Windows Permissions? (multiple admins)

[edro]

On windows 2000 Server...

I have the Administrator account and the Administrator2 account. Both are admins.

I would like to be able to create a share, that only Administrator2 can access.

I did it the standard way, but the Administrator can still go into the share properties and change the permissions so Administrator can access it too.

How can you prevent this?

 

[Zugzwang152]

you can't do this. by very definition administrators have full access to everything. you can do this by changing administrator to a power user and adding all other permissions with the second administrator account, except for the ones allowing him to access the share or change permissions so he can access the share.

 

[Nothinman]

by very definition administrators have full access to everything

Not at all. Ever try to go into the "System Volume Information" directory?

I did it the standard way, but the Administrator can still go into the share properties and change the permissions so Administrator can access it too.

You shouldn't use share permissions, ever. You should limit things with filesystem ACLs. I believe there's a way to remove the ability for admins to take ownership, probably somewhere in the security policy, but I can't remember for sure and I don't a Windows box to look at right now.

 

[edro]

bump

 

[edro]

.

 

[Nothinman]

You're not going to find a good solution.

 

[stash]

quote:

--------------------------------------------------------------------------------
by very definition administrators have full access to everything
--------------------------------------------------------------------------------



Not at all. Ever try to go into the "System Volume Information" directory?

Admins don't have permissions to that directory by default, but they can add themselves.

I believe there's a way to remove the ability for admins to take ownership, probably somewhere in the security policy, but I can't remember for sure and I don't a Windows box to look at right now.

No. There would be no point. An admin can always take ownership and give himself permission to anything on the box. If you don't trust a user to have that kind of access, they shouldn't be an admin.

 

[Nothinman]

If you don't trust a user to have that kind of access, they shouldn't be an admin.

Tell that to people running "trusted" OSes that have MACs to determine who can do what, on systems like TrustedSolaris, SELinux, etc even root can be limited.

 

[stash]

Good for them Those are obviously very specialized OS's and that capability does not exist in Windows.

 

[Zugzwang152]

im pretty sure everything Nothinman had to say about my first reply was refuted already. Someone let me know if I missed something so I can come back to defend my honor.

 

[Nothinman]

Originally posted by: Zugzwang152
im pretty sure everything Nothinman had to say about my first reply was refuted already. Someone let me know if I missed something so I can come back to defend my honor.

Although incorrectly. Lookie here

Removing that right results in a ACL property page that looks like this and attempting to use a CLI chown tool results in this .

 

[edro]

Hmmm.... so basically... there isn't a way to do this?

I guess I can try to make the other Admin acct. a Power User instead.

 

[stash]

Originally posted by: Nothinman

Originally posted by: Zugzwang152
im pretty sure everything Nothinman had to say about my first reply was refuted already. Someone let me know if I missed something so I can come back to defend my honor.

Although incorrectly. Lookie here

Removing that right results in a ACL property page that looks like this and attempting to use a CLI chown tool results in this .

Umm...again, big deal. An administrator would need five seconds to change the policy back.

 

[Nothinman]

A) That's probably good enough to stop most people
B) There's probably a policy to restrict who can change the local system policy, but I can't find it right now
C) If there isn't and you really want you can use filesystem ACLs to restrict access to the policy files, that way they can't be changed and since the target user's won't have the ability to take ownership to change the rights they won't be able to change the policy.

 

[stash]

Sure you could do that, and I could run "at 12:01 /interactive cmd" and run gpedit as system and reset the user right.

You could lock out my access to the command prompt, but if you are going to go through all this trouble, why make them an admin?

 

[Nothinman]

Sure you could do that, and I could run "at 12:01 /interactive cmd" and run gpedit as system and reset the user right.

If you're going to such lengths to get around a local security policy, you should be fired anyway.

He wanted a way to prevent an Admin from taking ownership of things, I gave it to him, what's wrong with that?

but if you are going to go through all this trouble, why make them an admin?

Because Windows developers are stupid and design everything to run with admin rights.

 

[stash]

If you're going to such lengths to get around a local security policy, you should be fired anyway.

Right. I'm an ADMIN. Again, in the Windows world, if you don't trust a user to perform administrative tasks, you don't make them an administrator.

He wanted a way to prevent an Admin from taking ownership of things, I gave it to him, what's wrong with that?

Nothing wrong with that, have a cookie. I'm just pointing out that it would possible to circumvent. It also restricts an admin, perhaps more than the OP wants. What if the restricted admin wants to edit local group policy? That's a perfectly reasonable thing for an administrator to expect to be able to do. But you've locked him out of the secedit.sdb file, so he's screwed. What if he needs to be able to take ownership of certain directories? Again, he's not able to do so.

Because Windows developers are stupid and design everything to run with admin rights

And they bow to your obvious brilliance.

 

[Nothinman]

Right. I'm an ADMIN. Again, in the Windows world, if you don't trust a user to perform administrative tasks, you don't make them an administrator.

Of course you do, most people are local admin on their machines.

I'm just pointing out that it would possible to circumvent

Everything is possible to circumvent

What if he needs to be able to take ownership of certain directories? Again, he's not able to do so.

Obviously it depends on the environment, but IME taking ownership of files is rarely needed in Windows, infact most people don't even pay attention to who owns the file when they adjust the ACLs.

And they bow to your obvious brilliance.

I wish they would, so many commercial developers make so many stupid mistakes that it's so frustrating to have to implement their crap.

 

[Jzero]

Originally posted by: Nothinman
Of course you do, most people are local admin on their machines.

Not my enterprise :evil:

 

[SagaLore]

Are these admin accounts local accounts to the server, or domain accounts?

 

[stash]

Of course you do, most people are local admin on their machines.

Not where I work either. Users who are domain admins are not allowed to log in interactively to anything, even their own machines. Nobody is a local admin of anything. Everyone has a LUA account, which they log in interactively with. Users who need to do administrative tasks are delegated those rights and perform their duties using an elevated account and runas.

Obviously it depends on the environment, but IME taking ownership of files is rarely needed in Windows, infact most people don't even pay attention to who owns the file when they adjust the ACLs.

It's used quite a lot when you have a situtation where a user leaves the organization and you need to get access to their files.

 

[Nothinman]

Not where I work either

Out of curiosity, since your sig mentions MS, are you referring to MS as a whole or a subdivision? I remember reading somwhere a while back that most people are MS were local admins, but that was a few years ago and as I said I don't remember the source so I have no idea how reliable it was.

It's used quite a lot when you have a situtation where a user leaves the organization and you need to get access to their files.

Only if you didn't already have Admins:Full Control on the file shares, but most of our user data is on NetWare still.

 

[stash]

I'm talking about the customer that I support, not Microsoft.

 

[Nothinman]

Ah, so MS does give all of their employees local Admin access.

 

[stash]

Yes, that is true. This is changing however. There is a growing number of people (myself included) who run as LUA, to practice what we preach, as it were. I think it is safe to say that Longhorn will be making changes in this area.

http://msdn.microsoft.com/longhorn/defa...rary/en-us/dnlong/html/leastprivlh.asp

Not making users admins by default would be a huge step, obviously, but the real challenge is getting third-party developers to create applications that follow the principle of least-privilege.