Solved

Term Server Search is bypassing security

Posted on 2014-01-05
Last Modified: 2014-01-13
We have a terminal server running Windows 2008 with an AD.  One of the users just pointed out that a user ID with very restricted access is able to look at their Search - Recently Changed Files which is provided as a default link to the users, and it shows all files from all users that have changed on the system.  Double clicking on a file opens it up and thus bypasses the security in place on the system.  This is a major loophole and we need to get it closed up or shut down, either or.

Any suggestions as to how to approach this and correct it as quickly as possible?

Dallas
Question by:dstewart83161
6 Comments
 
LVL 18

Expert Comment

by:Netflo
ID: 39757973
Implement NTFS security on your file store locations or if there is no file server, then ensure that the 'restricted user' does not have local admin rights on the Terminal Server, which appears to be the case.
0
 

Author Comment

by:dstewart83161
ID: 39758271
The term server is also an AD so NTFS security is already on by default.  The user IDs have only two groups they are a member of:  VPN access group and Guest group...that's it.  No local admin rights.
0
 
LVL 18

Assisted Solution

by:Netflo
Netflo earned 250 total points
ID: 39758776
If the TS is also your AD server, this is not recommended, first of all.

Have you had a look at the file in question and checked effective permissions? Looks to me that NTFS security is not bolted down correctly on a file level and you may be relying on share level security.
0
 
LVL 54

Accepted Solution

by:
McKnife earned 250 total points
ID: 39760556
Hi.

I bet there's not much magic involved. Make sure that you did not overlook something like him being a member of groups that are nested in the local administrators group or even nested in domain admins.

Being a TS does not induce anything like this.
0
 

Author Closing Comment

by:dstewart83161
ID: 39775660
I fully understand the TermServer is not recommended as an AD as well.  I didn't create the environment, just inherited it.  In many SMBs though, this kind of stuff is required for them to keep costs down.  RAS is not recommended on an AD either, yet Microsoft delivers an all-in-one solution with its SBS environments that does this very thing.

What I did discover was that the yahoo...uh...prior technician handed out the Remote Desktop Users group to give out file permissions instead of just what it was intended for.  Once I removed it and dealt with some other user permissions fallout from that issue, the problem was corrected.  Thanks so much for weighing in.
0
 
LVL 18

Expert Comment

by:Netflo
ID: 39776310
Glad to hear you're up and running. Just to note SBS is a very different type of machine, which is supported by MS, that's the difference.
0
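
An audit for the misconfiguration described in the closing comment, as an added example that is not part of the original thread: it lists NTFS allow entries granted directly to the Remote Desktop Users group under a folder tree. The function name `Find-GroupAce` and the path `D:\Shares` are hypothetical; S-1-5-32-555 is the well-known SID of BUILTIN\Remote Desktop Users, and `Get-Acl -LiteralPath` assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): find files and folders whose NTFS ACL
# grants access to a group that was only meant to confer logon rights.
# Assumption: S-1-5-32-555 = BUILTIN\Remote Desktop Users (well-known SID),
# matched by SID so the check works regardless of OS display language.
function Find-GroupAce {
    param(
        [Parameter(Mandatory = $true)][string]$Root,      # folder tree to audit
        [string]$GroupSid = 'S-1-5-32-555',               # group to look for
        [switch]$IncludeInherited                         # also list inherited ACEs
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Audit the root itself plus everything below it, including hidden items.
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            # An unreadable ACL is itself worth a look, so report it.
            Write-Warning "Cannot read ACL: $($item.FullName)"
            continue
        }
        # Explicit ACEs always; inherited ones only on request. Explicit entries
        # show where the grant was actually made, which is the place to fix it.
        $rules = $acl.GetAccessRules($true, $IncludeInherited.IsPresent, $sidType)
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -eq $GroupSid -and
                $rule.AccessControlType -eq 'Allow') {
                New-Object PSObject -Property @{
                    Path      = $item.FullName
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Hypothetical path: point this at the folders that hold user data.
Find-GroupAce -Root 'D:\Shares' |
    Sort-Object Path |
    Format-Table Path, Rights, Inherited -AutoSize
```

Run it from an elevated session so that folders the auditing account cannot normally read do not show up only as warnings.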
