R2 Anonymous Security Issue


Guest confusedr2@yahoo.com
Posted

I installed a 2003 R2 file server. I set up some folders and applied NTFS security permissions to them. I tested using a test domain logon w/ no rights to make sure that the standard user couldn't access the secured folders. Everything worked as expected.

Jump forward a couple of weeks and I have discovered that if you are not logged into the domain - you can access the server with more rights than a standard user. For example - you can access the administrative shares, you can access folders that have NTFS security applied, etc. At first I thought it was a share rights issue, but you can't even edit the share rights for the admin shares. After doing some digging I discovered that if the R2 server's local administrator account was given rights to the folder - anonymous users also had rights to the folder, but domain users did not.

How/why is R2 assigning anonymous logons local administrator permissions? I have corrected the problem by removing the local admin account but this should not be doing what it is doing. Where do I start?

Guest Meinolf Weber
Posted

Re: R2 Anonymous Security Issue

 

Hello confusedr2@yahoo.com,

Please post the share permissions you set and also the security/NTFS rights from the shared folder.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> I installed a 2003 R2 file server. I set up some folders and applied NTFS security permissions to them. I tested using a test domain logon w/ no rights to make sure that the standard user couldn't access the secured folders. Everything worked as expected.
>
> Jump forward a couple of weeks and I have discovered that if you are not logged into the domain - you can access the server with more rights than a standard user. For example - you can access the administrative shares, you can access folders that have NTFS security applied, etc. At first I thought it was a share rights issue, but you can't even edit the share rights for the admin shares. After doing some digging I discovered that if the R2 server's local administrator account was given rights to the folder - anonymous users also had rights to the folder, but domain users did not.
>
> How/why is R2 assigning anonymous logons local administrator permissions? I have corrected the problem by removing the local admin account but this should not be doing what it is doing. Where do I start?

Posted

Re: R2 Anonymous Security Issue

 

Do you happen to use some sort of disk cloning to duplicate OS installs?

hth
Marcin

Guest confusedr2@yahoo.com
Posted

Re: R2 Anonymous Security Issue

 

On Feb 18, 3:13 pm, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
> Hello confuse...@yahoo.com,
>
> Please post the share permissions you set and also the security/NTFS rights from the shared folder.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > I installed a 2003 R2 file server. I set up some folders and applied NTFS security permissions to them. I tested using a test domain logon w/ no rights to make sure that the standard user couldn't access the secured folders. Everything worked as expected.
> >
> > Jump forward a couple of weeks and I have discovered that if you are not logged into the domain - you can access the server with more rights than a standard user. For example - you can access the administrative shares, you can access folders that have NTFS security applied, etc. At first I thought it was a share rights issue, but you can't even edit the share rights for the admin shares. After doing some digging I discovered that if the R2 server's local administrator account was given rights to the folder - anonymous users also had rights to the folder, but domain users did not.
> >
> > How/why is R2 assigning anonymous logons local administrator permissions? I have corrected the problem by removing the local admin account but this should not be doing what it is doing. Where do I start?

The root of the drive has
local admin - Full
Domain Admins - Full
Everyone - Read
and default admin share permissions

D:\Shared has the same NTFS permissions and is also shared w/ Everyone = Full Share. The setting for anonymous to use everyone is still at the 2003 default of disabled.

D:\Shared\Accounting has
no share
local admin = full
domain admins = full
accounting = Modify

D:\shared\HR has
no share
local admin = full
domain admins = full
accounting = Modify

D:\shared\Public has
no share
local admin = full
domain admins = full
Everyone = Full

There are other folders but the structure is similar. The same thing happens if I connect to the shared share.

Guest confusedr2@yahoo.com
Posted

Re: R2 Anonymous Security Issue

 

On Feb 18, 4:20 pm, "Marcin" <mar...@community.nospam> wrote:
> Do you happen to use some sort of disk cloning to duplicate OS installs?
>
> hth
> Marcin

Normally for servers we just use a sysprepped image but for this server it was built from scratch since the image is 2003 SP1.

