Windows – NTFS permissions allowing access automatically without visible inheritance

Tags: ntfs, permissions, windows

This question is unanswered on Super User. I thought it was the best place for it, but no one knows. As it is related to a server, I am hoping it can be moved to Server Fault and someone can help me there.

Basically, I wanted to test security on a server. I made an ASP script that just lists the files in a directory. The user IIS logs in as is meant to be locked down and have access to only one folder. The script returned the number of folders and files, but got access denied on trying to read their actual names.

This user is called testlockdown and there is a group called lockeddown.

I can go to any folder, right click and do Properties, then Security; I click Advanced and then Effective Permissions.

If I check either the guest user or the guests group, I can see there are no checkboxes. If I check the group object lockeddown, there are no checkboxes, but if I check the user testlockdown, there are a bunch (about 6) of objects that have ticks, including list, read, create.

I have been tearing my hair out for about 2 hours trying to figure this out: turned on auditing, gone through the local security policy, created additional users, groups...

I have done all I think I can and I just cannot figure out how it is getting these permissions and why / where they are coming from.

During my test, I created a new folder called foo. On creation it has inherited Administrator, Creator Owner (and I'm not logged in as this user), System and the Users group. However, under Effective Permissions, again, I have all the check boxes!

From a paste of "net user testlockdown" I get:

User name                    testlockdown
Full Name                    testlockdown
Comment                      User for testing security
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never
Password last set            28/06/2009 19:22
Password expires             Never
Password changeable          28/06/2009 19:22
Password required            Yes
User may change password     Yes
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   03/08/2009 03:56
Logon hours allowed          All
Local Group Memberships      *lockeddown
Global Group memberships     *None

The command completed successfully.

I see a star next to the local group membership, but I cannot find out what this means and do not know if it is relevant.

My best guess is that somehow this user is getting permissions from the Users group; however, I cannot see or understand why.

I hope I have given enough information. I am pulling my hair out over this! If you need any more information, I am happy to provide it.

Edit: I should say, I know I can add a deny permission, but that is not really the point, as it should be unnecessary.

Thanks

Best Answer

What you are looking at is known as Special Permissions. I would highly recommend you read this article at Windows Security that covers and explains in detail how security on NTFS works.

Warning: Be careful when testing security with IIS. IIS has another layer of security which is not linked to NTFS; however, it will enforce NTFS permissions. Also, locking down folders for a specific user will not affect anonymous website access, where IIS uses its own account, and not the logged-in user, to specify access.
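As an added illustration that is not part of the question or the answer above, the following Python models the Windows DACL access check against a constructed ACL like the one on the folder foo and a constructed logon token for testlockdown (the account and group SIDs for testlockdown and lockeddown are made up; the built-in SIDs are real). What it shows is that an account never named in the ACL still matches the Users ACE, because every authenticated local logon carries Authenticated Users and, by default, BUILTIN\Users in its token.

```python
from typing import NamedTuple

# Access-mask bits (subset; real NTFS values)
FILE_READ_DATA = 0x0001    # List folder / read data
FILE_WRITE_DATA = 0x0002   # Create files / write data
FILE_APPEND_DATA = 0x0004  # Create folders / append data
FILE_EXECUTE = 0x0020      # Traverse folder / execute
DELETE = 0x00010000
READ_EXEC = FILE_READ_DATA | FILE_EXECUTE
FULL = 0x1F01FF            # FILE_ALL_ACCESS

# Well-known SIDs (real values); the two account SIDs are constructed
ADMINS, SYSTEM, USERS = "S-1-5-32-544", "S-1-5-18", "S-1-5-32-545"
AUTH_USERS, EVERYONE = "S-1-5-11", "S-1-1-0"
TESTLOCKDOWN = "S-1-5-21-0-0-0-1005"   # constructed user SID
LOCKEDDOWN = "S-1-5-21-0-0-0-1006"     # constructed group SID

class Ace(NamedTuple):
    kind: str   # "allow" or "deny"
    sid: str    # trustee
    mask: int   # access mask

# Constructed DACL like the folder "foo": nothing names testlockdown or
# lockeddown, only the built-in principals and the Users group.
FOO_DACL = [
    Ace("allow", ADMINS, FULL),
    Ace("allow", SYSTEM, FULL),
    Ace("allow", USERS, READ_EXEC | FILE_WRITE_DATA | FILE_APPEND_DATA),
]

# A logon token for testlockdown: the user, its explicit group, and the
# implicit groups every authenticated local logon receives (Everyone,
# Authenticated Users, and through the latter BUILTIN\Users).
TESTLOCKDOWN_TOKEN = {TESTLOCKDOWN, LOCKEDDOWN, EVERYONE, AUTH_USERS, USERS}

def applicable_aces(dacl, token_sids):
    """ACEs whose trustee is in the token: where effective rights come from."""
    return [ace for ace in dacl if ace.sid in token_sids]

def access_check(dacl, token_sids, requested):
    """Simplified Windows AccessCheck (ACEs assumed in canonical order, denies
    first): a deny covering a not-yet-granted requested bit fails the check;
    allows accumulate bits; success once every requested bit is granted."""
    granted = 0
    for ace in applicable_aces(dacl, token_sids):
        if ace.kind == "deny" and ace.mask & requested & ~granted:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested
```

Running `applicable_aces(FOO_DACL, TESTLOCKDOWN_TOKEN)` returns only the Users ACE, which is why the Effective Permissions tab shows list, read and create for testlockdown while the lockeddown group alone shows nothing.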