Re: USERS group has the ability to change security permissions???

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 05/07/05


Date: Fri, 6 May 2005 18:23:53 -0700

Please use the Advanced view in the NTFS permissions dialog to
see if there are any Special permissions grants to Users or to a group
of which the test accounts are members.

When there is a generic grant and a special grant to the same entity
it is very easy to not see the special grant if only the generic grant
view is used. To complicate things, if there was a grant of Full
to say Users, and you use the generic view to reduce this it is
possible to end up with what looks like a normal, generic grant
of read, or list, etc. when in fact use of Advanced view will show
that some specific grant, such as the permission to change permissions,
or to take ownership, is still being granted although not visible in
the generic view.

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Silly" <Silly@discussions.microsoft.com> wrote in message
news:F455353F-FB0F-4B29-BEEF-50B42FA1110E@microsoft.com...
> Okay, here are the steps:
> - clean install of windows 2000 professional (standalone)
> - reconfigure default everyone's permissions to those posted previously > restart
> - install all security updates through windows update
> - create a user JohnDoe with password "password" and user JaneDoe without
> password
> - restart > login using both users
> RESULTS: permissions work as they are supposed to! PHEW!!!
>
> So, I setup another machine and load the image that is currently run on so
> many computers here, just to see if it's something related to the image that
> I might have missed, the RESULT: user level access can change NTFS
> permissions when they right click on local hard disks > properties > security.
>
> THIS IS HOW I CREATED THE IMAGE FOR MASS DEPLOYMENT
> - Same steps as I wrote above with a user "Public" without password for
> general access
> - all required applications were installed and tested OK
> - ran Sysprep, leaving every setting in Sysprep as default (meaning I just
> clicked on Sysprep and let it go through whatever processes that it needed
> to go through, and then the computer is automatically shut down).
> - booted system with Norton Ghost 2003 to create an image
> - when done, rolled the image out to the other computers, went through
> simple initial setup steps (i.e. Name, company, computer name, etc.)
> - login with user "Public" and this user is able to change the NTFS
> permissions.
>
> I don't know where I got it wrong, if anyone has done the image with Norton
> Ghost 2003 and had everything work fine, could you please show the way?
> thanks!
>
>
> "Steven L Umbach" wrote:
>
> > I would be interested in the results on a clean machine. I would also verify
> > that the user is indeed not a local administrator which can be easily done
> > with the " net user username " command on the local computer. Another thing
> > I would consider doing on a computer where a user is doing such is enabling
> > auditing of object access and then auditing the folders in question for
> > just "change permission" to see if the user name that is changing the
> > permission is indeed who you think they are - IE not using other credentials
> > by viewing object access events in the security log though that is not a
> > real user friendly procedure the info is usually there.  Users that have
> > physical access to a computer can easily use utilities to make themselves
> > local administrators if steps are not taken to disallow them to boot from
> > floppy, cdrom, etc. Often when confronted about how they are able to do
> > tasks that only administrators can do they act stupid rather than admit they
> > hacked the computer. --- Steve
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
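
The Advanced-view check described in the reply above can also be done from a script. The PowerShell below is an added example, not part of the original thread; the function name `Find-HiddenAclControl` and the list of trusted principals (English account names) are assumptions.

```powershell
# Added example. Lists Allow ACEs on a path that let a non-administrative principal
# rewrite the DACL (ChangePermissions = WRITE_DAC) or take ownership
# (TakeOwnership = WRITE_OWNER), and what the basic permissions view would show.
function Find-HiddenAclControl {
    param(
        [string]$Path = "$env:SystemDrive\",
        # Assumption: principals expected to hold these rights (English names).
        [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                               'CREATOR OWNER')
    )
    $R          = [System.Security.AccessControl.FileSystemRights]
    $writeDac   = [int]$R::ChangePermissions   # 0x40000
    $writeOwner = [int]$R::TakeOwnership       # 0x80000
    $genericAll = 0x10000000                   # GENERIC_ALL, seen on inherit-only ACEs
    # Levels offered as checkboxes in the basic view, most permissive first.
    $levels = $R::FullControl, $R::Modify, $R::ReadAndExecute, $R::Read, $R::Write

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }

        $mask = [int]$ace.FileSystemRights
        $all  = ($mask -band $genericAll) -ne 0
        $dac  = $all -or (($mask -band $writeDac) -ne 0)
        $own  = $all -or (($mask -band $writeOwner) -ne 0)
        if (-not ($dac -or $own)) { continue }

        # Largest basic level fully contained in the mask; rights beyond it are
        # visible only as "Special" in the Advanced view.
        $shown = $levels |
            Where-Object { ($mask -band [int]$_) -eq [int]$_ } |
            Select-Object -First 1

        [pscustomobject]@{
            Identity             = $ace.IdentityReference.Value
            BasicViewShows       = if ($null -ne $shown) { "$shown" } else { 'Special only' }
            CanChangePermissions = $dac
            CanTakeOwnership     = $own
            Inherited            = $ace.IsInherited
        }
    }
}

# Check the root of the system drive, as in the scenario discussed in the thread.
Find-HiddenAclControl -Path "$env:SystemDrive\" | Format-Table -AutoSize
```

A row whose `BasicViewShows` value is anything other than `FullControl` is the case described in the reply: the grant looks like an ordinary Read or Modify while still carrying the right to change permissions or take ownership.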

