

Anyway, thanks for your help to others.

William Hilsum
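The membership chain described in the accepted answer (user → Authenticated Users → BUILTIN\Users → ACEs on the Windows directory) can be made visible with a short script. This is an added example, not code from the thread: it builds the set of SIDs a local account would carry in its logon token and lists every ACE on the given paths that applies to one of them, naming the identity that grants (or denies) the access. It assumes a standalone server with local accounts only, PowerShell 5.1 or later (for Get-LocalGroup / Get-LocalGroupMember), and enough rights to read the ACLs; the user name testlockdown and the paths are the ones from the question.

```powershell
# Added example (not part of the original thread): explain an "unexpected" effective
# permission by listing every ACE that applies to a local user, including those it
# receives through BUILTIN\Users because Authenticated Users is a member of that group.
# Assumes a standalone server (local accounts only) and PowerShell 5.1+.
function Get-TokenSids {
    param([string]$UserName)
    $acct = Get-LocalUser -Name $UserName
    $sids = [System.Collections.Generic.HashSet[string]]::new()
    [void]$sids.Add($acct.SID.Value)
    # Every non-guest logon carries these well-known SIDs; Authenticated Users
    # (S-1-5-11) is what drags BUILTIN\Users into the token.
    [void]$sids.Add('S-1-5-11')   # NT AUTHORITY\Authenticated Users
    [void]$sids.Add('S-1-1-0')    # Everyone
    # Local groups cannot contain other local groups, so one pass is enough:
    # add any group whose members include the user or a SID already collected.
    foreach ($g in Get-LocalGroup) {
        $members = Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue
        if ($members | Where-Object { $sids.Contains($_.SID.Value) }) {
            [void]$sids.Add($g.SID.Value)
        }
    }
    return $sids
}

function Get-ApplicableAces {
    param([string]$UserName, [string[]]$Paths)
    $sids = Get-TokenSids -UserName $UserName
    foreach ($p in $Paths) {
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            # Compare by SID so BUILTIN\Users and MACHINE\lockeddown both resolve correctly.
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($sids.Contains($sid)) {
                [pscustomobject]@{
                    Path      = $p
                    Via       = $ace.IdentityReference.Value   # e.g. BUILTIN\Users
                    Type      = $ace.AccessControlType         # Allow or Deny
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage with the account and locations from the question above.
Get-ApplicableAces -UserName 'testlockdown' -Paths "$env:SystemRoot", "$env:SystemDrive\" |
    Format-Table -AutoSize
```

A row whose Via column reads BUILTIN\Users on a path the account was never granted directly is the inheritance the question could not account for; Deny rows (such as the drive-root deny the answer proposes) are listed the same way, so the script also shows whether such a deny actually reaches the locked-down account.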