FlowMotion


Small security issue

I'm a 20-year-old student and I'm relatively new to network admin (call me a trainee).  I manage a small 10-machine LAN for our training facility; the terminals are running win2kpro and the server is win2kserver.  I have roaming profiles set up, so no data is saved on the clients, and all My Documents drives are mapped to folders on the server.  I also have it set up so that individuals in special groups have permissions to access other mapped drives.

I have a common area which everyone gets mapped (Shared Folders on 'Server' (S:)) so everyone has access to its content.  Within this directory there are sub-directories which only certain users are privy to.  The problem I have is, individuals who aren't allowed access to the folders are able to cut and paste it into their own directory, thus giving themselves ownership of the folder.  Though the folder is not removed (and though its contents are copied to their own directory) they now have ownership and full control over the original file.  In a nutshell, somehow one of our clients is obtaining ownership and full control over a file that he shouldn't even have access to.  I know, it sounds far-fetched, but I saw it with my own eyes.  I created a graphic so you can kind of see what stuff is looking like.  You can find it here http://www.opaquevision.com/scrnshot.gif ... any ideas?
MSGeek

Graphic is tough to read, but let me see if I can help you out.  What you really should be looking at is the user's effective rights to the share.  There are also advanced rights that can be set in place of the standard rights.  As an example, if a user has Read, Write, Change and Delete to a folder, he can do exactly what you are stating.
In Active Directory Users and Computers you can assign them a home folder.

S:\  to the \\homefolderserver\share\%username%

%username% is a wildcard that the server uses and can change the folder to the username.  If you use this, it will only open their folders and not the whole share showing their folder with everyone else's.

Also, set the NTFS permissions on the \\homefolderserver\share to read and the \%username% to allow the owner to modify only.  This should prevent them from accessing the other home folders of your users.
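
The reply above points at effective rights, and at Delete and the advanced rights in particular. The following is an added example, not code from the thread or from either poster: it lists, for each sub-folder of the common share, any non-trusted owner and any allow entry that carries Delete, Change Permissions or Take Ownership. It assumes PowerShell 3.0 or later run by an administrator; `$Root`, the `$Trusted` list and the function name `Get-RiskyAccess` are placeholders chosen for the example.

```powershell
# Added example, not code from the thread. Assumptions: PowerShell 3.0 or later,
# run by an administrator; $Root and $Trusted are placeholders for this site.
param(
    [string]$Root = 'S:\',
    [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

$fsr = [System.Security.AccessControl.FileSystemRights]
# Rights that let an account move a folder away or rewrite its ACL or owner.
$risky = [int]($fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
               $fsr::ChangePermissions -bor $fsr::TakeOwnership)
$genericAll = 0x10000000   # GENERIC_ALL, stored raw in some inherit-only ACEs

function Get-RiskyAccess {
    param([string]$Path, [string[]]$Trusted)
    $acl = Get-Acl -LiteralPath $Path
    # An owner outside the trusted list can always rewrite the folder's ACL.
    if ($Trusted -notcontains $acl.Owner) {
        [pscustomobject]@{ Folder = $Path; Account = $acl.Owner
                           Finding = 'Owner'; Inherited = $null }
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($Trusted -contains $who) { continue }
        $mask = [int]$ace.FileSystemRights
        $hit  = $mask -band $risky
        if ($hit -eq 0 -and ($mask -band $genericAll) -eq 0) { continue }
        # Report only the risky bits, e.g. "Delete" for a Modify entry.
        $finding = if ($hit) { ($hit -as $fsr).ToString() } else { 'GenericAll' }
        [pscustomobject]@{ Folder = $Path; Account = $who
                           Finding = $finding; Inherited = $ace.IsInherited }
    }
}

Get-ChildItem -LiteralPath $Root -Directory |
    ForEach-Object { Get-RiskyAccess -Path $_.FullName -Trusted $Trusted } |
    Sort-Object Folder, Account |
    Format-Table -AutoSize
```

Rows with `Inherited` set to True come from the parent folder's ACL, so those are corrected on the share root rather than on each sub-folder.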
ASKER CERTIFIED SOLUTION
MSGeek

This question is still open and getting old. If any of the comment(s) above helped you, please accept it as an answer or split the points among whoever helped you in this question. Your attention in finalising this question is very much appreciated. Thanks in advance,

****** PLEASE DO NOT ACCEPT THIS AS AN ANSWER ********

- If you would like to close this question and have your points refunded, please post a question in community support area on https://www.experts-exchange.com/Community_Support/ giving the address of this question. Thank you      

Pasha

Cleanup Volunteer


FlowMotion.. I believe your question has been answered??  MSGeek.

ASKER

Wow, my apologies for allowing this question to sit for so long, it has completely evaded me.  Thank you for your help, and I'll try to pay better attention to the questions I have floating around.  Again I apologize for not following up.

-FlowMotion-
No prob, thanks FlowMotion.  Glad I could help, MSGeek.