Surprise – I still have access!

Here’s an interesting report that crossed my transom today.

An administrator of a domain-joined machine created a share, and wanted to make sure that it could only be reached by the administrators and local accounts on the machine (service accounts, basically).

So, he created the share, and edited its permissions – removed “Everyone”, added “Administrators” and “Users”; clicked OK and went away.

Domain users still had access to the share – and this somewhat worried the administrator. But, after some time considering, he thought he had the answer, and removed “MyDomain\Domain Users” from the local “Users” group; clicked OK and went away.

Surprise – domain users still have access to the share.

Before I give away the secret of how, can you see it for yourselves?

5 Responses to Surprise – I still have access!

  • alunj says:

    No takers? There’s no trick, it’s just a “did you expect that” kind of thing. Just to remind you all that when you take what you believe is a protective action, it’s a good idea to verify that you have completely protected yourselves.

  • Al says:

    Alun,

    Do you know the reason behind this? I just recreated the scenario, but took it a step further and removed all groups/users from the Permissions window. I then mapped to the shared folder from two different nodes using two different user objects in AD, and I can still access the share. The only caveat is that both users had Domain Admin privileges. If I have time, I’ll try it with a non-Admin user, but I suspect that it will yield the same results. So, what’s the reason behind this?

    Many thanks,

    Al

  • alunj says:

    For your example, I wonder if this is because all files naturally have Creator/Owner Full Control permissions, in any OS before Vista / Longhorn. Try it from a user who isn’t the owner. I suppose it’s also possible (but I don’t think this is the case) that you caused the file to have a NULL DACL, rather than a present-but-empty DACL. NULL DACLs indicate “everyone full control”.
    My teaser is a little simpler than that.

  • Steve says:

    Thanks for the teaser – this officially promoted you to my “Priority” RSS label :). I haven’t tried this but according to http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccscg/w2kscgcd.mspx definition of Users – “This group provides the user with the necessary rights to operate the computer as an end user, such as running applications and managing files. By default, Windows 2000 adds all new local user accounts to the Users group. When a member server or a computer running Windows 2000 joins a domain, the Domain Users global group, the Authenticated Users special group, and the INTERACTIVE special group are added to the local Users group.”

    With the Authenticated Users group still in the local Users group the act of removing Domain Users from the group had no real effect.

  • alunj says:

    I was beginning to wonder if anyone would get it – Steve wins!
    Unfortunately, we have no prizes here, especially since even my wife figured it out inside of thirty seconds. :)
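The check alunj asks for above, and the mechanism Steve describes, as an added PowerShell example that is not part of the original post or its comments: it lists the Allow entries on a share at both the share and NTFS layers, expands any BUILTIN local group one level, and flags the broad well-known principals (Everyone, Authenticated Users, INTERACTIVE, Domain Users) that quietly let domain accounts through. The share name is a placeholder; it assumes the built-in SmbShare and LocalAccounts modules of Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the post): find out who can really reach a share.
function Get-ShareEffectivePrincipals {
    param([Parameter(Mandatory)][string]$ShareName)

    # Principals that, directly or via nesting, admit any domain account
    $broad = @('Everyone', 'NT AUTHORITY\Authenticated Users',
               'NT AUTHORITY\INTERACTIVE')
    $path  = (Get-SmbShare -Name $ShareName).Path

    # Allow entries from both layers; effective access is the intersection,
    # so a broad group on either layer is worth looking at.
    $grants = @()
    $grants += Get-SmbShareAccess -Name $ShareName |
        Where-Object AccessControlType -eq 'Allow' |
        ForEach-Object { [pscustomobject]@{ Layer = 'Share'; Identity = $_.AccountName } }
    $grants += (Get-Acl -Path $path).Access |
        Where-Object AccessControlType -eq 'Allow' |
        ForEach-Object { [pscustomobject]@{ Layer = 'NTFS'; Identity = $_.IdentityReference.Value } }

    foreach ($g in $grants) {
        $members = @()
        if ($g.Identity -like 'BUILTIN\*') {
            # Expand the local group one level: this is where
            # NT AUTHORITY\Authenticated Users shows up inside BUILTIN\Users
            $groupName = $g.Identity -replace '^BUILTIN\\', ''
            $members = Get-LocalGroupMember -Group $groupName -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty Name
        }
        $leak = @($members + $g.Identity) | Where-Object {
            $broad -contains $_ -or $_ -like '*\Domain Users' }
        [pscustomobject]@{
            Layer           = $g.Layer
            Identity        = $g.Identity
            Members         = ($members -join ', ')
            DomainReachable = [bool]$leak
        }
    }
}

# 'ExampleShare' is a placeholder share name
Get-ShareEffectivePrincipals -ShareName 'ExampleShare' | Format-Table -AutoSize
```

A row with DomainReachable set to True on either layer means removing Domain Users alone did not close the door; re-run after any change to confirm the fix actually took.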
