Small security issue

Posted on 2003-03-25
Medium Priority
Last Modified: 2010-04-13
I'm a 20-year-old student and I'm relatively new to network admin (call me a trainee).  I manage a small 10-machine LAN for our training facility; the terminals are running win2kpro and the server is win2kserver.  I have roaming profiles set up, so no data is saved on the clients, and all My Documents drives are mapped to folders on the server.  I also have it set up so that individuals in special groups have permissions to access other mapped drives.

I have a common area which everyone gets mapped (Shared Folders on 'Server' (S:)) so everyone has access to its content.  Within this directory there are sub-directories to which only certain users are privy.  The problem I have is, individuals who aren't allowed access to the folders are able to cut and paste it into their own directory, thus giving themselves ownership of the folder.  Though the folder is not removed (and though its contents are copied to their own directory) they now have ownership and full control over the original file.  In a nutshell, somehow one of our clients is obtaining ownership and full control over a file that he shouldn't even have access to.  I know, it sounds far-fetched, but I saw it with my own eyes.  I created a graphic so you can kind of see what stuff is looking like.  You can find it here http://www.opaquevision.com/scrnshot.gif ... any ideas?
Question by:FlowMotion

Expert Comment

ID: 8206498
Graphic is tough to read, but let me see if I can help you out.  What you really should be looking at is the user's effective rights to the share.  There are also advanced rights that can be set in place of the standard rights.  As an example, if a user has Read, Write, Change and Delete to a folder, he can do exactly what you are stating.

Expert Comment

ID: 8206649
In Active Directory Users and Computers you can assign them a home folder.

S:\  to the \\homefolderserver\share\%username%

%username% is a wildcard that the server uses and can change the folder to the username.  If you use this, it will only open their folders and not the whole share showing their folder with everyone else's.

Also, set the NTFS permissions on the \\homefolderserver\share to read and the \%username% to allow the owner to modify only.  This should prevent them from accessing the other home folders of your users.

Accepted Solution

MSGeek earned 80 total points
ID: 8206762
> " allow the owner to modify only."

If you do this, then there can be no collaboration.  You want to set rights like Traverse Folder, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data and Read Permissions.  That's All!
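
The rights listed in the accepted answer, written as an NTFS access rule and then audited. This is an added example, not part of the thread. It assumes a machine with Windows PowerShell 5 or later (which postdates the Windows 2000 setup in the question); the scratch folder path and the use of `BUILTIN\Users` as the group are placeholders.

```powershell
using namespace System.Security.AccessControl

# Added example. $Path and $Group are placeholders; a scratch folder under
# %TEMP% is used so no real share is modified.
$Path  = Join-Path $env:TEMP 'SharedDemo\Projects'
$Group = 'BUILTIN\Users'   # stand-in for the group that should collaborate
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# The rights listed in the accepted answer, as FileSystemRights flags.
$Allowed = [FileSystemRights]'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, CreateFiles, CreateDirectories, ReadPermissions'

# Rights left out of that list: the ones that let a user remove content,
# rewrite the ACL, or take ownership.
$Risky = [FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Apply to this folder, its subfolders and its files.
$Inherit = [InheritanceFlags]'ContainerInherit, ObjectInherit'

$Acl = Get-Acl -Path $Path
$Acl.SetAccessRuleProtection($true, $false)   # stop inheriting; drop inherited ACEs
$Acl.AddAccessRule([FileSystemAccessRule]::new('BUILTIN\Administrators', 'FullControl', $Inherit, 'None', 'Allow'))
$Acl.AddAccessRule([FileSystemAccessRule]::new($Group, $Allowed, $Inherit, 'None', 'Allow'))
Set-Acl -Path $Path -AclObject $Acl

# Audit. The owner can always change the ACL, so report the owner as well as
# any non-admin Allow entry that still carries one of the risky rights.
$Check = Get-Acl -Path $Path
"Owner: $($Check.Owner)"
$Findings = $Check.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $Risky) -and
    $_.IdentityReference.Value -notmatch 'Administrators$|SYSTEM$'
}
if ($Findings) {
    $Findings | Format-Table IdentityReference, FileSystemRights, IsInherited
} else {
    'No non-admin ACE grants delete, change-permissions or take-ownership.'
}
```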

Expert Comment

ID: 8595675
This question is still open and getting old. If any of the comment(s) above helped you, please accept it as an answer or split the points among whoever helped you in this question. Your attention in finalising this question is very much appreciated. Thanks in advance,


- If you would like to close this question and have your points refunded, please post a question in the community support area on http://www.experts-exchange.com/Community_Support/ giving the address of this question. Thank you


Cleanup Volunteer


Expert Comment

ID: 8602242
FlowMotion.. I believe your question has been answered??  MSGeek.

Author Comment

ID: 9563442
Wow, my apologies for allowing this question to sit for so long, it has completely evaded me.  Thank you for your help, and I'll try to pay better attention to the questions I have floating around.  Again I apologize for not following up.


Expert Comment

ID: 9566102
No prob, thanks FlowMotion.  Glad I could help, MSGeek.

Question has a verified solution.
