Solved

Term Server Search is bypassing security

Posted on 2014-01-05
Last Modified: 2014-01-13
We have a terminal server running Windows 2008 with an AD. One of the users just pointed out that a user ID with very restricted access is able to look at their Search - Recently Changed Files, which is provided as a default link to the users, and it shows all files from all users that have changed on the system. Double-clicking on a file opens it up and thus bypasses the security in place on the system. This is a major loophole and we need to get it closed up or shut down, either or.

Any suggestions as to how to approach this and correct it as quickly as possible?

Dallas
Question by:dstewart83161
6 Comments
 
LVL 18

Expert Comment

by:Netflo
ID: 39757973
Implement NTFS security on your file store locations or if there is no file server, then ensure that the 'restricted user' does not have local admin rights on the Terminal Server, which appears to be the case.
0
 

Author Comment

by:dstewart83161
ID: 39758271
The term server is also an AD so NTFS security is already on by default.  The user IDs have only two groups they are a member of:  VPN access group and Guest group...that's it.  No local admin rights.
0
 
LVL 18

Assisted Solution

by:Netflo
Netflo earned 250 total points
ID: 39758776
If the TS is also your AD server, first of all, this is not recommended.

Have you had a look at the file in question and checked effective permissions? Looks to me that NTFS security is not bolted down correctly on a file level and you may be relying on share level security.
0
 
LVL 54

Accepted Solution

by:McKnife
McKnife earned 250 total points
ID: 39760556
Hi.

I bet there's not much magic involved. Make sure that you did not overlook something like him being a member of groups that are nested in the local administrators group or even nested in domain admins.

Being a TS does not induce anything like this.
0
 

Author Closing Comment

by:dstewart83161
ID: 39775660
I fully understand the TermServer is not recommended as an AD as well.  I didn't create the environment, just inherited it.  In many SMBs though, this kind of stuff is required for them to keep costs down.  RAS is not recommended on an AD either, yet Microsoft delivers an all-in-one solution with its SBS environments that does this very thing.

What I did discover was that the yahoo...uh...prior technician handed out the Remote Desktop Users group to give out file permissions instead of just what it was intended for.  Once I removed it and dealt with some other user permissions fallout from that issue, the problem was corrected.  Thanks so much for weighing in.
0
 
LVL 18

Expert Comment

by:Netflo
ID: 39776310
Glad to hear you're up and running. Just to note, SBS is a very different type of machine, which is supported by MS; that's the difference.
0
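
The root cause found in this thread (file permissions granted through the Remote Desktop Users group) can be audited with a script like the following, which is an added example and not code from any poster. It assumes Windows PowerShell 3.0 or later; the `$Root` default is a hypothetical path to replace with the file store being checked.

```powershell
# Added example: list NTFS "Allow" entries that were set explicitly for the
# built-in Remote Desktop Users group, i.e. the places where the group was
# used to hand out file access instead of only the right to log on over RDP.
param(
    # Hypothetical default; point this at the folder tree to audit.
    [string]$Root = 'D:\Data'
)

# Well-known SID of BUILTIN\Remote Desktop Users. Matching on the SID avoids
# problems with localized or renamed group names.
$rdpUsersSid = 'S-1-5-32-555'
$sidType     = [System.Security.Principal.SecurityIdentifier]

# Stream the root folder itself, then everything beneath it.
& {
    Get-Item -LiteralPath $Root -Force
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue
} | ForEach-Object {
    $item = $_
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
    } catch {
        # Unreadable ACLs are reported on the warning stream, then skipped.
        Write-Warning "Cannot read ACL: $($item.FullName)"
        return
    }

    # Explicit entries only ($true, $false): these mark where the grant was
    # actually placed. Inherited copies below that point are left out.
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $rdpUsersSid) {
            [pscustomobject]@{
                Path        = $item.FullName
                Rights      = $ace.FileSystemRights
                Inheritance = $ace.InheritanceFlags   # how far the grant flows down
                Owner       = $acl.Owner
            }
        }
    }
}
```

Each row is a folder or file where the group was granted access directly; an `Inheritance` value of `ContainerInherit, ObjectInherit` means everything below that path is exposed to every member of the group.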


Question has a verified solution.
