Re: R2 Anonymous Security Issue

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

On Feb 18, 3:13 pm, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
Hello confuse...@xxxxxxxxx,

Please post the share permissions you set and also the security/NTFS rights
from the shared folder.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm

I installed a 2003 R2 file server. I setup some folders and applied
NTFS security permissions to them. I tested using a test domain logon
w/ no rights to make sure that the standard user couldn't access the
secured folders. Everything worked as expected.

Jump forward a couple of weeks and I have discovered that if you are
not logged into the domain - you can access the server with more
rights than a standard user. For example - you can access the
administrative shares, you can access folders that have NTFS security
applied, etc. At first I thought it was a share rights issue, but you
can't even edit the share rights for the admin shares. After doing
some digging I discovered that if the R2 server's local administrator
account was given rights to the folder - anonymous users also had
rights to the folder, but domain users did not.

How/why is R2 assigning anonymous logons local administrator
permissions? I have corrected the problem by removing the local admin
account but this should not be doing what it is doing. Where do I
start?

The root of the drive has
local admin - Full
Domain Admins - Full
Everyone - Read
and default admin share permissions

D:\Shared has the same NTFS permissions and is also shared w/ Everyone
= Full Share. The setting for anonymous to use everyone is still at
the 2003 default of disabled.

D:\Shared\Accounting has
no share
local admin = full
domain admins = full
accounting = Modify

D:\shared\HR has
no share
local admin = full
domain admins = full
accounting = Modify

D:\shared\Public has
no share
local admin = full
domain admins = full
Everyone = Full

There are other folders but the structure is similar. The same thing
happens if I connect to the shared share.
.

Relevant Pages

  • Re: Ensure Directory is writable for All Users
    ... This grants admins all permissions, and most permissions to everyone else. ... CSIDL_COMMON_DOCUMENTS is not the correct folder, because my files are configuration files and should not be visible to the user. ... only users with admin rights can modify files in this folder. ... Tell the customer never to install this program into "Program Files". ...
    (microsoft.public.vc.mfc)
  • Re: NTFS - Restrict file deletion
    ... NTFS permissions are XP standard. ... File is in folder. ... the Admin from deleting a file or folder. ... check on "Inherit from Parent...", click Apply, click ...
    (microsoft.public.windowsxp.general)
  • Re: Word mail merge data source
    ... we still did not get it working using UNC. ... Word on it) then there may be a problem if the folder containing the data ... but just because a user has full admin rights does not necessarily ... superset of other users' permissions - for example, ...
    (microsoft.public.word.vba.general)
  • Re: Word mail merge data source
    ... Word on it) then there may be a problem if the folder containing the data ... Word builds a connection string. ... but just because a user has full admin rights does not necessarily ... superset of other users' permissions - for example, ...
    (microsoft.public.word.vba.general)
  • RE: Share permissions question
    ... Thanks for your prompt reply and valuable info David. ... Ex boyfriend b/c he set up computer obv knows my admin rights number. ... there are application folders that require special permissions such as ... With the Advanced Security Settings Permissions (Traverse folder, ...
    (microsoft.public.windows.server.general)