A Domain User able to access "Secure" Folders


We need your help in resolving a security issue.  We have discovered that a new user on a client's Windows network can access what were thought to be secure directories accessible only by members of an upper management security group.  The new user seems to be an ordinary domain user, but can freely roam through personnel and confidential management folders.  We are asking for help in determining:

   1) what happened to make this situation possible,
   2) what we can do to rectify it, and
   3) how we can avoid this in the future.

Additional Information

The folders in question reside on a Windows Server 2000 Standard Edition which serves as a domain controller and file server for user directories.  It also provides DHCP and DNS services for a network of around 100 users.  It is protected by up-to-date antivirus software, a Cisco PIX firewall filters Internet access, and it has all current Microsoft security updates installed.

The user's desktop runs WinXP SP1 with up-to-date antivirus protection.  The user is a member of the Domain Users security group and no other.

We do not know how this user account obtained privileges to access these secure directories, nor can we find any evidence anywhere to indicate that such privileges should exist.  The user account was created as a member of the Domain Users group and seems to be a member of that and only that security group, yet it permits one to freely roam through human resource files and confidential management folders.  The secured (?) directories were presumed to be accessible only by members of the domain security group and domain administrators.  We are not aware of any other domain user accounts which can access these directories.  We cannot find any evidence that such privileges should exist for this user account or that any security settings have been changed.

We would appreciate your thoughts on what to do here.  We are considering removing the user's entry from the domain and re-creating it and/or explicitly denying this user access to the sensitive folders, but neither of these solutions helps us understand why this might have happened or how to avoid it in the future.
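The first thing to establish is what the folders' NTFS ACLs actually grant, and to whom, rather than what they were believed to grant. The following PowerShell script is an added example, not part of the original question or its answers; it assumes placeholder folder paths and group names (replace them with the real ones) and a modern admin workstation from which the file server's volumes are reachable. It lists every Allow ACE whose principal is not on an allow-list, notes whether the ACE is inherited from a parent, and walks the subfolders for explicitly set (non-inherited) ACEs, which is where an unexpected grant on a single subfolder would otherwise hide.

```powershell
# Added example: audit the ACLs on the "secure" folders for unexpected grants.
# All paths and principal names below are placeholders for the real environment.
$SecureFolders = @('\\FILESERVER\D$\Shares\HR', '\\FILESERVER\D$\Shares\Management')
$AllowedPrincipals = @(
    'CONTOSO\Domain Admins',        # placeholder domain and group names
    'CONTOSO\Upper Management',
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM'
)

function Get-UnexpectedAces {
    # Return every Allow ACE on $Path whose principal is not in $Allowed.
    param([string]$Path, [string[]]$Allowed)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $identity = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $Allowed -notcontains $identity) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited      # $true means the grant comes from a parent folder
                AppliesTo = $ace.InheritanceFlags
            }
        }
    }
}

function Get-ExplicitAceFolders {
    # Subfolders that carry their own (non-inherited) ACEs; each is a place
    # where someone set permissions by hand and deserves a look.
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $explicit = (Get-Acl $_.FullName).Access | Where-Object { -not $_.IsInherited }
            if ($explicit) {
                foreach ($ace in $explicit) {
                    [pscustomobject]@{
                        Path     = $_.FullName
                        Identity = $ace.IdentityReference.Value
                        Type     = $ace.AccessControlType
                        Rights   = $ace.FileSystemRights
                    }
                }
            }
        }
}

foreach ($folder in $SecureFolders) {
    $acl = Get-Acl -Path $folder
    "{0}: owner={1}, inherits from parent={2}" -f $folder, $acl.Owner, (-not $acl.AreAccessRulesProtected)
    Get-UnexpectedAces -Path $folder -Allowed $AllowedPrincipals | Format-Table -AutoSize
    Get-ExplicitAceFolders -Root $folder | Format-Table -AutoSize
}
```

Two things worth reading off the output: an unexpected ACE with `Inherited = True` means the grant was made on a parent folder (or the volume root) and flowed down, so the fix belongs there, not on the secure folder; and the folder's `Owner` matters, because an owner can always rewrite the ACL regardless of the ACEs. Share-level permissions on the SMB share are a separate layer and should be checked alongside the NTFS ACLs.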

1 Solution
Are the NTFS rights set correctly?
It's possible that the user was renamed in the past from an administrative account?
As stated above, I'd first start by double checking to make sure the NTFS permissions are set up correctly for the directories in question.
You can also check if the user has a SID History attribute (with ADSI editor); but only if the user was moved from another domain.
Otherwise, I have no other explanation (theoretically, this situation can't exist).
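The two ideas raised here (a renamed administrative account, and a SID History attribute) can both be checked on the account object itself. The script below is an added example, not from the original thread; it queries the directory through ADSI/LDAP, which works against a Windows 2000 domain controller where the newer ActiveDirectory module is unavailable, and it assumes the sAMAccountName `jdoe` is a placeholder. It reports the account's SID (a RID of 500 identifies the built-in Administrator account even after renaming), any sIDHistory values, and the tokenGroups attribute, which lists every group SID the DC would place in the user's access token, nested memberships included; memberOf alone does not show nesting, so a Domain Users account that is transitively inside an administrative group looks ordinary until tokenGroups is read.

```powershell
# Added example: report the identity facts that decide what a user can access.
# The account name is a placeholder; run from a domain-joined machine.
function Get-PrincipalIdentityReport {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $searcher = [ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $null = $searcher.PropertiesToLoad.AddRange(
        [string[]]@('distinguishedName', 'objectSid', 'sIDHistory', 'primaryGroupID'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found" }

    # objectSid is returned as a byte array; decode it and pull the RID (last component).
    $sid = New-Object System.Security.Principal.SecurityIdentifier($result.Properties['objectsid'][0], 0)
    $rid = [int](($sid.Value -split '-')[-1])

    # sIDHistory holds SIDs carried over from a migration. ACL checks honour
    # every one of them exactly as if the user were a member of that SID.
    $history = foreach ($bytes in $result.Properties['sidhistory']) {
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }

    # tokenGroups is a constructed attribute, so it must be fetched explicitly.
    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache([string[]]@('tokenGroups'))
    $tokenGroups = foreach ($bytes in $entry.Properties['tokenGroups']) {
        $groupSid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        try   { $groupSid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $groupSid.Value }   # SIDs from another domain may not resolve to a name
    }

    [pscustomobject]@{
        DistinguishedName = $result.Properties['distinguishedname'][0]
        Sid               = $sid.Value
        IsBuiltinAdminRid = ($rid -eq 500)
        PrimaryGroupId    = $result.Properties['primarygroupid'][0]
        SidHistory        = @($history)
        TokenGroups       = @($tokenGroups)
    }
}

Get-PrincipalIdentityReport -SamAccountName 'jdoe' | Format-List
```

Any administrative group, or any SID from a migrated domain, appearing in `TokenGroups` or `SidHistory` would account for access that the folder ACLs appear not to grant to "Domain Users"; comparing that list against the identities in the folders' ACEs closes the loop.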

wdschoon (Author) commented:
Sorry for the delay in getting back on this.  Had a bout with cancer in the intervening months and I really got off task for a while.  The client got involved with other issues because the user in question was a trusted employee and it wasn't until late April that we all got back on task.  We called Microsoft, but the tech demanded $250.00 cash-on-the-barrelhead to even talk ("that's the way we do things," he said) and the client refused the offer.  We did manage to get the tech to admit that they, Microsoft, were quite familiar with the problem.  So, our home grown solution was to create a new user in the domain, then migrate the user's email and favorites list to the new domain user and disable the original domain user at the W2k domain server.  All works just fine now, the user's new domain user name behaves normally--no domain administrator privileges--and the client's managers are happy.  However, we still do not know how the problem was created in the first place.
wdschoon (Author) commented:
Addendum:  We did follow up on each of the user suggestions above, before getting off task, but were unable to resolve the problem.
PAQed with points refunded (500)

Community Support Moderator
