RE: Computer accounts in NTFS permissions
From: Jim Masson (jmasson_at_exchange.microsoft.com)
Date: 02/25/05
- Previous message: Robert Abela: "Terminal Services - Domain Controller - Normal User"
- Maybe in reply to: Daniel Schmidt: "Computer accounts in NTFS permissions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 25 Feb 2005 08:49:33 -0800
To: "Miroslaw Slawek Chorazy" <mchorazy@depaul.edu>, <dschmidt@buddyrents.com>, <bkmlstsgohere@comcast.net>
I'm not an expert here, but I do happen to recall the story on this
particular question.
The basic rule is that when accessing local resources, LocalSystem and
NetworkService use their well known SIDs (S-1-5-18 and S-1-5-20), just
as you would expect. When going out over the network, processes running
under those accounts use the computer's SID.
So, if you want a service running as Local System or Network Service on
machine B to access a file share on machine A, you need to ensure that
machine B's SID is granted access (or a group that machine B is in) to
both the share (using the share ACL) and the underlying files using the
NTFS ACLs. By default, all computer accounts in a domain are members of
the "Authenticated Users" and "Domain Computers" security groups.
Security filtering in Group Policy for computer policies works using
this mechanism - the policy processing code on the client (running as
LocalSystem) goes and talks to the domain controller, and policies that
the computer account is unable to see are automatically skipped.
You can read more in this article (just look for the LocalSystem and
Network Service well known SIDs)
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_sids_how.asp
Cheers,
-Jim
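As an added illustration, not part of any message in this thread, here is the share-plus-NTFS grant Jim describes, written as a PowerShell script run on machine A (the file server). The domain name CONTOSO, the computer account SRVB$ (machine B), the share name Data and the path C:\Shares\Data are assumed placeholders.

```powershell
# Added example, not from the thread. Grants machine B's computer account
# read access at BOTH layers a remote LocalSystem/NetworkService caller
# must pass: the share ACL and the NTFS ACL of the shared folder.
# All names below are hypothetical; substitute your own.
$Domain    = 'CONTOSO'
$Computer  = 'SRVB$'                 # computer account names end in '$'
$Principal = "$Domain\$Computer"
$ShareName = 'Data'
$Path      = 'C:\Shares\Data'

# Layer 1: share ACL (SmbShare module, Windows Server 2012 / PowerShell 3+)
Grant-SmbShareAccess -Name $ShareName -AccountName $Principal `
    -AccessRight Read -Force

# Layer 2: NTFS ACL, ReadAndExecute inherited by subfolders and files
$account = New-Object System.Security.Principal.NTAccount($Principal)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify that the computer account now appears in both ACLs. A missing
# entry at either layer is enough for the remote service to get
# access denied, because the effective permission is the more
# restrictive of the two.
Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -eq $Principal }
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal }
```

Granting "Domain Computers" instead of a single computer account follows the same steps; it is broader, so prefer the individual account or a purpose-built group when only one machine needs the share.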
-----Original Message-----
From: Miroslaw Slawek Chorazy [mailto:mchorazy@depaul.edu]
Sent: Wednesday, February 23, 2005 2:24 PM
To: dschmidt@buddyrents.com; bkmlstsgohere@comcast.net
Cc: focus-ms@securityfocus.com
Subject: Re: Computer accounts in NTFS permissions
Marshall
>The computer account -- not System or some other account on the computer --
>isn't ever going to be accessing files (at least not in any examples I can
>think of).
In an AD environment, the computer account will indeed be used during
the startup process and will need appropriate permissions and rights
associated with it to read AD Objects like GPOs and scripts.
In some environments, the AD DNS dynamic name registration is also
performed using the SID associated with the Computer.
slawek
>>> "Bruce K. Marshall" <bkmlstsgohere@comcast.net> 2/23/2005 14:23 >>>
Daniel,
The computer account -- not System or some other account on the computer --
isn't ever going to be accessing files (at least not in any examples I can
think of). And permissions won't be enforced just because a user or service
account happens to be operating from that computer. So, using a
computer security principal in NTFS ACLs won't have any effect.
If a service on the computer is trying to access the file then you should be
able to set up NTFS ACLs using the appropriate account (System, Local
Service, Network Service, etc.).
----
Bruce K. Marshall - bmarshall@securityps.com
Security PS - Kansas City
----- Original Message -----
From: "Daniel Schmidt" <dschmidt@buddyrents.com>
To: <focus-ms@securityfocus.com>
Sent: Wednesday, February 23, 2005 9:32 AM
Subject: Computer accounts in NTFS permissions
> It is my understanding that computer accounts can be used as security
> principals, but using them in a NTFS ACL seems to have no effect. Does
> computer account authentication only authorize accesses from the SYSTEM
> account? Can anyone point me toward some useful reading on the subject?
>
> Daniel Schmidt