Missing Something Fundamental About Security


(OP)
We have a Windows Server 2008 R2 server that people RDP into.

It's been a while since I was an admin, Windows Server 2003 and no remote desktop users. In any case I'm thinking file permissions are least restrictive except when a deny is explicitly set.

I, as a member of the Administrators group, have permission to more or less everything explicitly. If I remove the permission of the Users group (of which I am also a member) from the D: drive, I can no longer view the drive contents; access is denied, which is counter to my expectation. I'm guessing this is related to some sort of login context surrounding UAC or a similar change?

In any case I don't know what terms to read up on to point me in the right direction as to why that is the case to see my way clear.

Fundamentally, I wanted to remove the List Folders permission from the Users group, as this is undesirable for an entire drive.

RE: Missing Something Fundamental About Security

Stay clear of using the deny permission; it should be used very little.

"In any case I'm thinking file permissions are least restrictive except when a deny is explicitly set." If you deny, it supersedes less restrictive permissions... a royal pain to manage a system where deny is used frequently; there are very, very few instances where it should be used. Lastly, you should not be applying permissions unless you have learned the basics.

There are very few groups administrator (or an administrator) should be added into; there is no need, administrator should have no restrictions except those the OS applies. It is also dangerous, as you found out... used in the wrong place, you can lock yourself out of a server.

What you are looking for is Access Based Enumeration. Using this, if a user does not have permissions to use/see a directory/file, for the user it does not exist... a great tool, makes up for some of the things Microsoft did not learn from Novell.

https://technet.microsoft.com/en-us/library/cc7847...

........................................
Chernobyl disaster..a must see pictorial
http://www.kiddofspeed.com/default.htm

"Computers in the future may weigh no more than 1.5 tons."
Popular Mechanics, 1949

RE: Missing Something Fundamental About Security

(OP)
To sum up as this does not answer my question: There is something odd about permissions I'm seeing via the local Windows UI where a certain group (Administrators) does not seem to be in effect. I suspect it has to do with some sort of security context when logging into the machine (Remote Desktop)... I expect there is a name for this. I do not know this name to read up on it. What is it? Or is something else at work? Another possibility when I had another administrator log out and in and they told me they couldn't get to the drive they did something other than use their admin account? In the last scenario I would not have been able to access the drive either after the change but did not want to log out and in when seeing unexpected behavior, often the kiss of death if something is wrong.

Quote:

"In any case I'm thinking file permissions are least restrictive except when a deny is explicitly set." If you deny, it supersedes less restrictive permissions... a royal pain to manage a system where deny is used frequently; there are very, very few instances where it should be used. Lastly, you should not be applying permissions unless you have learned the basics.

Exactly my understanding. And I did not set deny; I left a group I was a member of with permissions (Administrators) and removed the Users group permission and did not have the permission to browse with Windows Explorer. Hence my assumption something has changed along the lines of security contexts similar to UAC (apparently the Administrators group permissions are not applied in all contexts). From my previous experience I had full expectation what I was doing would work, as the least restrictive permissions from the Administrators group should have been in effect. What I don't know is what MS calls these things to go read up on what has changed from my understanding from Windows Server 2003 (I have a more than basic understanding in that environment) or what else might be in effect.

Access-based Enumeration looks interesting but my fundamental problem is I do not want the users group to have permission to the entire drive and when removing USERS group (not denying), not kill the Administrators Group members permissions which exist and are correct. Seems like adding another group and adding using it would work but still does not tell me why that should be necessary. Nor if I add the Administrators group to it if that will have the same apparent security context limiting effect and not behave as I expect.

RE: Missing Something Fundamental About Security

(OP)
So it is UAC...

http://stackoverflow.com/questions/3044901/windows...

What I am gleaning is Administrators is a Special Group that requires an escalated OS event or RUN AS Administrator to use those permissions.

So everything since Windows Server 2008 and Vista on the client side will behave this way for file permissions.

Just another case of MS under-documentation... Top search result for security to an MS site does not mention LUA for UAC nor least restrictive permissions. Because why would you want to understand what you are doing?

I'm thinking that in my case, "admins" should be in a new group and that group added to Administrators Group, the new group assigned appropriate permissions and Users Group permissions removed (set as desired).
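
The behaviour this thread arrives at, as an added example that is not part of any post: a simplified Python model of the DACL access check in which a non-elevated (UAC-filtered) token carries Administrators as a deny-only group. The group name `ServerAdmins`, the one-bit `LIST_FOLDER` mask and all sample tokens and ACLs are constructed, and the model assumes only the Administrators SID is marked deny-only.

```python
# Simplified model of the Windows DACL access check (added example).
# Ignores owner rights, privileges, integrity levels and inheritance.
from collections import namedtuple

Ace = namedtuple("Ace", "kind sid mask")   # kind is "allow" or "deny"
LIST_FOLDER = 0x1   # constructed stand-in for the "List folder" right

def access_check(token, dacl, desired):
    """token maps group SID -> deny_only flag (SE_GROUP_USE_FOR_DENY_ONLY).
    Returns True if every bit in `desired` is granted before a deny matches."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False              # deny-only SIDs still match deny ACEs
        if ace.kind == "allow" and not token[ace.sid]:
            remaining &= ~ace.mask    # deny-only SIDs never match allow ACEs
        if remaining == 0:
            return True
    return False                      # nothing granted the rest: implicit deny

def filtered(token):
    """UAC-style filtered token. Assumption: only Administrators turns deny-only."""
    return {sid: sid == "Administrators" for sid in token}

# Constructed sample data: an admin account, optionally in a custom group.
ELEVATED = {"Users": False, "Administrators": False}
WITH_CUSTOM = {**ELEVATED, "ServerAdmins": False}   # hypothetical group name

DACL_BEFORE = [Ace("allow", "Administrators", LIST_FOLDER),
               Ace("allow", "Users", LIST_FOLDER)]
DACL_AFTER = [Ace("allow", "Administrators", LIST_FOLDER)]   # Users ACE removed
DACL_CUSTOM = DACL_AFTER + [Ace("allow", "ServerAdmins", LIST_FOLDER)]

CASES = [
    ("non-elevated, Users ACE present", filtered(ELEVATED), DACL_BEFORE),
    ("non-elevated, Users ACE removed", filtered(ELEVATED), DACL_AFTER),
    ("elevated, Users ACE removed", ELEVATED, DACL_AFTER),
    ("non-elevated, custom group ACE", filtered(WITH_CUSTOM), DACL_CUSTOM),
]

if __name__ == "__main__":
    for name, token, dacl in CASES:
        verdict = "granted" if access_check(token, dacl, LIST_FOLDER) else "denied"
        print(f"{name}: {verdict}")
```

On a real server, `whoami /groups` in a non-elevated prompt shows the same state: BUILTIN\Administrators is listed with the attribute "Group used for deny only".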
