Re: users can access and view shares that they shouldn't be able to. HELP!
- From: "Lanwench [MVP - Exchange]" <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 17 May 2007 10:02:08 -0400
James H-B <jbroomfield1@xxxxxxxxx> wrote:
> Dear all,
> I have set up a new file server as part of our migration from SBS2003
> to a medium sized network. The problem is that this morning I realised
> that I could access even the most sensitive shares on the server when
> logged in as a local admin on an XP client.

Make sure your domain admin credentials are different from your local admin
credentials on all workstations.
You cannot access anything on a network resource unless you provide
credentials, but if the two match, they will work as a passthrough.
You can use a simple batch file startup script to reset your workstation
admin account passwords....

net user administrator Passwordblahblahblah123

Do not grant any users local admin rights, and make sure they don't have the
local admin password. Nor should they have the domain admin one, of course -
I'd manually reset that, too, if I were you.

> This is a major problem. At first I thought I must have missed
> something fundamental such as accidentally leaving everyone in the
> NTFS permissions but the more I looked at it the less I understood it.
> I have set the share permissions so that everyone has full access to
> the shares.

That's fine. I also like to make shares hidden from browsing - so instead of
\\server\sharedfolder, I use \\server\sharedfolder$

> Then I have set the NTFS permissions on the shares so that
> only the relevant security group has full control and no one else
> (apart from SYSTEM and admins).

Good.

> The most puzzling thing about this is that for most of the shares I
> used the Microsoft File Server Migration Wizard to move the shares -
> so in theory it should've copied the files then migrated the
> permissions identically.

It isn't a permissions issue, really, if I'm correct in my assumption
above....

> I also notice that if I try to access our sbs2002 server from an XP
> client from the run dialogue by typing \\sbs01 - it immediately
> requests authentication before showing me the shares.

You mean, while logged in as a local user account?

> On the new file
> server (running Windows Server 2003 R2) it just opens a window and
> shows all the shares!

So - you mean, from a new server, logged in as what account? And connecting
across the network to your SBS box?

> This is a serious problem and I have had to disable the sensitive
> shares until I have a solution.
> Please can someone point out where I am being incredibly stupid or if
> not explain how I can rectify this dire state of affairs.
> Thanks very much in advance for any help.
> James Broomfield
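
The pass-through behaviour described in the reply above, as a simplified model added here as an example (it is not part of the original thread). The account names, passwords and the Finance and Sales groups are constructed, and real Windows authentication compares password hashes in a challenge-response exchange rather than plaintext strings.

```python
import hmac

# Constructed accounts the file server will accept. The workstation's local
# "administrator" account happens to use the same password as the first entry.
SERVER_ACCOUNTS = {
    "administrator": {"password": "SamePassword1",
                      "groups": {"Administrators", "Everyone"}},
    "jsmith": {"password": "UserPassword1", "groups": {"Sales", "Everyone"}},
}

# Permissions as the post describes them: the share is open to everyone,
# NTFS is limited to one security group plus SYSTEM and admins.
SHARE_ACL = {"Everyone": "full"}
NTFS_ACL = {"Finance": "full", "SYSTEM": "full", "Administrators": "full"}

LEVELS = {"none": 0, "read": 1, "full": 2}
NAMES = {value: name for name, value in LEVELS.items()}


def authenticate(username, password, accounts=SERVER_ACCOUNTS):
    """Model the silent first attempt made with the client's logon credentials."""
    account = accounts.get(username.lower())
    if account and hmac.compare_digest(account["password"], password):
        return account["groups"]
    return None  # no match: the server would ask for credentials instead


def granted(acl, groups):
    """Highest level any of the caller's groups receives from one ACL."""
    return max((LEVELS[acl[g]] for g in groups if g in acl), default=0)


def effective_access(username, password, accounts=SERVER_ACCOUNTS):
    """Return 'prompt', or the more restrictive of share and NTFS access."""
    groups = authenticate(username, password, accounts)
    if groups is None:
        return "prompt"
    return NAMES[min(granted(SHARE_ACL, groups), granted(NTFS_ACL, groups))]


if __name__ == "__main__":
    # Matching name and password: treated as the server-side administrator.
    print(effective_access("Administrator", "SamePassword1"))
    # Same name, different password: no pass-through, credentials requested.
    print(effective_access("Administrator", "DifferentLocal9"))
    # Ordinary user outside the permitted group: stopped by NTFS.
    print(effective_access("jsmith", "UserPassword1"))
```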