Windows 2003 Server - Default Local\User group

[BootMeUp]

We have a pair of Dell Windows 2003 Servers (identical). The other day an experienced user discovered he could copy files to folders, copy files in folders, and delete them, in an area where he had no explicit permission to do other that read/execute.

I found a new group in the tree of folders (and on all folders throughout Both systems, which had special permission to "create files/write data" - "create folders/append data". The local group is "MySrvr\User". Properties of "User" contain the "MyDomain\Domain users" account. Obviously this allows anyone with an account to use the special permission on every folder in the system.
I have successfully removed the special permission from "MySrvr\User" on a few folders and, as expected,it prevented writing, copying, deleting.

What really concerns me is how the "MyDomain\Domain users" account got into the local User group, the User group got inserted into all folders and with special permissions.

The operating system was already installed when the machines were delivered. I have scoured the Microsoft site and can't find an explanation for this. I can continue to remove the special permissions - seems to work ok - but, AM I creating an unseen problem that will come back to bite?
Anyone have knowledge of/experience with this latest Microsoft "feature"?

Thanks,
Steve

 

[markdmac]

It is not a Microsoft Feature. Whoever setup that group explicitly added the Domain Users to it.

If you are nto using the group, remove the whole group or remove Domain Users from it.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

 

[BootMeUp]

Mark,
Thanks for responding. I have been able to successfully remove the "special" permissions from the User group in all folders. I felt since that was the real problem, why unplug something else.

I did also discover that desktop windows xp machines have the same special permissions, except on the c:\ drive, they have omitted it in "Doc & Settings", "Program Files", and "Windows". Clearly, this was not a case of hitting the wrong key during oper system install.

At home, I have two dell pc's. One I bought used 5 years ago. It had 98SE installed. I upgraded to W2K, then XP. It did not have the User group on any folders, with any permissions. The other dell I bought new from dell with oper system installed. Yup, it has User group with special permissions plastered all over it (except on c:\ as noted above.).

"Dell" seems to be the common denominator. Problem is, how many users really know about this? In a test, a user with no inherent write permissions, was able to copy a file into a folder thought to be secure. Imagine the possibilities if that file extension was ".exe". He could also create folders and copy existing data and delete the copied files. Removing the special permissions prevented the above actions.

Steve

 

[NickFerrar]

Hmm does sound a bit of a strange thing for Dell to do, although we buy Dell servers we get the OS elsewhere and install it ourselves so haven't come across this issue.

 

[pseudopod]

I seem to have a similar issue.
Users were able to access files on various Windows 2003 servers on our network and when I checked I found that the local Users group for each server had Special Permissions set to Create Folders/Append Data Create Files/Write Data.
The Users group itself contains NT Authority/Authenticated users, so it seems to allow access for anyone authenticated to AD.
Initially I thought that this might be set on the image we use to build servers, so I built a new server from scratch using our Select CD.
Same issue.
Can't seem to find any reference to it on Microsoft's site.
I could remove the special permissions, but it must be set as a default for some reason, so I'm loathe to do so without understanding why.

Any suggestions?

Rob

 

[BootMeUp]

I typed this from my notes and saved it. It is exactly what I used. I decided to do
this in case someone else might need to do the same procedure.

I had to do this for a production server, so I had to learn quickly and make no
mistakes. I would recommend testing an easily recoverable folder first – this is tricky stuff.

I decided not to remove the entire Users group from the folders because I wasn’t sure what that would unplug. I traversed the MS site from one end to the other for info – nada.

By the way, I discovered a number of Windows XP machines at our site and my new Dell computer at home are like this. An older at home Dell that I upgraded to XP SP2 (from an MS reseller copy, doesn’t have the special permission).

· Open properties in the top folder under root directory (c:\ d:\ etc.).
· Highlight ‘Users(MyServer\Users)’
· Click “Advanced” button
· Scroll down and highlight:
‘Users(MyServer\Users)’ “Special”
(Special provides: Create Files/Write Data
Create Folders/Append Data)
· Remove check mark from
“Allow inheritable permissions
from the parent….”

· This opens text box with three buttons: Copy, Remove, Cancel
· Click Copy (Text box closes)
· On Advanced Security Settings with “Special “ permissions highlighted
Click Remove (Special permissions line will be gone).
· Click OK.
(Depending on size of folders and speed of machine, it may take a while for the modify to run. Be sure to check a few folders to verify the outcome.)

11/30/2006 ‘BootMeUp’