Small security issue

Posted on 2003-03-25
Medium Priority
Last Modified: 2010-04-13
I'm a 20 year old student and I'm relatively new to network admin (call me a trainee).  I manage a small 10 machine LAN for our training facility, the terminals are running Win2kPro and the server is Win2kServer.  I have roaming profiles set up, so no data is saved on the clients, so that all My Documents drives are mapped to folders on the server.  I also have it set up so that individuals in special groups have permissions to access other mapped drives.

I have a common area which everyone gets mapped (Shared Folders on 'Server' (S:)) so everyone has access to its content.  Within this directory there are sub-directories that only certain users are privy to.  The problem I have is, individuals who aren't allowed access to the folders are able to cut and paste them into their own directory, thus giving themselves ownership of the folder.  Though the folder is not removed (and though its contents are copied to their own directory) they now have ownership and full control over the original file.  In a nutshell, somehow one of our clients is obtaining ownership and full control over a file that he shouldn't even have access to.  I know, it sounds far fetched, but I saw it with my own eyes.  I created a graphic so you can kind of see what stuff is looking like.  You can find it here http://www.opaquevision.com/scrnshot.gif ... any ideas?
Question by:FlowMotion
Expert Comment

ID: 8206498
Graphic is tough to read, but let me see if I can help you out.  What you really should be looking at is the user's effective rights to the share.  There are also advanced rights that can be set in place of the standard rights.  As an example, if a user has Read, Write, Change and Delete to a folder, he can do exactly what you are stating.
LVL 15

Expert Comment

ID: 8206649
In Active Directory Users and Computers you can assign them a home folder.

S:\  to the \\homefolderserver\share\%username%

%username% is a wildcard that the server uses and can change the folder to the username.  If you use this, it will only open their folders and not the whole share showing their folder with everyone else's.

Also, set the NTFS permissions on the \\homefolderserver\share to read and the \%username% to allow the owner to modify only.   This should prevent them from accessing the other home folders of your users.

Accepted Solution

MSGeek earned 80 total points
ID: 8206762
> " allow the owner to modify only."

If you do this, then there can be no collaboration.  You want to set rights like Traverse Folder, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data and Read Permissions.  That's All!
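
Added example, not part of the thread and not any poster's code: one way to apply the rights listed in the accepted answer and to report any ACE on a folder that grants more than that set. It assumes a Windows host with PowerShell 5 or later (the Windows 2000 server in the question predates PowerShell; there the same rights are set in the Security tab's Advanced dialog). The function names and the demo folder are hypothetical.

```powershell
using namespace System.Security.AccessControl

# The seven special permissions from the accepted answer. Delete, Change
# Permissions and Take Ownership are deliberately left out.
$Collab = [FileSystemRights]('Traverse, ListDirectory, ReadAttributes, ' +
    'ReadExtendedAttributes, CreateFiles, CreateDirectories, ReadPermissions')

function Grant-CollabRight {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Identity)
    $rule = [FileSystemAccessRule]::new($Identity, $Collab,
        [InheritanceFlags]'ContainerInherit, ObjectInherit',
        [PropagationFlags]::None, [AccessControlType]::Allow)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRule($rule)   # replaces this identity's explicit Allow ACEs
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-ExcessRight {     # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    # Synchronize is routinely present on Allow ACEs, so it is not counted.
    $mask = [int]$Collab -bor [int][FileSystemRights]::Synchronize
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Bits this ACE grants beyond the collaboration set.
        $extra = [int]$ace.FileSystemRights -band (-bnot $mask)
        if ($extra -ne 0) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Inherited = $ace.IsInherited
                # ToObject keeps generic-rights bits that a plain cast rejects.
                Excess    = [Enum]::ToObject([FileSystemRights], $extra)
            }
        }
    }
}

# Constructed demo: a scratch folder and the current user stand in for the
# shared sub-directory and the collaborating group.
$demo = Join-Path $env:TEMP 'collab-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Grant-CollabRight -Path $demo -Identity $me
Get-ExcessRight -Path $demo | Format-Table -AutoSize
```

Any row in the report marks an ACE that still grants more than the collaboration set, including inherited entries that an explicit grant does not override.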
Expert Comment

ID: 8595675
This question is still open and getting old. If any of the comment(s) above helped you, please accept it as an answer or split the points among whoever helped you in this question. Your attention in finalising this question is very much appreciated. Thanks in advance,


- If you would like to close this question and have your points refunded, please post a question in the community support area on http://www.experts-exchange.com/Community_Support/ giving the address of this question. Thank you


Cleanup Volunteer


Expert Comment

ID: 8602242
FlowMotion.. I believe your question has been answered??  MSGeek.

Author Comment

ID: 9563442
Wow, my apologies for allowing this question to sit for so long, it has completely evaded me.  Thank you for your help, and I'll try to pay better attention to the questions I have floating around.  Again I apologize for not following up.


Expert Comment

ID: 9566102
No prob, thanks FlowMotion.  Glad I could help, MSGeek.
