?
Solved

Term Server Search is bypassing security

Posted on 2014-01-05
6
Medium Priority
?
237 Views
Last Modified: 2014-01-13
We have a terminal server running windows 2008 with an AD.  One of the users just pointed out that a user ID with very restricted access is able to look at there Search - Recently Changed Files which is provided as a default link to the users, and it shows all files from all users that have changed on the system.  Double clicking on a file opens it up and thus bypasses the security in place on the system.  This is a major loop hole and we need to get it closed up or shut down, either or.

Any suggestions as to how to approach this and correct it as quickly as possible?

Dallas
0
Comment
Question by:dstewart83161
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 18

Expert Comment

by:Netflo
ID: 39757973
Implement NTFS security on your file store locations or if there is no file server, then ensure that the 'restricted user' does not have local admin rights on the Terminal Server, which appears to be the case.
0
 

Author Comment

by:dstewart83161
ID: 39758271
The term server is also an AD so NTFS security is already on by default.  The user IDs have only two groups they are a member of:  VPN access group and Guest group...that's it.  No local admin rights.
0
 
LVL 18

Assisted Solution

by:Netflo
Netflo earned 750 total points
ID: 39758776
If the TS is also your AD server firstly this is not recommended first of all.

Have you had a look at the file in question and checked effective permissions? Looks to me that NTFS security is not bolted down correctly on a file level and you may be relying on share level security.
0
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

 
LVL 56

Accepted Solution

by:
McKnife earned 750 total points
ID: 39760556
Hi.

I bet there's not much magic involved. Make sure that you did not overlook something like him being a member of groups that are nested in the local administrators group or even nested in domain admins.

Being a TS does not induce anything like this.
0
 

Author Closing Comment

by:dstewart83161
ID: 39775660
I fully understand the TermServer not recommended as an AD as well.  I didn't create the environment, just inherited it.  In many SMB's though, this kind of stuff is required for them to keep costs down.  RAS is not recommended on an AD either yet Microsoft delivers an all in one solution with its SBS environments that does this very thing.

What I did discover was that the yahoo...uh...prior technician, handed out the Remote Desktop Users group to give out file permissions instead of just what it was intended for.  Once I removed it and dealt with some other user permissions fallout from that issue, the problem was corrected.  Thanks so much for weighing in.
0
 
LVL 18

Expert Comment

by:Netflo
ID: 39776310
Glad to hear your up and running. Just to note SBS is a very different type of machine, which is supported by MS, that's the difference.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Have you ever had a hard drive that you can't boot into, but need to change the registry? Here is the solution! This article guides you through accessing and editing a registry of a non-primary drive. To read registry information on a non-prim…
I have put this article together as i needed to get all the information that might be available already into one general document that could be referenced once without searching the Internet for the different pieces. I have had a few issues where…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question