Re: Win 2K3 Serv: NETWORK built in account on UNC share grants EVERYONE permissions

From: Matt G.
Date: 05/17/04

    Date: 16 May 2004 19:17:15 -0700

    Roger -
    Thanks for the information.
    Perhaps some more detail on our architecture will shed some more light
    on the problem, and what might be the best way to proceed.

    The plan is to use a main UNC share to hold our web content... so, we have
    one share, and a set of subfolders under the share - each subfolder
    will act as the root of virtual webs. However, only some of the webs
    require the front page extensions. Most of these sites are legacy
    webs on our Intranet with mostly non-technical support that use the
    FPSE and Front Page to take care of very simple web site
    maintenance... anyhow, when I extend one web, it appears that the
    NETWORK\INTERACTIVE is applied to ALL subfolders within the share, not
    only the root for the web that is extended. This opens up access to
    everyone on every web site under the share (basically everyone can
    read the code if they want to - not so bad for anon sites, but VERY
    bad for sites that must be secure and limited to a specific set of

    Anyhow, we manage well over 100 webs, and to have a custom group for
    every web would be difficult to support, and not optimal. I'd rather
    do a one time setup of specific permissions in the '6 places' and
    disable FPSE's altering of permissions altogether.

    Yes, we are on Win2K3, IIS6, and FPSE 2002. I believe these are the
    extensions that come as part of the sharepoint team services.

    Thanks very much for your help.


    "Roger Abell [MVP]" <> wrote in message news:<#jDMIh1OEHA.1276@TK2MSFTNGP11.phx.gbl>...
    > Hi Matt,
    > To x-post, when appropriate just list the multiple newsgroups on
    > the line of NGs you are sending the one post to, so we all end up
    > with a single thread.
    > What I would recommend is that you first examine whether you
    > do really need that share with the FrontPage Server Extensions.
    > If so, you have said this is W2k3 server, so I assume your FPSE
    > is version 2002. That is too bad from point of view that the nice
    > switch in the IIS mgmt UI is only there for the version 2000
    > server extensions.
    > Here is what is up. Network is as we said a placeholder.
    > FPSE knows that it needs to grant permissions to "some account".
    > There are places where you can guide the FPSE to use a specific
    > custom group instead of Network, but it will still grant some dirs
    > write for the Network and the Interactive principals no matter
    > what you do (if you let it manage permissions).
    > So, the first thing to do is to decide if you really need to use
    > this on the share.
    > If so, then define a custom group in which all the accounts
    > that should be able to modify the share have been added,
    > and then use the Sharepoint administrations web to view
    > and take control of the roles being granted on that share.
    > You likely will first need to set it to use unique permissions
    > rather than inheriting those of its parent, and then use the
    > Users page to grant only what is desired, likely advance
    > authoring, to the custom group, perhaps browse to some
    > other custom group, and admin to Administrators (or as
    > desired - but with that role they can change what you are
    > now doing and also define new accounts on the machine).
    > With those settings, Network/Interactive should get cut
    > back. If they still show up with read/list it is because you
    > still have FPSE thinking that anonymous access is to be
    > allowed. After all of this, there will still be write grants to
    > these principals down in a few spots in the _vti folders
    > but those folders are masked from the view of the users
    > (not that that actually means they cannot make use of
    > the write grant mind you).
    > If that does not work for you post back, noting what is
    > the version of FPSE (2002 vanilla, 2002 team) and I can
    > try to hunt up what is the reg key to disable all FPSE altering
    > of NTFS perms. But keep in mind, shutting this off means
    > you would need to set different ACLs in about 6 or so spots
    > in order for the FPSE to work.
    > BTW make sure you have visited Office Update in order
    > to get the patches on the FPSE.
    > --
    > Roger Abell
    > Microsoft MVP (Windows Server System: Security)
    > MCDBA, MCSE W2k3+W2k+Nt4
    > "Matt G." <> wrote in message
    > > Sorry, I am a newbie to this - will 'cross post' next time.
    > > How do you disable FPSE's automatic management of the NTFS? And if I
    > > do this, will FPSE break? I feel like it needs the NETWORK account to
    > > perform regular functionality.
    > >
    > > "Roger Abell" <> wrote in message
    > > news:<OwMyMSsOEHA.2876@TK2MSFTNGP09.phx.gbl>...
    > >> Not knowing where Joe replied, or if the last part of this is
    > >> there mentioned . . . (all of which would not be an issue if
    > >> you had cross-posted instead of multi-posted)
    > >>
    > >> "Network" stands for any account that has authenticated with
    > >> log on over the network right.
    > >> You need to disable FPSE's automatic management of the
    > >> NTFS permissions. One way to do that is in the IIS UI.
    > >>
    > >> --
    > >> Roger Abell
    > >> Microsoft MVP (Windows Server System: Security)
    > >> MCSE (W2k3,W2k,Nt4) MCDBA
    > >> "Matt G." <> wrote in message
    > >>
    > >> > I am noticing the strangest behavior on my Win2K3 server -
    > >> > I configured a share - granted EVERYONE full control share access (as
    > >> > recommended - limit access via NTFS).
    > >> > Limited the NTFS permissions to 'Administrators-Full', System-'Full',
    > >> > and Network 'Read,Execute'.
    > >> >
    > >> > Even with these seemingly limited permissions, I can access the share
    > >> > with a non-admin domain user - this obviously doesn't make sense since
    > >> > the user isn't in the admin group. I deleted the 'Network' built in
    > >> > account, and access was denied. If I reapply the NETWORK account,
    > >> > access is granted. The level of access for the non-domain account
    > >> > mimics the access level granted to the built in Network account on the
    > >> > share.
    > >> >
    > >> > The reason this is a problem is because we are trying to use Front
    > >> > Page Server Extensions on this share... FPSE automatically adds the
    > >> > NETWORK user to all subwebs, which then apparently grants access to
    > >> > non-admin users, or users who don't explicitly have permissions on the
    > >> > share. Very strange, and troubling. I hope I am just doing something
    > >> > stupid....
    > >> >
    > >> > Please help!!!
    > >> >
    > >> > -Matt
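The thread's underlying issue is that NETWORK (S-1-5-2), INTERACTIVE (S-1-5-4) and Everyone (S-1-1-0) are well-known placeholder principals, so an ACE for any of them reaches every authenticated user rather than a specific group. The following audit script is an added example, not code from the thread or from Microsoft: it walks a share root (the path `D:\WebContent` is an assumed placeholder) and lists every directory where one of those principals holds an Allow ACE, flagging whether the grant includes any write right, so the "6 or so spots" and the `_vti` folders Roger mentions can be reviewed after FPSE has touched the tree.

```powershell
# Added audit example (not from the thread): report ACEs granted to the
# well-known NETWORK, INTERACTIVE and Everyone principals under a share root.
# $ShareRoot is an assumed placeholder; point it at the UNC share's local path.
param([string]$ShareRoot = 'D:\WebContent')

# Match on SID rather than display name so localised or renamed accounts still hit.
$broadSids = @{
    'S-1-1-0' = 'Everyone'
    'S-1-5-2' = 'NETWORK'
    'S-1-5-4' = 'INTERACTIVE'
}

# Include the root itself plus every subdirectory (hidden _vti_* folders included).
$dirs = @(Get-Item -Path $ShareRoot) +
        @(Get-ChildItem -Path $ShareRoot -Recurse -Directory -Force)

$findings = foreach ($dir in $dirs) {
    $acl = Get-Acl -Path $dir.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        if (-not $broadSids.ContainsKey($sid)) { continue }

        # Any write component (WriteData, AppendData, attributes, ...) is the
        # grant worth escalating; read/list on web content is the lesser concern.
        $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
        $hasWrite  = (([int]$ace.FileSystemRights) -band $writeMask) -ne 0

        [pscustomobject]@{
            Path      = $dir.FullName
            Principal = $broadSids[$sid]
            Rights    = $ace.FileSystemRights
            Writable  = $hasWrite
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Path | Format-Table -AutoSize
```

Rerun it after extending a web with FPSE and diff the two outputs to see exactly which folders picked up NETWORK/INTERACTIVE grants, rather than inferring it from a test login.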
