RE: Computer accounts in NTFS permissions

From: Jim Masson (jmasson_at_exchange.microsoft.com)
Date: 02/25/05

  • Next message: Tomasz Onyszko: "Re: Terminal Services - Domain Controller - Normal User"
    Date: Fri, 25 Feb 2005 08:49:33 -0800
    To: "Miroslaw Slawek Chorazy" <mchorazy@depaul.edu>, <dschmidt@buddyrents.com>, <bkmlstsgohere@comcast.net>
    
    

    I'm not an expert here, but I do happen to recall the story on this
    particular question.

    The basic rule is that when accessing local resources, LocalSystem and
    NetworkService use their well-known SIDs (S-1-5-18 and S-1-5-20), just
    as you would expect. When going out over the network, processes running
    under those accounts use the computer's SID.

    So, if you want a service running as Local System or Network Service on
    machine B to access a file share on machine A, you need to ensure that
    machine B's SID is granted access (or a group that machine B is in) to
    both the share (using the share ACL) and the underlying files using the
    NTFS ACLs. By default, all computer accounts in a domain are members of
    the "Authenticated Users" and "Domain Computers" security groups.

    Security filtering in Group Policy for computer policies works using
    this mechanism - the policy processing code on the client (running as
    LocalSystem) goes and talks to the domain controller, and policies that
    the computer account is unable to see are automatically skipped.

    You can read more in this article (just look for the LocalSystem and
    Network Service well-known SIDs):

    http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_sids_how.asp

    Cheers,

    -Jim

    -----Original Message-----
    From: Miroslaw Slawek Chorazy [mailto:mchorazy@depaul.edu]
    Sent: Wednesday, February 23, 2005 2:24 PM
    To: dschmidt@buddyrents.com; bkmlstsgohere@comcast.net
    Cc: focus-ms@securityfocus.com
    Subject: Re: Computer accounts in NTFS permissions

    Marshall
    >The computer account -- not System or some other account on the
    >computer -- isn't ever going to be accessing files (at least not in any
    >examples I can think of).

    In an AD environment, the computer account will indeed be used during
    the startup process and will need appropriate permissions and rights
    associated with it to read AD Objects like GPOs and scripts.
    In some environments, the AD DNS dynamic name registration is also
    performed using the SID associated with the Computer.

    slawek

    >>> "Bruce K. Marshall" <bkmlstsgohere@comcast.net> 2/23/2005 14:23 >>>
    Daniel,

    The computer account -- not System or some other account on the
    computer -- isn't ever going to be accessing files (at least not in any
    examples I can think of). And permissions won't be enforced just because
    a user or service account happens to be operating from that computer.
    So, using a computer security principal in NTFS ACLs won't have any
    effect.

    If a service on the computer is trying to access the file then you
    should be able to set up NTFS ACLs using the appropriate account (System,
    Local Service, Network Service, etc.).

    ----
    Bruce K. Marshall - bmarshall@securityps.com 
    Security PS - Kansas City
    ----- Original Message ----- 
    From: "Daniel Schmidt" <dschmidt@buddyrents.com>
    To: <focus-ms@securityfocus.com>
    Sent: Wednesday, February 23, 2005 9:32 AM
    Subject: Computer accounts in NTFS permissions
    > It is my understanding that computer accounts can be used as
    > security principals, but using them in an NTFS ACL seems to have no
    > effect. Does computer account authentication only authorize accesses
    > from the SYSTEM account?  Can anyone point me toward some useful
    > reading on the subject?
    >
    > Daniel Schmidt 
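As an added illustration (not part of the thread and not code from any of the posters), the following PowerShell script carries out the two grants Jim describes: the computer account of machine B is given Read on the share ACL and ReadAndExecute on the NTFS ACL of the shared folder on machine A, and the resulting entries on both layers are listed. It first resolves the account name to its SID so you can see it is a domain machine SID (S-1-5-21-...) rather than S-1-5-18 or S-1-5-20. The domain name CONTOSO, the machine name MACHINEB, the folder D:\Shares\SvcData and the share name SvcData are assumptions; the SmbShare cmdlets require Windows Server 2012 / Windows 8 or later, so on the 2003-era systems discussed in the thread the share ACL would be set through the Sharing tab or net share instead.

```powershell
# Added example, not from the thread: grant a computer account access to a
# share and the underlying NTFS folder on the file server, then show the
# resulting entries. Run in an elevated PowerShell on the file server
# (machine A in the thread's terms).
# Assumptions: domain CONTOSO, client machine MACHINEB (account
# CONTOSO\MACHINEB$), folder D:\Shares\SvcData, share name SvcData.

$Domain    = 'CONTOSO'                  # assumption
$Computer  = 'MACHINEB'                 # assumption: the machine whose service needs access
$Principal = "$Domain\$Computer`$"      # computer accounts end in '$'
$Path      = 'D:\Shares\SvcData'        # assumption
$ShareName = 'SvcData'                  # assumption

# 1. Resolve the computer account to its SID. It should be a domain machine
#    SID (S-1-5-21-...-RID); S-1-5-18 / S-1-5-20 are the local well-known
#    SIDs and are never what arrives over the network.
$sid = ([System.Security.Principal.NTAccount]$Principal).Translate(
           [System.Security.Principal.SecurityIdentifier])
"$Principal resolves to $($sid.Value)"

# 2. Create the folder and the share if they do not exist yet.
if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -FullAccess 'BUILTIN\Administrators' | Out-Null
}

# 3. Share ACL: the computer account needs at least Read here ...
Grant-SmbShareAccess -Name $ShareName -AccountName $Principal `
    -AccessRight Read -Force | Out-Null

# 4. ... and NTFS ACL: ReadAndExecute on the folder, inherited by the
#    subfolders and files beneath it.
$acl  = Get-Acl -Path $Path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Principal,
            [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
            ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 5. Show what the computer account now holds on each layer; access over the
#    network succeeds only if both grants are present.
Get-SmbShareAccess -Name $ShareName | Where-Object AccountName -eq $Principal
(Get-Acl -Path $Path).Access | Where-Object IdentityReference -eq $Principal |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

If you would rather not grant one machine at a time, replace $Principal with "$Domain\Domain Computers" (or a narrower group the machines are members of), which is the same mechanism Jim mentions for the default group memberships. On the file server, a successful connection from the service shows up in the Security log as a network logon for CONTOSO\MACHINEB$, which is a convenient way to confirm that the computer SID, not LocalSystem or NetworkService, is what is being presented.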
