Re: Win 2K3 Serv: NETWORK built in account on UNC share grants EVERYONE permissions

From: Roger Abell (
Date: 05/18/04

Date: Tue, 18 May 2004 00:07:27 -0700

That added info does help, and clear up a few things.

The one "big" new wrinkle is that IIS will have its content
over an Unc. This is something I have now worked with
relative to FPSE, and also a place where I could easily
see FPSE wanting to use Network grants as this would
free it from issues of domain vs machine local accounts.

Without the Unc involved, in my experience, if the root
web of the site is either defined for anonymous access,
or has a Browse grant to a custom group that will have
as members all principals that will have rights to the content
of any web in that site, FPSE does not change the NTFS
settings of the root web just when a new web is defined.
It will place its loose NTFS permissions on the new, but
it will not touch the parent (at least not when health checking
is set to not be done in the FPSE admin pages for the site,
which is the config I have always had to use.)
That you are apparently seeing differenntly is due to the UNC
(?). If you look at the permissions on the _vti dirs at the root
and in each web you will find that Network/Interactive are
granted modify on a few of these. These grants are not essential,
but grants on specific contained files that these provide are.
The services.* in all webs, and the *.log in the root web are
what come to mind at the moment. When I get to the site I can
check the template generator and let you know more specifically
the touch points.

You can set the base folder of a new web to not inherit NTFS
permissions (of course, making sure everything desired is then
explicitly set). This will prevent FPSE's changes to the parent
from upsetting all child permissioning.

I will have to find a FPSE2000 W2k server to check what reg
key it is that the switch in the IIS UI sets when one changes it
to manual management of permissions, in order to get a start on
what reg setting FPSE2002 _might_ be paying attention to.
What I can say is that most of what you are dealing with is not
to be found in KB articles, as at one point I believe I read every
one on the matter; was subsequently involved in instigating some
new info to be formalized, and learned that at that time there was
very little interest or resource to go further down that road (FPSE
being a "depricated" approach to the matter, i.e. there is no FPSE03)

Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Matt G." <> wrote in message
> Roger -
> Thanks for the information.
> Perhaps some more detail on our architecture will shed some more light
> on the problem, and what might be the best way to proceed.
> The plan is to a main UNC share to hold our web content... so, we have
> one share, and a set of subfolders under the share - each subfolder
> will act as the root of virtual webs.  However, only some of the webs
> require the front page extensions.  Most of these sites are legacy
> webs on our Intranet with mostly non-technical support that use the
> FPSE and Front Page to take care of very simple web site
> maintenance... anyhow, when I extend one web, it appears that the
> NETWORK\INTERACTIVE is applied to ALL subfolders within the share, not
> only the root for the web that is extended.   This opens up access to
> everyone on every web site under the share (basically everyone can
> read the code if they want to - not so bad for anon sites, but VERY
> bad for sites that must be secure and limited to a specific set of
> users.)
> Anyhow, we manage well over 100 webs, and to have a custom group for
> every web would be difficult to support, and not optimal.   I'd rather
> do a one time setup of specific permissions in the '6 places' and
> disable FPSE's altering of permissions altogether.
> Yes, we are on Win2K3, IIS6, and FPSE 2002.  I believe these are the
> extensions that come as part of the sharepoint team services.
> Thanks very much for your help.
> -Matt
> "Roger Abell [MVP]" <> wrote in message
> > Hi Matt,
> >
> > To x-post, when appropriate just list the multiple newsgroups on
> > the line of NGs you are sending the one post to, so we all end up
> > with a single thread.
> >
> > What I would recommend is that you first examine whether you
> > do really need that share with the FrontPage Server Extensions.
> > If so, you have said this is W2k3 server, so I assume your FPSE
> > is version 2002.  That is too bad from point of view that the nice
> > switch in the IIS mgmt UI is only there for the version 2000
> > server extensions.
> >
> > Here is what is up.  Network is as we said a placeholder.
> > FPSE knows that it needs to grant permissions to "some account".
> > There are places where you can guide the FPSE to use a specific
> > custiom group instead of Network, but it will still grant some dirs
> > write for the Network and the Interactive principals no matter
> > what you do (if you let it manage perrmissions).
> >
> > So, the first thing to do is to decide if you really need to use
> > this on tha share.
> > If so, then define a custom group in which all the accounts
> > that should be able to modify the share have been added,
> > and then use the Sharepoint administrations web to view
> > and take control of the roles being granted on that share.
> > You likely will first need to set it to use unique perrmissions
> > rather than inheriting those of its parent, and then use the
> > Users page to grant only what is desired, likely advance
> > authoring, to the custom group, perhaps browse to some
> > other custom group, and admin to Administrators (or as
> > desired - but with that role they can change what you are
> > now doing and also define new accounts on the machine).
> >
> > With those settings, Network/Interactive should get cut
> > back.  If they still show up with read/list it is because you
> > still have FPSE thinking that anonymous access is to be
> > allowed.  After all of this, there will still be write grants to
> > these principals down in a few spots in the _vti folders
> > but those folders are masked from the view of the users
> > (not that that actually means they cannot make use of
> > the write grant mind you).
> >
> > If that does not work for you post back, noting what is
> > the version of FPSE (2002 vanilla, 2002 team) and I can
> > try to hunt up what is the reg key to disable all FPSE altering
> > of NTFS perms.  But keep in mind, shutting this off means
> > you would need to set different ACLs in about 6 or so spots
> > in order to the FPSE to work.
> >
> > BTW make sure you have visited Office Update in order
> > to get the patches on the FPSE.
> > -- 
> > Roger Abell
> > Microsoft MVP (Windows Server System: Security)
> > MCDBA,  MCSE W2k3+W2k+Nt4
> > "Matt G." <> wrote in message
> >
> > > Sorry, I am a newbie to this - will 'cross post' next time.
> > > How do you disable FPSE's automatic management of the NTFS?  And if I
> > > do this, will FPSE break?  I feel like it needs the NETWORK account to
> > > perform regular functionality.
> > >
> > > "Roger Abell" <> wrote in message
> > > news:<OwMyMSsOEHA.2876@TK2MSFTNGP09.phx.gbl>...
> > >> Not knowing where Joe replied, or if the last part of this is
> > >> there mentioned . . .   (all of which would not be an issue if
> > >> you had cross-posted instead of multi-posted)
> > >>
> > >> "Network" stands for any account that has authenticated with
> > >> log on over the network right.
> > >> You need to disable FPSE's automatic management of the
> > >> NTFS permissions.  One way to do that is in the IIS UI.
> > >>
> > >> -- 
> > >> Roger Abell
> > >> Microsoft MVP (Windows Server System: Security)
> > >> MCSE (W2k3,W2k,Nt4)  MCDBA
> > >> "Matt G." <> wrote in message
> > >>
> > >> > I am noticing the strangest behavior on my Win2K3 server -
> > >> > I configured a share - granted EVERYONE full control share access
> > >> > recommended - limit access via NTFS).
> > >> > Limited the NTFS permissions to 'Administrators-Full',
> > >> > and Network 'Read,Execute'.
> > >> >
> > >> > Even with these seemingly limited permissions, I can access the
> > >> > with a non-admin domain user - this obviously doesn't make sense
> > >> > the user isn't in the admin group.  I deleted the 'Network' built
> > >> > account, and access was denied.  If Ireapply the NETWORK account,
> > >> > access is granted.  The level of access for the non-domain account
> > >> > mimics the access level granted to the built in Network accout on
> > >> > share.
> > >> >
> > >> > The reason this is a problem is because we are trying to use Front
> > >> > Page Server Extensions on this share... FPSE automatically adds the
> > >> > NETWORK user to all subwebs, which then apparently grants access to
> > >> > non-admin users, or users who don't explicitly have permissions on
> > >> > share. Very strange, and troubling.  I hope I am just doing
> > >> > stupid....
> > >> >
> > >> > PLease help!!!
> > >> >
> > >> > -Matt