Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations bkrike on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Missing Something Fundamental About Secuirty

Status
Not open for further replies.
lameid

lameid

Programmer
Jan 31, 2001
4,212
US
We have a Windows Server 2008 R2 Sever that people RDP into.

It's been a while since I was an admin, Windows Server 2003 and no remote desktop users. In any case I'm thinking file permissions are least restrictive except when a deny is explicitly set.

I as a member of the Administrators Group have permission to more or less everything explicitly. If I remove the Users group permission from the D: drive which I am also a member, I can no longer view the drive contents, access is denied which is counter to my expectation. I'm guessing this is related to some sort of login context surrounding UAC or similar change?

In any case I don't know what terms to read up on to point me in the right direction as to why that is the case to see my way clear.

Fundamentally, I wanted to remove the List Folders permission form the users group as this is undesirable for an entire drive.

 
Sort by date Sort by votes
Stay clear of using the deny permission, it is should be used very little.

"In any case I'm thinking file permissions are least restrictive except when a deny is explicitly set." If you deny, it supercedes less restrictive permissions..a royal pain to managed a system where deny is used frequently, there are very very few instances where it should be used. Lastly you should not be applying permissions unless you have learned the basics.

There are very few groups administrator ( or an administrator) should be added into, there is no need, administrator should have no restrictions except those the OS applies. It is also dangerous, as you found out... used in the wrong place, you can lock yourself out of a server.

What you are looking for is Access Based Enumeration , using this, if a user does not have permissions to use/see a directory/file, for the user it does not exist...a great tool, makes up for some of the things Microsoft did not learn from Novell.




........................................
Chernobyl disaster..a must see pictorial

"Computers in the future may weigh no more than 1.5 tons."
Popular Mechanics, 1949
 
Upvote 0 Downvote
To sum up as this does not answer my question: There is something odd about permissions I'm seeing via the local Windows UI where a certain group (Administrators) does not seem to be in effect. I suspect it has to do with some sort of security context when logging into the machine (Remote Desktop)... I expect there is a name for this. I do not know this name to read up on it. What is it? Or is something else at work? Another possibility when I had another administrator log out and in and they told me they couldn't get to the drive they did something other than use their admin account? In the last scenario I would not have been able to access the drive either after the change but did not want to log out and in when seeing unexpected behavior, often the kiss of death if something is wrong.

"In any case I'm thinking file permissions are least restrictive except when a deny is explicitly set." If you deny, it supercedes less restrictive permissions..a royal pain to managed a system where deny is used frequently, there are very very few instances where it should be used. Lastly you should not be applying permissions unless you have learned the basics.
Click to expand...

Exactly my understanding. And I did not set deny, I left a group I was a member of with permissions (Administrators) and removed the Users group permission and did not have the permission to browse with windows explorer. Hence my assumption something has changed along the lines of security contexts similar to UAC (Apparently the Administrators group permission are not applied in all contexts). From my previous experience I had full expectation what I was doing would work as the least restrictive permissions from Administrators group should have been in effect. What I don't know is what MS calls these things to go read up on what has changed from my understanding from Windows Server 2003 (I have a more than basic understanding in that environment) or what else might be in effect.

Access-based Enumeration looks interesting but my fundamental problem is I do not want the users group to have permission to the entire drive and when removing USERS group (not denying), not kill the Administrators Group members permissions which exist and are correct. Seems like adding another group and adding using it would work but still does not tell me why that should be necessary. Nor if I add the Administrators group to it if that will have the same apparent security context limiting effect and not behave as I expect.
 
Upvote 0 Downvote
So it is UAC...


What I am gleaming is Administrators is a Special Group that requires an escalated OS event or RUN AS Administrator to use those permissions.

So everything since Windows Server 2008 and Vista on the client side will behave this way for file permissions.

Just another case of MS under documentation... Top search result for security to an MS site does not mention LUA for UAC nor least restrictive permissions. Because why would you want to understand what you are doing?

I'm thinking that in my case, "admins" should be in a new group and that group added to Administrators Group, the new group assigned appropriate permissions and Users Group permissions removed (set as desired).
 
Upvote 0 Downvote
Follow up, no domain can't add groups to other groups.

Hence the new question...
thread1674-1745856
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Billz66
  • Locked
  • Question
unable to instal msmq on server 2019 get sxs assembly missing
Replies
0
Views
382
Billz66
Billz66
ADB100
  • Locked
  • Question
Odd DNS lookups - not sure if there is something wrong with my DNS setup?
Replies
0
Views
135
ADB100
ADB100
ChrisBanks2014
  • Locked
  • Question
Connect link is missing under Printer Action on Internet Printing Web Page
Replies
0
Views
224
ChrisBanks2014
ChrisBanks2014
skyislandmaggie
  • Locked
  • Question
Two questions about my Windows 2008 network
Replies
1
Views
174
NetworkTek
NetworkTek
hgate73
  • Locked
  • Question
Server 2008 R2 domain name missing suffix (e.g. DOMAIN instead of DOMAIN.COM)
Replies
0
Views
162
hgate73
hgate73

Part and Inventory Search

Sponsor

Back
Top