Announcement

Collapse
No announcement yet.

Spontaneous permission changes on user folders

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Spontaneous permission changes on user folders

    System
    Win2003 servers Std. Single DC, 9 workstations, roaming profiles enabled, behind Sonicwall TZ170 Firewall with McAfee Antivirus. The site is tight, and users have very limited privileges on workstations and they aren't savvy enough to go browsing to random sites. In fact most of them still have the computer vendors home page as the default home page on their browsers.
    We have 4 Terminal Services CALS operating.

    Situation.
    All permissions except Administrators FC were stripped from the users home drive and profile folders on the server so that they were getting error message saying their profile was unavailable.
    This happened to every profile in the office over a period of about 4 months. After we figured out what happened the first time it was easy to fix, but disturbing to have something like this happening and not know the cause.

    Evidence
    Auditing showed that permissions were removed by the users account. The users didn't do it because we were sitting there chatting with them when the log showed the situation occurred

    How we solved it ...sort of....
    Created new userIDs from scratch and blew away the old ones. Haven't had the problem re-occur since.

    What could cause this problem. I know people are going to say hackers or viruses but this site is tight and not very interesting to outsiders in my opinion any way. We have done full scans with products from a number of Antivirus vendors and this site always comes up cleaner than clean.

    Time Traveller

  • #2
    Re: Spontaneous permission changes on user folders

    Is user "sharing" there user+pass with others?
    Do the users have full control permission on the share + NTFS? Try to remove
    full control and give them limited access.
    Is the VPN working? Is there been changes in the firewall policy or/and some logon via VPN in the same time?
    Do you use Macfee Ent? Did you checked the policy? There may problem if the clients scan network drivers etc.
    Best Regards,

    Yuval Sinay

    LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14

    Comment


    • #3
      Re: Spontaneous permission changes on user folders

      Is user "sharing" there user+pass with others?
      This happens occasionally, but I think it's unlikely that this would cause the problem. These people don't know how to set/remove permissions, and it did happen to every single profile.

      Do the users have full control permission on the share + NTFS? Try to remove
      full control and give them limited access.
      No, they have only Change acess. Only Administrators have FC

      Is the VPN working? Is there been changes in the firewall policy or/and some logon via VPN in the same time?
      VPN is used occasionally but nearly always by administrators, not by regular users. We use Microsoft basic PPTP that comes with Windows. VPN by users is very rare...maybe once a month and only 2 users have access.


      Do you use Macfee Ent?
      Yes, at least I think that's what it's called...it comes as part of the SonicWall package.

      Did you checked the policy?
      No, I'll check this out.

      There may problem if the clients scan network drivers
      Does this mean you recommend I get McAffee to stop scanning network drives from workstation clients?

      Comment


      • #4
        Re: Spontaneous permission changes on user folders

        1. There no logic to run scan of network drive when the server have AV on it.
        2. Verity that you use Macfee Ent. 8.
        3. If the users have change right so I guess that a second account make the
        changes - The user cant do it due permission limit.
        4. Block the VPN and reset all admin password on the firewall + domain + local machines.
        5. You sad that you use NT4 TS - What account the users use to logon into the TS server?
        Best Regards,

        Yuval Sinay

        LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14

        Comment

        Working...
        X