W2K Roaming Profiles security concern?

From: Bowden, Zeb (zbowden@VT.EDU)
Date: 03/04/03

    Date:         Tue, 4 Mar 2003 12:48:12 -0500
    From: "Bowden, Zeb" <zbowden@VT.EDU>

    In an attempt to build end-user storage space on a network attached storage device, we've run into what we consider a security concern.

    Scenario: All systems running W2K SP3. Domain structure is small, just one domain with everything running in the root of the AD. All systems are members of this domain.

    A server called 'ServerA' is set up with a folder called 'FolderA', which we share as 'ShareA', so the path to the share is <\\ServerA\ShareA>.

    ShareA has the following permissions:
    Share level: Authenticated Users -> Change, Read

    FolderA has the following permissions:
    NTFS level: ServerA\Admins -> Full Control

    Within ShareA are folders corresponding to different users; an example path would be <\\ServerA\ShareA\user1>. The user1 folder would inherit permissions from the NTFS permissions of FolderA and receive the following permissions:

    NTFS level: DOMAIN\user1 -> all rights except Full control, take ownership, change permissions, and delete subfolders

    Then we set the profilepath property for DOMAIN\user1 to <\\ServerA\ShareA\user1\profile> to set up a roaming profile for user1.

    ** we do not create a folder called profile for user1**

    When user1 logs into a workstation within the domain, the folder called profile will be created automatically by something (System maybe?) on ServerA. However, when you look at the rights to the profile folder, user1 and System have EXPLICIT 'Full Control' of the folder and all subfolders/files, and the profile folder did not inherit the permissions set on the user1 folder, thus OVERRIDING NTFS permissions!

    This appears to be a vulnerability because now ServerA\Admins have no rights to <\\ServerA\ShareA\user1\profile>. They can log on to ServerA locally, take ownership, etc. and get the space back, but it was never their intention to allow user1 the ability to have Full Control of anything within the user1 folder. Is this the intended design for how roaming profiles work?

    MS KB related article which seems to say this IS the way it's supposed to work in 2000 but will be corrected in 2003:

    Zeb Bowden
    VT.IS&C.IAD.MIG:Application Developer
