RE: User accounts for shared folders
Why shouldn't system talk to shares?

Cheers
Ken

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, 14 June 2011 3:55 AM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

Why would you do that, when System isn't supposed to be able to talk to shares? Has something changed drastically in later versions of Windows, that is, after Win2k3?

On Mon, Jun 13, 2011 at 12:45, Crawford, Scott crawfo...@evangel.edu wrote:

System on share permissions may be rare, but it's certainly not out of the question. I've got share permissions that specify System.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 2:42 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

On Mon, Jun 13, 2011 at 10:57, Tammy Stewart copper...@personainternet.com wrote:

Ran into something interesting today t-shooting a virus issue on a network. On every share there is no system account listed. Only Domain admins domain users. My google kung-fu seems to be lacking today but is there anything/reason why the system account would not show up? System account does exist on the machine – non shared directories have it. Just the shares that seem affected.

Windows 2003 domain (if that makes any difference)

Not just the system with infected files on the shares – all the servers are like this including clean ones (that have not been touched by the virus yet)

Anyone have any kb articles or something I can look at that would explain this? (and hopefully put them back to normal)

Thanks!
Tammy

When you say that the share doesn't list the System account - do you mean the Share permissions, or the NTFS permissions?

Shares never list System for permissions, AFAIK.

If the NTFS permissions for System have been deleted on the directories that are shared, that's either a conscious action by someone with Full Control permissions listed in an ACE on the directory, or else it's something that the malware did.

If a person at the firm did that, I'd say it's a big mistake - well, unless they are doing something unusual, like setting up an FTP server.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
Re: User accounts for shared folders
I expected that System would have access to shares because they are normally for network access, and according to everything I've read, System doesn't have that. AFAIK, System is only for access to resources local to the machine.

Someone else noted that System is used in DFS (FRS), which is surprising to me, but I don't think he'd be joshing me, so I believe him, because I have never had cause to use DFS.

Now, if System can access shares that are local to the machine, that's perhaps not quite as surprising, but does seem a fairly odd way of doing things.

Kurt

On Tue, Jun 14, 2011 at 04:45, Ken Schaefer k...@adopenstatic.com wrote:

Why shouldn't system talk to shares?

Cheers
Ken

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, 14 June 2011 3:55 AM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

Why would you do that, when System isn't supposed to be able to talk to shares? Has something changed drastically in later versions of Windows, that is, after Win2k3?

On Mon, Jun 13, 2011 at 12:45, Crawford, Scott crawfo...@evangel.edu wrote:

System on share permissions may be rare, but it's certainly not out of the question. I've got share permissions that specify System.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 2:42 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

On Mon, Jun 13, 2011 at 10:57, Tammy Stewart copper...@personainternet.com wrote:

Ran into something interesting today t-shooting a virus issue on a network. On every share there is no system account listed. Only Domain admins domain users. My google kung-fu seems to be lacking today but is there anything/reason why the system account would not show up? System account does exist on the machine – non shared directories have it. Just the shares that seem affected.

Windows 2003 domain (if that makes any difference)

Not just the system with infected files on the shares – all the servers are like this including clean ones (that have not been touched by the virus yet)

Anyone have any kb articles or something I can look at that would explain this? (and hopefully put them back to normal)

Thanks!
Tammy

When you say that the share doesn't list the System account - do you mean the Share permissions, or the NTFS permissions?

Shares never list System for permissions, AFAIK.

If the NTFS permissions for System have been deleted on the directories that are shared, that's either a conscious action by someone with Full Control permissions listed in an ACE on the directory, or else it's something that the malware did.

If a person at the firm did that, I'd say it's a big mistake - well, unless they are doing something unusual, like setting up an FTP server.
Re: User accounts for shared folders
It may be common, and can even be said to ease administration somewhat, but I prefer to apply appropriate security at *both* levels. Makes containment of mistakes much easier.

ASB (Professional Bio http://about.me/Andrew.S.Baker/bio)
Harnessing the Advantages of Technology for the SMB market...

On Mon, Jun 13, 2011 at 8:01 PM, Kurt Buff kurt.b...@gmail.com wrote:

BTW - it's common to have shares with permissions of Everyone (or Domain Users, or Authenticated Users) with Full Control, then separately administer the NTFS permissions underneath the share, as that makes administration much easier.

It can become very confusing, for instance, if the Share permissions are Everyone (or some other group) with Read-Only, that controls access to the file system underneath, and nobody (including Domain Admins, etc.) can write/modify the files or directories, when accessing them through the network share - even though the NTFS permissions would otherwise be set to Modify or Full Control.

Kurt

On Mon, Jun 13, 2011 at 15:03, Tammy Stewart copper...@personainternet.com wrote:

Thanks Kurt,

Makes sense. They likely logged onto the infected workstation as domain admin. I can't recall now but will find out. Not sure if they let users have full control on the shares.

Thanks,
Tammy

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 5:05 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

I see. What you're saying implies that the infected workstation talked with the machine hosting the shares. That's standard - and if the malware is running in the context of a user that has the Full Control permissions for the shares, it can strip out or add permissions at will, without being resident on the machine hosting the shares.

I have found that all too often folks are given Full Control permissions, instead of Modify, which is all most people should have - the only difference between them is that Full Control grants the ability to modify permissions.

Kurt

On Mon, Jun 13, 2011 at 13:05, Tammy Stewart copper...@personainternet.com wrote:

Hi Kurt,

It is the NTFS permissions on the shares. (right click folder properties security) (not who on the network have access) Oddly enough other folders that are not shared have all the usual accounts listed.

It is a file infecting virus (chir.b) from a few machines hitting the shares -- however the server that had the shares hit did not have the OS hit. Just shares so it did not get to memory or make registry modifications.

Thanks,
Tammy

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 3:42 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

On Mon, Jun 13, 2011 at 10:57, Tammy Stewart copper...@personainternet.com wrote:

Ran into something interesting today t-shooting a virus issue on a network. On every share there is no system account listed. Only Domain admins domain users. My google kung-fu seems to be lacking today but is there anything/reason why the system account would not show up? System account does exist on the machine - non shared directories have it. Just the shares that seem affected.

Windows 2003 domain (if that makes any difference)

Not just the system with infected files on the shares - all the servers are like this including clean ones (that have not been touched by the virus yet)

Anyone have any kb articles or something I can look at that would explain this? (and hopefully put them back to normal)

Thanks!
Tammy

When you say that the share doesn't list the System account - do you mean the Share permissions, or the NTFS permissions?

Shares never list System for permissions, AFAIK.

If the NTFS permissions for System have been deleted on the directories that are shared, that's either a conscious action by someone with Full Control permissions listed in an ACE on the directory, or else it's something that the malware did.

If a person at the firm did that, I'd say it's a big mistake - well, unless they are doing something unusual, like setting up an FTP server.

Kurt
RE: User accounts for shared folders
LocalSystem has full control over the local machine, and can authenticate as machinename$ to remote machines (which is what would be required for services that are running as LocalSystem but need to access remote machines, without some proxy process). Additionally for LocalSystem to access shares on the same machine, it would still have full control (unless you change the perms).

Anyhoo, the previous is merely technical limitations - i.e. what is possible. Am still curious to know why it shouldn't have that access.

Cheers
Ken

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, 14 June 2011 10:41 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

I expected that System would have access to shares because they are normally for network access, and according to everything I've read, System doesn't have that. AFAIK, System is only for access to resources local to the machine.

Someone else noted that System is used in DFS (FRS), which is surprising to me, but I don't think he'd be joshing me, so I believe him, because I have never had cause to use DFS.

Now, if System can access shares that are local to the machine, that's perhaps not quite as surprising, but does seem a fairly odd way of doing things.

Kurt

On Tue, Jun 14, 2011 at 04:45, Ken Schaefer k...@adopenstatic.com wrote:

Why shouldn't system talk to shares?

Cheers
Ken

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, 14 June 2011 3:55 AM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

Why would you do that, when System isn't supposed to be able to talk to shares? Has something changed drastically in later versions of Windows, that is, after Win2k3?

On Mon, Jun 13, 2011 at 12:45, Crawford, Scott crawfo...@evangel.edu wrote:

System on share permissions may be rare, but it's certainly not out of the question. I've got share permissions that specify System.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 2:42 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

On Mon, Jun 13, 2011 at 10:57, Tammy Stewart copper...@personainternet.com wrote:

Ran into something interesting today t-shooting a virus issue on a network. On every share there is no system account listed. Only Domain admins domain users. My google kung-fu seems to be lacking today but is there anything/reason why the system account would not show up? System account does exist on the machine – non shared directories have it. Just the shares that seem affected.

Windows 2003 domain (if that makes any difference)

Not just the system with infected files on the shares – all the servers are like this including clean ones (that have not been touched by the virus yet)

Anyone have any kb articles or something I can look at that would explain this? (and hopefully put them back to normal)

Thanks!
Tammy
Re: User accounts for shared folders
Wasn't necessarily stating a should/shouldn't - was stating my expectations and understanding, which was clearly faulty.

On Tue, Jun 14, 2011 at 08:52, Ken Schaefer k...@adopenstatic.com wrote:

LocalSystem has full control over the local machine, and can authenticate as machinename$ to remote machines (which is what would be required for services that are running as LocalSystem but need to access remote machines, without some proxy process). Additionally for LocalSystem to access shares on the same machine, it would still have full control (unless you change the perms).

Anyhoo, the previous is merely technical limitations - i.e. what is possible. Am still curious to know why it shouldn't have that access.

Cheers
Ken

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, 14 June 2011 10:41 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

I expected that System would have access to shares because they are normally for network access, and according to everything I've read, System doesn't have that. AFAIK, System is only for access to resources local to the machine.

Someone else noted that System is used in DFS (FRS), which is surprising to me, but I don't think he'd be joshing me, so I believe him, because I have never had cause to use DFS.

Now, if System can access shares that are local to the machine, that's perhaps not quite as surprising, but does seem a fairly odd way of doing things.

Kurt

On Tue, Jun 14, 2011 at 04:45, Ken Schaefer k...@adopenstatic.com wrote:

Why shouldn't system talk to shares?

Cheers
Ken

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, 14 June 2011 3:55 AM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

Why would you do that, when System isn't supposed to be able to talk to shares? Has something changed drastically in later versions of Windows, that is, after Win2k3?

On Mon, Jun 13, 2011 at 12:45, Crawford, Scott crawfo...@evangel.edu wrote:

System on share permissions may be rare, but it's certainly not out of the question. I've got share permissions that specify System.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 2:42 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

On Mon, Jun 13, 2011 at 10:57, Tammy Stewart copper...@personainternet.com wrote:

Ran into something interesting today t-shooting a virus issue on a network. On every share there is no system account listed. Only Domain admins domain users. My google kung-fu seems to be lacking today but is there anything/reason why the system account would not show up? System account does exist on the machine – non shared directories have it. Just the shares that seem affected.

Windows 2003 domain (if that makes any difference)

Not just the system with infected files on the shares – all the servers are like this including clean ones (that have not been touched by the virus yet)

Anyone have any kb articles or something I can look at that would explain this? (and hopefully put them back to normal)

Thanks!
Tammy
Re: User accounts for shared folders
Some classes of mistakes are easier to contain if permissions are maintained at both points, it's true.

However, it's somewhat harder to manipulate share permissions remotely than it is NTFS permissions, and it's two things to remember to do rather than one when setting permissions.

I've run into situations over the years where share permissions have clouded troubleshooting when others have applied them, and NTFS permissions are robust enough that they're enough for my purposes.

I suppose it's the different philosophies that are represented by:

Don't put all of your eggs in one basket

and

Put all of your eggs in one basket and watch the basket very carefully

Either works.

Kurt

On Tue, Jun 14, 2011 at 08:40, Andrew S. Baker asbz...@gmail.com wrote:

It may be common, and can even be said to ease administration somewhat, but I prefer to apply appropriate security at *both* levels. Makes containment of mistakes much easier.

ASB (Professional Bio)
Harnessing the Advantages of Technology for the SMB market...

On Mon, Jun 13, 2011 at 8:01 PM, Kurt Buff kurt.b...@gmail.com wrote:

BTW - it's common to have shares with permissions of Everyone (or Domain Users, or Authenticated Users) with Full Control, then separately administer the NTFS permissions underneath the share, as that makes administration much easier.

It can become very confusing, for instance, if the Share permissions are Everyone (or some other group) with Read-Only, that controls access to the file system underneath, and nobody (including Domain Admins, etc.) can write/modify the files or directories, when accessing them through the network share - even though the NTFS permissions would otherwise be set to Modify or Full Control.

Kurt

On Mon, Jun 13, 2011 at 15:03, Tammy Stewart copper...@personainternet.com wrote:

Thanks Kurt,

Makes sense. They likely logged onto the infected workstation as domain admin. I can't recall now but will find out. Not sure if they let users have full control on the shares.

Thanks,
Tammy

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 5:05 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

I see. What you're saying implies that the infected workstation talked with the machine hosting the shares. That's standard - and if the malware is running in the context of a user that has the Full Control permissions for the shares, it can strip out or add permissions at will, without being resident on the machine hosting the shares.

I have found that all too often folks are given Full Control permissions, instead of Modify, which is all most people should have - the only difference between them is that Full Control grants the ability to modify permissions.

Kurt

On Mon, Jun 13, 2011 at 13:05, Tammy Stewart copper...@personainternet.com wrote:

Hi Kurt,

It is the NTFS permissions on the shares. (right click folder properties security) (not who on the network have access) Oddly enough other folders that are not shared have all the usual accounts listed.

It is a file infecting virus (chir.b) from a few machines hitting the shares -- however the server that had the shares hit did not have the OS hit. Just shares so it did not get to memory or make registry modifications.

Thanks,
Tammy

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 3:42 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

On Mon, Jun 13, 2011 at 10:57, Tammy Stewart copper...@personainternet.com wrote:

Ran into something interesting today t-shooting a virus issue on a network. On every share there is no system account listed. Only Domain admins domain users. My google kung-fu seems to be lacking today but is there anything/reason why the system account would not show up? System account does exist on the machine - non shared directories have it. Just the shares that seem affected.

Windows 2003 domain (if that makes any difference)

Not just the system with infected files on the shares - all the servers are like this including clean ones (that have not been touched by the virus yet)

Anyone have any kb articles or something I can look at that would explain this? (and hopefully put them back to normal)

Thanks!
Tammy

When you say that the share doesn't list the System account - do you mean the Share permissions, or the NTFS permissions?

Shares never list System for permissions, AFAIK.

If the NTFS permissions for System have been deleted on the directories that are shared, that's either a conscious action by someone with Full Control permissions listed in an ACE on the directory, or else it's something that the malware did.

If a person at the firm did that, I'd say it's a big
Re: User accounts for shared folders
On Tue, Jun 14, 2011 at 3:05 PM, Kurt Buff kurt.b...@gmail.com wrote:

I suppose it's the different philosophies that are represented by:

Don't put all of your eggs in one basket

and

Put all of your eggs in one basket and watch the basket very carefully

A twin engine airplane will have twice as many engine problems as a single engine plane. Sometimes you really want that second engine, but make sure it's worth the trouble.

-- Ben
Re: User accounts for shared folders
The admin could have removed it. On some data areas System has no need for access permissions.

Typed frustratingly slowly on my BlackBerry® wireless device

-Original Message-
From: Tammy Stewart copper...@personainternet.com
Date: Mon, 13 Jun 2011 13:57:19
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: User accounts for shared folders

Ran into something interesting today t-shooting a virus issue on a network. On every share there is no system account listed. Only Domain admins domain users. My google kung-fu seems to be lacking today but is there anything/reason why the system account would not show up? System account does exist on the machine - non shared directories have it. Just the shares that seem affected.

Windows 2003 domain (if that makes any difference)

Not just the system with infected files on the shares - all the servers are like this including clean ones (that have not been touched by the virus yet)

Anyone have any kb articles or something I can look at that would explain this? (and hopefully put them back to normal)

Thanks!
Tammy
Re: User accounts for shared folders
On Mon, Jun 13, 2011 at 10:57, Tammy Stewart copper...@personainternet.com wrote:

Ran into something interesting today t-shooting a virus issue on a network. On every share there is no system account listed. Only Domain admins domain users. My google kung-fu seems to be lacking today but is there anything/reason why the system account would not show up? System account does exist on the machine – non shared directories have it. Just the shares that seem affected.

Windows 2003 domain (if that makes any difference)

Not just the system with infected files on the shares – all the servers are like this including clean ones (that have not been touched by the virus yet)

Anyone have any kb articles or something I can look at that would explain this? (and hopefully put them back to normal)

Thanks!
Tammy

When you say that the share doesn't list the System account - do you mean the Share permissions, or the NTFS permissions?

Shares never list System for permissions, AFAIK.

If the NTFS permissions for System have been deleted on the directories that are shared, that's either a conscious action by someone with Full Control permissions listed in an ACE on the directory, or else it's something that the malware did.

If a person at the firm did that, I'd say it's a big mistake - well, unless they are doing something unusual, like setting up an FTP server.

Kurt
RE: User accounts for shared folders
System on share permissions may be rare, but it's certainly not out of the question. I've got share permissions that specify System.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 2:42 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

On Mon, Jun 13, 2011 at 10:57, Tammy Stewart copper...@personainternet.com wrote:

Ran into something interesting today t-shooting a virus issue on a network. On every share there is no system account listed. Only Domain admins domain users. My google kung-fu seems to be lacking today but is there anything/reason why the system account would not show up? System account does exist on the machine – non shared directories have it. Just the shares that seem affected.

Windows 2003 domain (if that makes any difference)

Not just the system with infected files on the shares – all the servers are like this including clean ones (that have not been touched by the virus yet)

Anyone have any kb articles or something I can look at that would explain this? (and hopefully put them back to normal)

Thanks!
Tammy

When you say that the share doesn't list the System account - do you mean the Share permissions, or the NTFS permissions?

Shares never list System for permissions, AFAIK.

If the NTFS permissions for System have been deleted on the directories that are shared, that's either a conscious action by someone with Full Control permissions listed in an ACE on the directory, or else it's something that the malware did.

If a person at the firm did that, I'd say it's a big mistake - well, unless they are doing something unusual, like setting up an FTP server.

Kurt
Re: User accounts for shared folders
Why would you do that, when System isn't supposed to be able to talk to shares? Has something changed drastically in later versions of Windows, that is, after Win2k3?

On Mon, Jun 13, 2011 at 12:45, Crawford, Scott crawfo...@evangel.edu wrote:

System on share permissions may be rare, but it's certainly not out of the question. I've got share permissions that specify System.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 2:42 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

On Mon, Jun 13, 2011 at 10:57, Tammy Stewart copper...@personainternet.com wrote:

Ran into something interesting today t-shooting a virus issue on a network. On every share there is no system account listed. Only Domain admins domain users. My google kung-fu seems to be lacking today but is there anything/reason why the system account would not show up? System account does exist on the machine – non shared directories have it. Just the shares that seem affected.

Windows 2003 domain (if that makes any difference)

Not just the system with infected files on the shares – all the servers are like this including clean ones (that have not been touched by the virus yet)

Anyone have any kb articles or something I can look at that would explain this? (and hopefully put them back to normal)

Thanks!
Tammy

When you say that the share doesn't list the System account - do you mean the Share permissions, or the NTFS permissions?

Shares never list System for permissions, AFAIK.

If the NTFS permissions for System have been deleted on the directories that are shared, that's either a conscious action by someone with Full Control permissions listed in an ACE on the directory, or else it's something that the malware did.

If a person at the firm did that, I'd say it's a big mistake - well, unless they are doing something unusual, like setting up an FTP server.

Kurt
RE: User accounts for shared folders
It’s on a 2k3 DFS share. The FRS service, running as System needs to write to the share, but everyone else only has read.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 2:55 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

Why would you do that, when System isn't supposed to be able to talk to shares? Has something changed drastically in later versions of Windows, that is, after Win2k3?

On Mon, Jun 13, 2011 at 12:45, Crawford, Scott crawfo...@evangel.edu wrote:

System on share permissions may be rare, but it's certainly not out of the question. I've got share permissions that specify System.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 2:42 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

On Mon, Jun 13, 2011 at 10:57, Tammy Stewart copper...@personainternet.com wrote:

Ran into something interesting today t-shooting a virus issue on a network. On every share there is no system account listed. Only Domain admins domain users. My google kung-fu seems to be lacking today but is there anything/reason why the system account would not show up? System account does exist on the machine – non shared directories have it. Just the shares that seem affected.

Windows 2003 domain (if that makes any difference)

Not just the system with infected files on the shares – all the servers are like this including clean ones (that have not been touched by the virus yet)

Anyone have any kb articles or something I can look at that would explain this? (and hopefully put them back to normal)

Thanks!
Tammy

When you say that the share doesn't list the System account - do you mean the Share permissions, or the NTFS permissions?

Shares never list System for permissions, AFAIK.

If the NTFS permissions for System have been deleted on the directories that are shared, that's either a conscious action by someone with Full Control permissions listed in an ACE on the directory, or else it's something that the malware did.

If a person at the firm did that, I'd say it's a big mistake - well, unless they are doing something unusual, like setting up an FTP server.

Kurt
Re: User accounts for shared folders
I see. What you're saying implies that the infected workstation talked with the machine hosting the shares. That's standard - and if the malware is running in the context of a user that has the Full Control permissions for the shares, it can strip out or add permissions at will, without being resident on the machine hosting the shares.

I have found that all too often folks are given Full Control permissions, instead of Modify, which is all most people should have - the only difference between them is that Full Control grants the ability to modify permissions.

Kurt

On Mon, Jun 13, 2011 at 13:05, Tammy Stewart copper...@personainternet.com wrote:

Hi Kurt,

It is the NTFS permissions on the shares. (right click folder properties security) (not who on the network have access) Oddly enough other folders that are not shared have all the usual accounts listed.

It is a file infecting virus (chir.b) from a few machines hitting the shares -- however the server that had the shares hit did not have the OS hit. Just shares so it did not get to memory or make registry modifications.

Thanks,
Tammy

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 3:42 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

On Mon, Jun 13, 2011 at 10:57, Tammy Stewart copper...@personainternet.com wrote:

Ran into something interesting today t-shooting a virus issue on a network. On every share there is no system account listed. Only Domain admins domain users. My google kung-fu seems to be lacking today but is there anything/reason why the system account would not show up? System account does exist on the machine - non shared directories have it. Just the shares that seem affected.

Windows 2003 domain (if that makes any difference)

Not just the system with infected files on the shares - all the servers are like this including clean ones (that have not been touched by the virus yet)

Anyone have any kb articles or something I can look at that would explain this? (and hopefully put them back to normal)

Thanks!
Tammy

When you say that the share doesn't list the System account - do you mean the Share permissions, or the NTFS permissions? Shares never list System for permissions, AFAIK.

If the NTFS permissions for System have been deleted on the directories that are shared, that's either a conscious action by someone with Full Control permissions listed in an ACE on the directory, or else it's something that the malware did. If a person at the firm did that, I'd say it's a big mistake - well, unless they are doing something unusual, like setting up an FTP server.

Kurt
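The audit that the reply above points toward, as an added example that is not part of the original thread: a Windows PowerShell script that checks the NTFS ACL behind each local disk share for a missing SYSTEM entry and for principals holding Full Control outside an administrative baseline. The baseline SIDs and the function names are assumptions of this example; run it on the file server with an account that can read the ACLs.

```powershell
# Added example (not from the thread): audit the NTFS ACL on the folder behind
# each local disk share. Written for Windows PowerShell (uses Get-WmiObject).

$SystemSid   = 'S-1-5-18'     # NT AUTHORITY\SYSTEM
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$GenericAll  = 0x10000000     # GENERIC_ALL, which can appear on inherit-only ACEs

# Assumed baseline of principals expected to hold Full Control; adjust per site.
# SYSTEM, BUILTIN\Administrators, CREATOR OWNER, plus any domain's Domain Admins.
$ExpectedSids = @('S-1-5-18', 'S-1-5-32-544', 'S-1-3-0')

function Test-ExpectedAdminSid {
    param([string]$Sid)
    return ($ExpectedSids -contains $Sid) -or ($Sid -match '^S-1-5-21-.+-512$')
}

function Get-AceSid {
    param($Ace)
    try {
        $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        # Account could not be resolved: fall back to the name as displayed
        $Ace.IdentityReference.Value
    }
}

function Get-ShareAclFindings {
    # Type = 0 selects ordinary disk shares and skips C$, ADMIN$, IPC$
    foreach ($share in Get-WmiObject -Class Win32_Share -Filter 'Type = 0') {
        if (-not (Test-Path $share.Path)) { continue }

        $acl   = Get-Acl -Path $share.Path
        $allow = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })

        # Any Allow ACE for SYSTEM on the shared folder itself?
        $systemAce = @($allow | Where-Object { (Get-AceSid $_) -eq $SystemSid })

        # Full Control includes the right to rewrite the ACL; list who holds it
        # apart from the expected administrative principals.
        $canEditAcl = @($allow | Where-Object {
            $rights = [int]$_.FileSystemRights
            $full = (($rights -band $FullControl) -eq $FullControl) -or
                    (($rights -band $GenericAll) -ne 0)
            $full -and -not (Test-ExpectedAdminSid (Get-AceSid $_))
        } | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique)

        New-Object PSObject -Property @{
            Share                 = $share.Name
            Path                  = $share.Path
            SystemHasAce          = ($systemAce.Count -gt 0)
            InheritanceBlocked    = $acl.AreAccessRulesProtected
            UnexpectedFullControl = ($canEditAcl -join '; ')
        }
    }
}

Get-ShareAclFindings |
    Select-Object Share, Path, SystemHasAce, InheritanceBlocked, UnexpectedFullControl |
    Format-Table -AutoSize
```

A row with `SystemHasAce` False or a non-empty `UnexpectedFullControl` column marks a folder whose ACL should be compared against a known-good server or a backup before it is reset.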
Re: User accounts for shared folders
OK - have never used DFS, so have not run into that before.

On Mon, Jun 13, 2011 at 13:29, Crawford, Scott crawfo...@evangel.edu wrote:

It’s on a 2k3 DFS share. The FRS service, running as System, needs to write to the share, but everyone else only has read.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 2:55 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

Why would you do that, when System isn't supposed to be able to talk to shares? Has something changed drastically in later versions of Windows, that is, after Win2k3?

On Mon, Jun 13, 2011 at 12:45, Crawford, Scott crawfo...@evangel.edu wrote:

System on share permissions may be rare, but it's certainly not out of the question. I've got share permissions that specify System.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 2:42 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

On Mon, Jun 13, 2011 at 10:57, Tammy Stewart copper...@personainternet.com wrote:

Ran into something interesting today t-shooting a virus issue on a network. On every share there is no system account listed. Only Domain admins domain users. My google kung-fu seems to be lacking today but is there anything/reason why the system account would not show up? System account does exist on the machine – non shared directories have it. Just the shares that seem affected.

Windows 2003 domain (if that makes any difference)

Not just the system with infected files on the shares – all the servers are like this including clean ones (that have not been touched by the virus yet)

Anyone have any kb articles or something I can look at that would explain this? (and hopefully put them back to normal)

Thanks!
Tammy

When you say that the share doesn't list the System account - do you mean the Share permissions, or the NTFS permissions? Shares never list System for permissions, AFAIK.

If the NTFS permissions for System have been deleted on the directories that are shared, that's either a conscious action by someone with Full Control permissions listed in an ACE on the directory, or else it's something that the malware did. If a person at the firm did that, I'd say it's a big mistake - well, unless they are doing something unusual, like setting up an FTP server.

Kurt
RE: User accounts for shared folders
Thanks Kurt,

Makes sense. They likely logged onto the infected workstation as domain admin. I can't recall now but will find out. Not sure if they let users have full control on the shares.

Thanks,
Tammy

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 5:05 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

I see. What you're saying implies that the infected workstation talked with the machine hosting the shares. That's standard - and if the malware is running in the context of a user that has the Full Control permissions for the shares, it can strip out or add permissions at will, without being resident on the machine hosting the shares.

I have found that all too often folks are given Full Control permissions, instead of Modify, which is all most people should have - the only difference between them is that Full Control grants the ability to modify permissions.

Kurt

On Mon, Jun 13, 2011 at 13:05, Tammy Stewart copper...@personainternet.com wrote:

Hi Kurt,

It is the NTFS permissions on the shares. (right click folder properties security) (not who on the network have access) Oddly enough other folders that are not shared have all the usual accounts listed.

It is a file infecting virus (chir.b) from a few machines hitting the shares -- however the server that had the shares hit did not have the OS hit. Just shares so it did not get to memory or make registry modifications.

Thanks,
Tammy

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 3:42 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

On Mon, Jun 13, 2011 at 10:57, Tammy Stewart copper...@personainternet.com wrote:

Ran into something interesting today t-shooting a virus issue on a network. On every share there is no system account listed. Only Domain admins domain users. My google kung-fu seems to be lacking today but is there anything/reason why the system account would not show up? System account does exist on the machine - non shared directories have it. Just the shares that seem affected.

Windows 2003 domain (if that makes any difference)

Not just the system with infected files on the shares - all the servers are like this including clean ones (that have not been touched by the virus yet)

Anyone have any kb articles or something I can look at that would explain this? (and hopefully put them back to normal)

Thanks!
Tammy

When you say that the share doesn't list the System account - do you mean the Share permissions, or the NTFS permissions? Shares never list System for permissions, AFAIK.

If the NTFS permissions for System have been deleted on the directories that are shared, that's either a conscious action by someone with Full Control permissions listed in an ACE on the directory, or else it's something that the malware did. If a person at the firm did that, I'd say it's a big mistake - well, unless they are doing something unusual, like setting up an FTP server.

Kurt
Re: User accounts for shared folders
BTW - it's common to have shares with permissions of Everyone (or Domain Users, or Authenticated Users) with Full Control, then separately administer the NTFS permissions underneath the share, as that makes administration much easier.

It can become very confusing, for instance, if the Share permissions are Everyone (or some other group) with Read-Only, that controls access to the file system underneath, and nobody (including Domain Admins, etc.) can write/modify the files or directories, when accessing them through the network share - even though the NTFS permissions would otherwise be set to Modify or Full Control.

Kurt

On Mon, Jun 13, 2011 at 15:03, Tammy Stewart copper...@personainternet.com wrote:

Thanks Kurt,

Makes sense. They likely logged onto the infected workstation as domain admin. I can't recall now but will find out. Not sure if they let users have full control on the shares.

Thanks,
Tammy

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 5:05 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

I see. What you're saying implies that the infected workstation talked with the machine hosting the shares. That's standard - and if the malware is running in the context of a user that has the Full Control permissions for the shares, it can strip out or add permissions at will, without being resident on the machine hosting the shares.

I have found that all too often folks are given Full Control permissions, instead of Modify, which is all most people should have - the only difference between them is that Full Control grants the ability to modify permissions.

Kurt

On Mon, Jun 13, 2011 at 13:05, Tammy Stewart copper...@personainternet.com wrote:

Hi Kurt,

It is the NTFS permissions on the shares. (right click folder properties security) (not who on the network have access) Oddly enough other folders that are not shared have all the usual accounts listed.

It is a file infecting virus (chir.b) from a few machines hitting the shares -- however the server that had the shares hit did not have the OS hit. Just shares so it did not get to memory or make registry modifications.

Thanks,
Tammy

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 3:42 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

On Mon, Jun 13, 2011 at 10:57, Tammy Stewart copper...@personainternet.com wrote:

Ran into something interesting today t-shooting a virus issue on a network. On every share there is no system account listed. Only Domain admins domain users. My google kung-fu seems to be lacking today but is there anything/reason why the system account would not show up? System account does exist on the machine - non shared directories have it. Just the shares that seem affected.

Windows 2003 domain (if that makes any difference)

Not just the system with infected files on the shares - all the servers are like this including clean ones (that have not been touched by the virus yet)

Anyone have any kb articles or something I can look at that would explain this? (and hopefully put them back to normal)

Thanks!
Tammy

When you say that the share doesn't list the System account - do you mean the Share permissions, or the NTFS permissions? Shares never list System for permissions, AFAIK.

If the NTFS permissions for System have been deleted on the directories that are shared, that's either a conscious action by someone with Full Control permissions listed in an ACE on the directory, or else it's something that the malware did. If a person at the firm did that, I'd say it's a big mistake - well, unless they are doing something unusual, like setting up an FTP server.

Kurt