2003 home folder security problem

  • Thread starter Thread starter Dan King
  • Start date Start date
D

Dan King

There seems to be a lack of security in the 2003 version of Active
Directories Users and Computers (ADUC).
When creating a home folder with the 2000 version of ADUC, the home folder
rights given are:
Adminstrators - FULL CONTROL
and
the user FULL CONTROL.

It then makes it so rights are not inherited from the parent folder.
The 2003 version of ADUC gives the same rights, but does NOT prevent the
inheritance of rights.

So a default home folder created by the 2000 ADUC is secure,
and the default home folder created by the 2003 ADUC is NOT secure. Giving
all Domain Users READ access.

The OS that the folder is being created on does not matter, only the ADUC
version used.

Does anyone know of a fix for this, or is having the same experience?
A possible fix is to go to every home folder and uncheck rights inheritance,
but that can be tedious. It seems MS took a step back in security here.

Dan
 
First of all, it does ask you if you want to grant the user full control
permission to the home folder. It does not if you set the folder for
multiple users at a time, but for one user it does.
Second, inheriting permissions is not a security problem. You can configure
permissions on the parent folder where users home folder are created so any
permissions applied to the parent folder (for example, Authenticated Users
or Domain Users-Read) are only applied to the folder itself and not
inherited. Everything is, as usual, in Administrator's hands.

--
Dmitry Korolyov [[email protected]]
MVP: Windows Server - Active Directory


There seems to be a lack of security in the 2003 version of Active
Directories Users and Computers (ADUC).
When creating a home folder with the 2000 version of ADUC, the home folder
rights given are:
Adminstrators - FULL CONTROL
and
the user FULL CONTROL.

It then makes it so rights are not inherited from the parent folder.
The 2003 version of ADUC gives the same rights, but does NOT prevent the
inheritance of rights.

So a default home folder created by the 2000 ADUC is secure,
and the default home folder created by the 2003 ADUC is NOT secure. Giving
all Domain Users READ access.

The OS that the folder is being created on does not matter, only the ADUC
version used.

Does anyone know of a fix for this, or is having the same experience?
A possible fix is to go to every home folder and uncheck rights
inheritance,
but that can be tedious. It seems MS took a step back in security here.

Dan
 
Thanks for the response Dmitry,
When creating a users home folder ADUC does not ask if you want to grant
full rights, unless the folder already exists. In which case, it still does
not prevent inheritance from the parent.

Your second point about applying rights only to the parent folder is a good
one.

It just seems to me that by allowing permissions to be inherited by default
could be a potential security hole. If rights get applied incorrectly at the
parent folder, you could open up access to very private/confidential
information.

Dan
 
Well, in fact for me, cancelling permissions inheritance is what I call a
security fly. With cancelled inheritance, you can forget about permissions
defined at the child level. Then you apply additional (or modify existing)
permissions to the parent container and think that everything is ok. But it
is not, and as a result you may get lots of user complaints, and potential
security problems.

I feel more secure with inherited permissions. They just feel more
consistent this way. And note also that there are very very very rare cases
when a certain security scheme cannot be implemented without cancelling
inheritance at container levels. Both NTFS and AD security models allow you
to manipulate permissions very precisely, and you can do almost everything
with this model - without cancelling inheritance.

--
Dmitry Korolyov [[email protected]]
MVP: Windows Server - Active Directory


Thanks for the response Dmitry,
When creating a users home folder ADUC does not ask if you want to grant
full rights, unless the folder already exists. In which case, it still
does
not prevent inheritance from the parent.

Your second point about applying rights only to the parent folder is a
good
one.

It just seems to me that by allowing permissions to be inherited by
default
could be a potential security hole. If rights get applied incorrectly at
the
parent folder, you could open up access to very private/confidential
information.

Dan
 
Back
Top