A Domain User able to access "Secure" Folders
Posted on 2004-11-14
We need your help in resolving a security issue. We have discovered that a new user on a client's Windows network can access what were thought to be secure directories accessible only by members of an upper management security group. The new user seems to be an ordinary domain user, but can freely roam through personnel and confidential management folders. We are asking for help in determining:
1) what happened to make this situation possible,
2) what we can do to rectify it, and
3) how we can avoid this in the future.
The folders in question reside on a Windows Server 2000 Standard Edition which serves as a domain controller and file server for user directories. It also provides DHCP and DNS services for a network of around 100 users. It is protected by up-to-date antivirus software, a Cisco PIX firewall filters Internet access, and it has all current Microsoft security updates installed.
The user's desktop runs WinXP SP1 with up-to-date antivirus protection. The user is a member of the Domain Users security group and no other.
We do not know how this user account obtained privileges to access these secure directories, nor can we find any evidence anywhere to indicate that such privileges should exist. The user account was created as a member of the Domain Users group and seems to be a member of that and only that security group, yet it permits one to freely roam through human resource files and confidential management folders. The secured (?) directories were presumed to be accessible only by members of the domain security group and domain administrators. We are not aware of any other domain user accounts which can access these directories. We cannot find any evidence that such privileges should exist for this user account or that any security settings have been changed.
We would appreciate your thoughts on what to do here. We are considering removing the user's entry from the domain and re-creating it and/or explicitly denying this user access to the sensitive folders, but neither of these solutions helps us understand why this might have happened or how to avoid it in the future.
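As an added example, not from the original post, here is a PowerShell audit a defender can run against such a folder tree to answer the first question: it resolves the account's complete (nested) group membership, then lists every Allow entry on the tree that applies to that account, one of its groups, or a broad built-in principal, noting whether each entry is explicit or inherited and who owns the folder. It assumes the RSAT ActiveDirectory module and a modern PowerShell host, neither of which existed in 2004; the share path and account name are placeholders.

```powershell
# Added audit script (not from the original post). Assumes the ActiveDirectory
# module (RSAT). $Root and $User are placeholders to be replaced before running.
param(
    [string]$Root = '\\FILESERVER\Confidential',
    [string]$User = 'jdoe'
)
Import-Module ActiveDirectory

$netbios = (Get-ADDomain).NetBIOSName
$userDn  = (Get-ADUser -Identity $User).DistinguishedName

# Transitive group membership via the LDAP_MATCHING_RULE_IN_CHAIN matching rule,
# so a grant to a group that merely contains one of the user's groups is not missed.
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)" |
          ForEach-Object { "$netbios\$($_.SamAccountName)" }

# Principals that effectively include every domain account. Note that on a domain
# controller BUILTIN\Users contains Domain Users, so a folder left with the default
# "Users" permissions on a DC is readable by every ordinary domain user.
$broad = @('Everyone', 'NT AUTHORITY\Authenticated Users',
           'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE')
$identities = $broad + $groups + "$netbios\$User"

# Walk the root and every subfolder; include the root so inheritance source is visible.
$folders = @(Get-Item -Path $Root) +
           @(Get-ChildItem -Path $Root -Recurse -Directory -Force -ErrorAction SilentlyContinue)

$findings = foreach ($folder in $folders) {
    $acl = Get-Acl -Path $folder.FullName
    # The owner can always rewrite the ACL, so an unexpected owner is itself a finding.
    if ($identities -contains $acl.Owner) {
        [pscustomobject]@{ Folder = $folder.FullName; Principal = $acl.Owner
                           Rights = 'OWNER'; Inherited = $false }
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($identities -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Folder    = $folder.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # False = set directly on this folder
            }
        }
    }
}
$findings | Sort-Object Folder | Format-Table -AutoSize
```

Explicit (non-inherited) entries in the output point at the folder where the permission was actually set; inherited ones trace back to the nearest ancestor that shows an explicit entry for the same principal.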