Missing Something Fundamental About Secuirty
Missing Something Fundamental About Secuirty
(OP)
We have a Windows Server 2008 R2 Sever that people RDP into.
It's been a while since I was an admin, Windows Server 2003 and no remote desktop users. In any case I'm thinking file permissions are least restrictive except when a deny is explicitly set.
I as a member of the Administrators Group have permission to more or less everything explicitly. If I remove the Users group permission from the D: drive which I am also a member, I can no longer view the drive contents, access is denied which is counter to my expectation. I'm guessing this is related to some sort of login context surrounding UAC or similar change?
In any case I don't know what terms to read up on to point me in the right direction as to why that is the case to see my way clear.
Fundamentally, I wanted to remove the List Folders permission form the users group as this is undesirable for an entire drive.
It's been a while since I was an admin, Windows Server 2003 and no remote desktop users. In any case I'm thinking file permissions are least restrictive except when a deny is explicitly set.
I as a member of the Administrators Group have permission to more or less everything explicitly. If I remove the Users group permission from the D: drive which I am also a member, I can no longer view the drive contents, access is denied which is counter to my expectation. I'm guessing this is related to some sort of login context surrounding UAC or similar change?
In any case I don't know what terms to read up on to point me in the right direction as to why that is the case to see my way clear.
Fundamentally, I wanted to remove the List Folders permission form the users group as this is undesirable for an entire drive.
RE: Missing Something Fundamental About Secuirty
"In any case I'm thinking file permissions are least restrictive except when a deny is explicitly set." If you deny, it supercedes less restrictive permissions..a royal pain to managed a system where deny is used frequently, there are very very few instances where it should be used. Lastly you should not be applying permissions unless you have learned the basics.
There are very few groups administrator ( or an administrator) should be added into, there is no need, administrator should have no restrictions except those the OS applies. It is also dangerous, as you found out... used in the wrong place, you can lock yourself out of a server.
What you are looking for is Access Based Enumeration , using this, if a user does not have permissions to use/see a directory/file, for the user it does not exist...a great tool, makes up for some of the things Microsoft did not learn from Novell.
https://technet.microsoft.com/en-us/library/cc7847...
........................................
Chernobyl disaster..a must see pictorial
http://www.kiddofspeed.com/default.htm
"Computers in the future may weigh no more than 1.5 tons."
Popular Mechanics, 1949
RE: Missing Something Fundamental About Secuirty
Exactly my understanding. And I did not set deny, I left a group I was a member of with permissions (Administrators) and removed the Users group permission and did not have the permission to browse with windows explorer. Hence my assumption something has changed along the lines of security contexts similar to UAC (Apparently the Administrators group permission are not applied in all contexts). From my previous experience I had full expectation what I was doing would work as the least restrictive permissions from Administrators group should have been in effect. What I don't know is what MS calls these things to go read up on what has changed from my understanding from Windows Server 2003 (I have a more than basic understanding in that environment) or what else might be in effect.
Access-based Enumeration looks interesting but my fundamental problem is I do not want the users group to have permission to the entire drive and when removing USERS group (not denying), not kill the Administrators Group members permissions which exist and are correct. Seems like adding another group and adding using it would work but still does not tell me why that should be necessary. Nor if I add the Administrators group to it if that will have the same apparent security context limiting effect and not behave as I expect.
RE: Missing Something Fundamental About Secuirty
http://stackoverflow.com/questions/3044901/windows...
What I am gleaming is Administrators is a Special Group that requires an escalated OS event or RUN AS Administrator to use those permissions.
So everything since Windows Server 2008 and Vista on the client side will behave this way for file permissions.
Just another case of MS under documentation... Top search result for security to an MS site does not mention LUA for UAC nor least restrictive permissions. Because why would you want to understand what you are doing?
I'm thinking that in my case, "admins" should be in a new group and that group added to Administrators Group, the new group assigned appropriate permissions and Users Group permissions removed (set as desired).
RE: Missing Something Fundamental About Secuirty
Hence the new question...
thread1674-1745856: Standalone Terminal Server - Any reason not to Add AD (Domain)?