W2K Roaming Profiles security concern?

From: Bowden, Zeb (zbowden@VT.EDU)
Date: 03/04/03

  • Next message: Russ: "Alert: New Worm - W32/Deloder on TCP445"
    Date:         Tue, 4 Mar 2003 12:48:12 -0500
    From: "Bowden, Zeb" <zbowden@VT.EDU>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    In an attempt to build end-user storage space on a network attached storage device, we've run into what we consider a security concern.

    Scenario: All systems running W2K SP3. Domain structure is small, just one domain with everything running in the root of the AD. All systems are members of this domain.

    A server called 'ServerA' is set up with a folder called 'FolderA' which we share as 'ShareA' so the path to the share is <\\ServerA\ShareA>

    ShareA has the following permissions:
    Share level: Authenticated Users -> Change, Read

    FolderA has the following permissions:
    NTFS level: ServerA\Admins -> Full Control

    within ShareA are folders corresponding to different users, an example path would be <\\ServerA\ShareA\user1> the user1 folder would inherit permissions from the NTFS permissions of FolderA and receive the following permissions:

    NTFS level: DOMAIN\user1 -> all rights except Full control, take ownership, change permissions, and delete subfolders

    Then we set the profilepath property for DOMAIN\user1 to <\\ServerA\ShareA\user1\profile> to set up a roaming profile for user1.

    ** we do not create a folder called profile for user1**

    When user1 logs into a workstation within the domain, the folder called profile will be created automatically by something (System maybe?) on ServerA, however when you look at the rights to the profile folder user1 and System have EXPLICIT 'Full Control' of the folder and all subfolders/files and the profile folder did not inherit the permissions set on the user1 folder, thus OVERRIDING NTFS permissions!

    This appears to be vulnerability because now ServerA\Admins have no rights to <\\ServerA\ShareA\user1\profile>. They can logon to ServerA locally, take ownership, etc. and get the space back but it was never their intention to allow user1 the ability to have Full Control of anything within the user1 folder. Is this the intended design for how roaming profiles work?

    MS KB related article which seems to say this IS the way its supposed to work in 2000 but will be corrected in 2003:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/New_Features_And_Changes.asp

    Zeb Bowden
    VT.IS&C.IAD.MIG:Application Developer
    http://vtmig.w2k.vt.edu
    zbowden@vt.edu

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Have you discovered a security vulnerability related to Windows or a
    commercial product which runs on Windows?

    Need assistance crafting the format or translating your advisory to English?

    Need to verify it, or having problems contacting the Vendor?

    Contact mailto:Advisories@NTBugtraq.com

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo


  • Next message: Russ: "Alert: New Worm - W32/Deloder on TCP445"

    Relevant Pages

    • RE: What server hardening are you doing these days?
      ... permissions on their data, and Microsoft encourages ISVs to minimize ... I've been able to discuss ACLs and other security issues in Windows with ... Control or DAC (which is what you're referring to by the "stupid ...
      (Focus-Microsoft)
    • Re: Password Protect IExplore
      ... You can protect the files and folders you store on your computer to make ... To set, view, change, or remove special permissions for files and folders ... clear the Inherit from parent the permission entries that apply ... To configure security so that the subfolders and files will not ...
      (microsoft.public.internet.explorer.ieak)
    • Re: Removing the Internet Security in SP2
      ... I have come up with a solution that does not disable Security Center, ... By changing the Permissions of that key, ... settings from being changed again. ... the firewall alert settings in Security Center get ...
      (microsoft.public.windowsxp.security_admin)
    • RE: Any way to remove ADMIN$ only?
      ... partition to allow you to set local permissions. ... Network Security Specialist ... Any way to remove ADMIN$ only? ... default security of Windows drives. ...
      (Focus-Microsoft)
    • Re: Windows Firewall Wont Stay On
      ... I have come up with a solution that does not disable Security Center, ... By changing the Permissions of that key, ... settings from being changed again. ... the firewall alert settings in Security Center get ...
      (microsoft.public.windowsxp.help_and_support)