Compatible Support Forums
test_client

Security breach in Windows 2000 ?


Do the following:

1. Install Windows 2000 Professional (the same for Windows 2000 standalone server).
2. Log on as Administrator.
3. Get all the security updates and SP2, so that your code is up to date.
4. Go to C: and create a test directory, with full access for "Administrators" and "Users" only (remove everybody else).
5. Now create a test account. Remove all groups from the "Member Of" list, so that the new account does not belong to *any* groups.
6. Now log out and log in with the new account name.

Windows 2000 not only lets you log in, but you can also modify the test directory created in step 4.

Now log in as Administrator and modify the test account to make it a member of the "Guests" group. Log in with the new account name; you can still modify the test directory.

What is going on?!!

Do *all* accounts belong to the "Users" group by default? How do you change the account so that it does not belong to the "Users" group? Am I missing something here?


If you want to restrict access, choose decline for modify. Decline takes precedence over allow. And yes, all accounts belong to the Users group. If you remove them, it will still be the Users group unless you define it as Guest.

But keep the guest disabled if you ask me.


It's not a problem with the security, but rather a lack of understanding of how NT security works. When Novell was crying about how admins can get into files even when they were locked out (by reclaiming ownership), they were acting as if it was a flaw. It isn't, it's by design. That account is still going to be a member of "authenticated users" since it is a valid account, and any version of "Guest" should never be enabled. This is something that you would learn either in class, or practice. Too many people obtain copies of major vendor server operating systems, fiddle with it for a while until they are convinced they "know" it, then pass themselves off as being "trained" to work with it so they can get a job. Then, when the company network is compromised (security breach, performance issues, whatever) it's a big shock when "the computer guy" can't fix it.


As always, clutch, I totally agree with you. But hey, if they were not there, how would guys like us make money? :)



 

You know what sucks though, is that I hear the jokes about the paper-MCSEs (Must Consult Someone Experienced), yet they give the competent ones a bad name. Just kinda burns me out when someone doesn't understand something, then proclaims that it's a "problem" with Windows.

 

test_client, do yourself a favor and pick up a Sybex book (or any of the MCSE grade books will do) on Windows 2000 Server. This will go a LONG way to teaching you the nuances of object-based permissions management (plus you'll pick up some other cool stuff on the way...).


Clutch:

 

I asked for help because it got me confused. You do not have to tell me that you know better, I was hoping that somebody would know better than I did. That is why I submitted the question to this group.

 

The idea behind removing *all* groups the account belongs to was to strip this account of *all* access rights. Ideally that would let me create a fresh group with unique access rights.

 

As it turns out, Microsoft gives *everybody* User access rights by default; even the guest account will have User rights by default. This happens because the newly created account belongs to the INTERACTIVE default group, although this group does not show up in the list of groups the account belongs to. The INTERACTIVE group in its turn belongs to the Users group.

 

These default groups are very much like ghosts lurking around in the dark, granting different users different access rights. And instead of being able to *simply* look up which account belongs to which specific group, the administrator has to know what was in the minds of the designers of the operating system.

 

Reading books is very good and I do thank you for your suggestion. However it would be much better if I simply could look up who belongs to which group in the user manager. (Instead of keeping it in my memory).

 

Account management does not really have to be so muddled. Make these "ghost" groups grayed out to identify that you cannot remove them, but they should show up in the list. But this is a request for Microsoft rather than a topic for the forum.

 

It's true that denying access rights will override the granted access rights. However Windows gurus tell you that denying access rather than granting access should be the last resort, so they recommend staying away from denying access (I think this was a white paper on the Microsoft site or on one of the Microsoft CDs).

 

Thank you all for your feedback.


As an aside, NT 3.50 didn't automatically grant domain users Interactive access. This meant that you couldn't just set up a machine and have any user sit down and log on without taking an extra step or two, so it's somewhat understandable why Microsoft made this change. Also, you could manage these 'ghost' groups from the user manager, instead of a separate tool as with W2K.


Hey, I wanna be a "WINDOWS GURU". Does anybody know how to become one? Apparently that is the only thing that counts, not the experience or education.


I do not know how you would become a Windows GURU. Possibly you read books and magazines, spend a lot of time hands-on with Windows, and associate with people who know something about your subject. Also you need some talent, and to be open-minded, as with any other profession. It is a good question, and I do not know the answer.

 

Here is a piece from a Microsoft Knowledge Base article for your information, which warns you about using the "Deny" column:

> Access permissions are combined from any permissions that are
> assigned directly to the user and those that are assigned to any
> groups of which the user is a member.
>
> The exception to this rule is if there is an explicit Deny
> permission on the folder or file. This occurs because Deny
> permissions are enumerated first when Windows 2000 is determining
> whether or not a particular user can perform a particular task.
>
> Therefore, you should avoid using explicit Deny permissions
> (that is, avoid clicking to select a check box in the Deny column)
> unless there is no other way to achieve the permissions mix that
> you need.

 

Also I noticed that you talk about "decline" in your earlier posts. Do you mean "deny", or is there another set of "decline" permissions I am not aware of? That would be really spooky.

 

Thanks!

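The two points this thread turns on, the implicit logon groups that never appear on the "Member Of" tab and Deny entries being enumerated before Allow entries, as an added Python model (not code from the thread or from Microsoft): the group nesting, the account name "testacct" and the test ACL are constructed for the example, and the two-pass check is a simplification of the ordered-ACL walk Windows actually performs.

```python
from dataclasses import dataclass

# Groups every interactive logon token carries; "Member Of" never lists them
IMPLICIT_LOGON_GROUPS = frozenset({"Authenticated Users", "INTERACTIVE"})
# Default nesting on a fresh Windows 2000 box: BUILTIN\Users contains both
# implicit groups, so every logged-on account ends up with Users' rights
GROUP_MEMBERS = {"Users": {"Authenticated Users", "INTERACTIVE"}}

FULL_CONTROL = frozenset({"read", "write", "execute", "delete",
                          "change_permissions", "take_ownership"})
MODIFY = frozenset({"read", "write", "execute", "delete"})


@dataclass(frozen=True)
class Ace:
    trustee: str
    rights: frozenset
    deny: bool = False


def build_token(account, explicit_groups=()):
    """Expand an account's effective group set the way a logon token does."""
    token = {account, *explicit_groups} | IMPLICIT_LOGON_GROUPS
    changed = True
    while changed:  # resolve nested groups until nothing new is added
        changed = False
        for group, members in GROUP_MEMBERS.items():
            if group not in token and token & members:
                token.add(group)
                changed = True
    return token


def access_check(acl, token, requested):
    """Deny ACEs are enumerated first: any denied requested right fails the
    check; otherwise Allow ACEs for the user and all its groups are summed.
    (Simplified two-pass model of the ordered-ACL walk Windows performs.)"""
    denied = set().union(*(a.rights for a in acl if a.deny and a.trustee in token))
    if denied & requested:
        return False
    granted = set().union(*(a.rights for a in acl if not a.deny and a.trustee in token))
    return requested <= granted


def thread_scenario(extra_groups=(), deny_modify=False):
    """The first post's test: C:\\test with Full Control for Administrators
    and Users only, opened by a new account with no group memberships."""
    acl = [Ace("Administrators", FULL_CONTROL), Ace("Users", FULL_CONTROL)]
    if deny_modify:  # the first reply's fix: an explicit Deny on the account
        acl.insert(0, Ace("testacct", MODIFY, deny=True))
    return access_check(acl, build_token("testacct", extra_groups), MODIFY)
```

With the constructed defaults, the account with no explicit groups (and the same account added to Guests) still passes the Modify check, while the same account stripped of its implicit logon groups, or given an explicit Deny, fails it.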

Yeah, he more than likely meant "deny" in his earlier posts (unless the UK version uses "decline" rather than "deny").

 

As for being a guru, I have no idea. I can tell you this though, most of the more advanced people here have had more than a few years under their respective belts not only using various versions of Windows, but administering them in business situations. Earlier, I wasn't so much attacking you (I am sorry if you got that impression) as illustrating what most people really need to do before they start handling server-class operating systems. When I tried to use Linux, I went through about a dozen "how-tos" before I could get anywhere with it. After a while, I was able to move around in a somewhat pathetic manner :). I got Samba working with NT while retaining encrypted authentication, and I did mess with Apache for a brief amount of time. I had a couple of friends that knew Linux quite well, and they gave me some assistance. However, the main source of information came from reading books (I bought QUE's "Using Linux" and Sam's "Teach Yourself Samba in 24 Hours") to get myself off the ground. Now while I know using books like this may not be particularly attractive, it is far better than getting bits and pieces of information from dozens of sources and then patching it all together. In that scenario, you rarely get an accurate picture of what is going on. So many people manage to get their hands on NT/2K server, and start setting up boxes with little or no idea what they are doing. Most of them install IIS in full default trim, and then wonder why their machines are used as "zombies" for DoS attacks. Learning to use an OS is something that requires temperament, and a great deal of patience. I just feel that this is getting pushed aside in favor of quickly picking up some commonly used tasks, and then trying to land a job as an admin somewhere. I mean, for those who don't know, Win2K server can do more than host game and w4rez servers...

 



Nope, decline is deny...

It is the multi-OS talking. I also use Unix a lot, so I get the commands confused sometimes :)

With using deny, the only problem I can see is having 100 users which all have to be limited, etc. But this is not the case with you. I simply told you how to do it. Taking my advice or not is up to you. ;)

 

About gurus... As far as I am concerned, in order to become one, you have to make random and meaningless comments about all the subjects related to windows (glass, PVC or computer ones). And when the solution finally presents itself, claim very loudly, drawing attention to yourself, that this was what you really meant in your earlier remark.

 

PS. Of course there are some real ones but they do not call themselves guru!


Your description sounds more like middle management, rather than being a "guru".


Come to think of it, it does.

I do not deal with middle or low management, but I deal with loads of people who think they know everything about computers :)

The type that unplugs a hub because it wastes electricity! Forgets to plug it back in and then screams at me on the phone that the network they paid x amount for is crap!

The freedom and profits of self-employment and consultancy do come with a price.

Quote:

It's not a problem with the security, but rather a lack of understanding of how NT security works. When Novell was crying about how admins can get into files even when they were locked out (by reclaiming ownership), they were acting as if it was a flaw. It isn't, it's by design. That account is still going to be a member of "authenticated users" since it is a valid account, and any version of "Guest" should never be enabled. This is something that you would learn either in class, or practice. Too many people obtain copies of major vendor server operating systems, fiddle with it for a while until they are convinced they "know" it, then pass themselves off as being "trained" to work with it so they can get a job. Then, when the company network is compromised (security breach, performance issues, whatever) it's a big shock when "the computer guy" can't fix it.

I wonder if that's the case with the Code Red worm.


I believe it to be mostly a related bug.

Code Red did not come out last week; it was around (under different names) for about 3 months. At least that was the first time my default sites (which were actually a trap :)) got defaced.

MS released a patch, we all installed it, and SirCam etc. did not hurt me a bit. Each of the machines just constantly got scanned, which is not a problem in my opinion.

It became the responsibility of the admin the moment the IIS patch was released; they should have looked, followed what was happening and installed it. Just blaming MS is destructive criticism and does not help anybody.

If admins do pay real attention, worldwide breaches like that will happen a lot less. Of course most of the blame goes to MS!!! Since they can not get anything right.

I am betting if they wrote a batch file to copy files it would have a security leak as well. I know it is not possible, but I am sure they can manage :)


Speaking of GURUs, one thing that shocks me about NT Admin culture is how few people have read the Resource Kit (aka "the f*ing manual"). It's all in there, and usually in a format that's better presented for real work than a book oriented towards gaining the subset of knowledge necessary for passing the MCSE tests.

 

(OK, I don't do that work any more so I haven't read the gigantic $300 2K bookshelf, but the 3.x books were quite good, as with parts of the 4.0 set.)
