Term Server Search is bypassing security

We have a terminal server running windows 2008 with an AD.  One of the users just pointed out that a user ID with very restricted access is able to look at there Search - Recently Changed Files which is provided as a default link to the users, and it shows all files from all users that have changed on the system.  Double clicking on a file opens it up and thus bypasses the security in place on the system.  This is a major loop hole and we need to get it closed up or shut down, either or.

Any suggestions as to how to approach this and correct it as quickly as possible?

Dallas
dstewart83161Asked:
Who is Participating?
 
McKnifeConnect With a Mentor Commented:
Hi.

I bet there's not much magic involved. Make sure that you did not overlook something like him being a member of groups that are nested in the local administrators group or even nested in domain admins.

Being a TS does not induce anything like this.
0
 
NetfloCommented:
Implement NTFS security on your file store locations or if there is no file server, then ensure that the 'restricted user' does not have local admin rights on the Terminal Server, which appears to be the case.
0
 
dstewart83161Author Commented:
The term server is also an AD so NTFS security is already on by default.  The user IDs have only two groups they are a member of:  VPN access group and Guest group...that's it.  No local admin rights.
0
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
NetfloConnect With a Mentor Commented:
If the TS is also your AD server firstly this is not recommended first of all.

Have you had a look at the file in question and checked effective permissions? Looks to me that NTFS security is not bolted down correctly on a file level and you may be relying on share level security.
0
 
dstewart83161Author Commented:
I fully understand the TermServer not recommended as an AD as well.  I didn't create the environment, just inherited it.  In many SMB's though, this kind of stuff is required for them to keep costs down.  RAS is not recommended on an AD either yet Microsoft delivers an all in one solution with its SBS environments that does this very thing.

What I did discover was that the yahoo...uh...prior technician, handed out the Remote Desktop Users group to give out file permissions instead of just what it was intended for.  Once I removed it and dealt with some other user permissions fallout from that issue, the problem was corrected.  Thanks so much for weighing in.
0
 
NetfloCommented:
Glad to hear your up and running. Just to note SBS is a very different type of machine, which is supported by MS, that's the difference.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.