User bypasses security


Jim Matthews

My setup (partially) a W2K Server (DC) which houses AD, and files, and a
W2K3 Server which houses Exchange and files.

I set up a new user (without admin rights) and he has access to _everything_
on the W2K Server, but is "restricted" normally on the W2K3 server.

He is not a member of any admin group or anything like that. I have checked
and rechecked the permissions on several restricted folders.

He is running XP Pro

I assume that because he is restricted on the W2K3 server that his
"permissions" are correct, but there is something amiss on the one server

Can anyone shed some light on this ?

Many Thanks

JM
 

Steven L Umbach

Define more specifically what you mean by everything with some examples. Can
he logon to the domain controller console? Can he access its security logs
via Event Viewer? --- Steve
 

Jim Matthews

Sorry - he can look at any share and open any file he wishes

For example, I have a folder in which I keep confidential info. The only
share and security permissions on it are me - as Domain Admin and as a user.

He can simply go to Start-->Run and type \\servername and he is shown a list
of all shares. If he clicks on my share, he is given access to it all

I have no idea whether he can log on to the server console

Thanks for your help

JM
 

Steven L Umbach

Jim.

When he is connected to the share go to Computer Management/Shared Folders -
Sessions to see which user he is connected to the folder as, and it should
also show the source computer. Type 3 logon events would also be generated
in the security log of the server for the user accessing the share if
auditing of logon events is enabled. If the user is different than what you
expect then he may be accessing the share with credentials other than his
own. Windows XP can use "stored credentials" [see link below] to access a
server or share, though I have no idea how he would have access to your
credentials unless you logged on as that account one time and configured
stored credentials. Try having that user logon to another computer to see if
he still can gain access. Also double check the user's group membership to
make sure it is what you expect --- Steve

http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prdp_log_vkxx.asp
 

Steven L Umbach

Also keep in mind that if you change group membership of a user that you
must logoff and logon as the user again to update the user's security token
with the correct group membership. The support tool whoami can be used as in
whoami /groups to show the user's group membership for the current security
token. --- Steve
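The two checks Steve describes above (who the server thinks is on the session, and what the type 3 logon events say) can be scripted. The block below is an added example and is not from the thread or from Steve; it assumes a current Windows server with PowerShell (Server 2012 or later, where the successful-logon event is 4624 with a LogonType field). The W2K DC in the thread has no PowerShell and records a successful network logon as Security event 540, so there the same check is done by hand in Event Viewer. The account and host names are placeholders.

```powershell
# Added example (not from the thread): server-side triage of an unexpected share access.
# Assumes Server 2012+ with PowerShell and "Audit logon events" enabled; on W2K/W2K3 the
# equivalent event is 540 (Successful Network Logon) in the Security log.
param(
    [string]$SuspectAccount = 'CONTOSO\jdoe',   # placeholder: the "restricted" user
    [string]$SourceHost     = 'LAPTOP01'        # placeholder: his XP laptop
)

# 1. Who is actually connected, and from which computer?
#    (same data as Computer Management > Shared Folders > Sessions)
Get-SmbSession |
    Select-Object ClientUserName, ClientComputerName, NumOpens, SecondsIdle |
    Format-Table -AutoSize

# 2. Which accounts did the server authenticate for network (type 3) logons from that host
#    in the last 24 hours? Any account other than the suspect's is the "credentials other
#    than his own" case Steve describes.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            LogonType   = $d['LogonType']
            Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Workstation = $d['WorkstationName']
            SourceIP    = $d['IpAddress']
        }
    } |
    Where-Object { $_.LogonType -eq '3' -and $_.Workstation -eq $SourceHost } |
    Where-Object { $_.Account -ne $SuspectAccount } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

If step 2 prints an admin account arriving from the laptop while the user is logged on as himself, the share permissions are doing their job; the laptop is simply presenting someone else's credentials, which is exactly what happened in this thread.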


 

Jim Matthews

Steven - you is da man

We are new to XP - his laptop was "caching" my credentials, used to set it
up

Many Thanks,

JM
 

Steven L Umbach

OK. That one seems to catch a lot of us off guard, though I don't know how
that user got your saved credentials. My guess is that he was a test user
account you were using to see how your access policies worked. --- Steve


 

Guest

I'm pulling this from my foggy memory. I know I fought this fight once -
and lost.

As I understand it:
The issue is that you have W2K as your DC. You need to install the XP Pro
group policy plugins, which are a superset of the W2K ones. Those plugins are
only available from an XP Pro client. W2K clients, including the W2K server,
will ignore the superset plugins, effectively turning them off if you open the
policies from a W2K session. You have to set the policies from an XP Pro
client to make them work.

Alternatively, make your W2003 server become the DC and set your policies
from that.

The better answer is described here:
http://support.microsoft.com/?kbid=307900

hope this helps.

Kim
 

Jim Matthews

I set up his laptop, using a network share for the source files

As I mentioned, we just went to XP - on Windows 2000, if not logging into
the domain, when you reboot you must retype your password to gain access
to persistent shares.

What I have found, with your help, is that XP allows you to "save" the
password over restarts. BUT it saves the username too. Disconnecting the
share does not remove the username/password.

Very interesting

JM
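Jim's finding above (a saved credential outlives the mapped drive it was entered for) is the part worth checking on every machine an admin has set up while logged on as themselves. The block below is an added example, not from the thread; it assumes a client with cmdkey.exe (Vista or later) and a placeholder server name. On the XP Pro laptop in the thread the same store is opened with `rundll32.exe keymgr.dll,KRShowKeyMgr` (Stored User Names and Passwords) and cleaned out by hand.

```powershell
# Added example (not from the thread): audit and remove stored credentials on the client.
# Assumes Vista+ (cmdkey.exe present). The stored credential is what lets a connection to
# $Server go out under a saved account instead of the logged-on user's own token.
param([string]$Server = 'FILESRV01')   # placeholder: the server Jim set the laptop up from

# 1. What is saved for this server? Any entry whose "User:" is an admin account is the
#    problem; "net use ... /delete" alone does not touch these entries.
cmdkey /list | Where-Object { $_ -match 'Target:|User:' }

# 2. Current SMB connections to that server (the visible half of the problem).
$conns = (net use) | Select-String "\\\\$Server\\\S+" | ForEach-Object { $_.Matches[0].Value }
$conns

# 3. Drop those connections, then delete every saved credential whose target names the
#    server, so the next connection is authenticated as the interactive user.
foreach ($c in $conns) { net use $c /delete /y }
$targets = (cmdkey /list) -match "Target: .*$Server" |
    ForEach-Object { ($_ -split 'Target:\s*')[1].Trim() }   # e.g. Domain:target=FILESRV01
foreach ($t in $targets) { cmdkey /delete:$t }

# 4. Confirm what this session's token actually is; a change of group membership only
#    shows up here after a fresh logon, as Steve notes.
whoami /user
whoami /groups | Select-String 'Admins'
```

Run step 1 on any workstation that an administrator built or fixed while logged on as the user: if the admin ever ticked "remember my password" for a server share, that entry is used for every later connection to that server, by whoever sits at the keyboard, until it is deleted.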


 
