General discussion

    Windows Server 2012 ~ local user account passing permission 2 domain users?

    by occi_dave · #2341363


    I was surprised to find that “Jack”, a domain user account, was able to get into Jill’s network file share on Server 2012 R2. Jack’s network account wasn’t listed in the permissions tab for Jill’s share, yet when Jack opened Windows Explorer and typed \\fileservername to reveal the shares, he was able to access Jill’s directory when he double-clicked it. He had the access and was able to read all about Jill’s fantasy of them running up the hill and the tragedy that followed shortly after when Jack fell down. (That’s what he gets for snooping in Jill’s share.)

    The local server’s users account also had permissions on the root of the drive which filtered down to Jill’s file share. Read & execute, list folder contents, read and special permissions. I didn’t make any special effort to put them there, they were just there.

    So, remove the local server’s user account from the root and Jack isn’t able to see Jill’s share. Solved! But wait, when you remove the local server’s user account from the root, nobody else will be able to access anything on the share… not solved. I put the permissions back on the root for the local user’s account and, from Jill’s share, disinherited permissions, then explicitly named Jill… and not Jack… and not the file server’s local user account, and Jill was able to continue writing her fantasies about Jack in private as he was no longer able to access Jill’s file share.

    Normal operation? A change from earlier server versions? Seems like a serious security concern to have the local server’s user permissions flow through to domain user accounts which aren’t even listed on the security tab, thus granting them access. Danger Will Robinson!
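An added example (not part of the original post) showing how an administrator can audit and then lock down the situation described above. On a domain-joined server the local BUILTIN\Users group contains NT AUTHORITY\Authenticated Users and the domain's Domain Users group by default, so an inherited Read ACE for "Users" at the drive root reaches every domain account. The first function walks each SMB share's NTFS ACL and reports Allow entries for such broad principals, flagging whether they were inherited; the second breaks inheritance on one folder and grants only the named owner, Administrators and SYSTEM, which is what the poster's fix amounts to. It assumes it runs elevated on the file server; the share path and the 'CONTOSO\jill' account are placeholders.

```powershell
# Added example, not code from the original post. Run as an administrator on
# the file server. Share path and owner account below are placeholders.

# Principals that, on a domain-joined server, effectively mean "any domain user".
$BroadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

function Find-BroadShareAccess {
    # Enumerate every non-administrative SMB share and report Allow ACEs on the
    # underlying folder that grant broad principals access, noting whether the
    # ACE was inherited (i.e. came from the drive root rather than the share).
    [CmdletBinding()]
    param()

    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        $acl = Get-Acl -LiteralPath $share.Path
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            $isBroad = ($BroadPrincipals -contains $id) -or ($id -like '*\Domain Users')
            if ($isBroad -and $ace.AccessControlType -eq 'Allow') {
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Principal = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Protect-UserShareFolder {
    # Stop inheriting from the parent, discard the inherited ACEs, and grant
    # only the owner (Modify), Administrators and SYSTEM (Full Control).
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $OwnerAccount   # e.g. 'CONTOSO\jill' (placeholder)
    )

    $acl = Get-Acl -LiteralPath $Path
    # SetAccessRuleProtection($isProtected, $preserveInheritance):
    # $true,$false = block inheritance and drop the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = $OwnerAccount;            Rights = 'Modify' }
    )
    foreach ($r in $rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r.Id, $r.Rights, $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage on the file server: list where broad, inherited access reaches a share,
# then protect one user's folder (placeholder values).
Find-BroadShareAccess | Format-Table -AutoSize
# Protect-UserShareFolder -Path 'D:\Shares\Jill' -OwnerAccount 'CONTOSO\jill'
```

Rows with Inherited = True and Principal = BUILTIN\Users are exactly the case in the post: the entry lives on the drive root, not on the share, so it never shows as an explicit entry in the share's Security tab. Leaving the root ACE in place (so other shares keep working) and breaking inheritance only on the folders that must be private is the least disruptive fix; re-run Find-BroadShareAccess afterwards to confirm the protected folder no longer appears.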
