SYSTEM account can access shares without explicit permissions (Server 2019)

Randy 1 Reputation point
2022-03-30T13:59:55.2+00:00

Hi,

So I was rolling out a new RDS environment with an FSLOGIX implementation and I started noticing something strange...
The RDS server in question was able to create the folders and VHDX files on the fileserver without explicit NTFS permissions.
So I started testing around and noticed that I could start a scheduled task as SYSTEM and have it perform a simple DIR on the share, and to my surprise I got results back?!
I inspected the share and it had the following configuration:

Share Permissions
Everyone -> Full control

NTFS permissions (default inherited from D:)
ADMINISTRATORS (LOCAL) -> Full control (This folder, subfolder and files)
SYSTEM -> Full control (This folder, subfolder and files)
CREATOR OWNER -> Full control (Subfolder and files only)
USERS (LOCAL) -> Read & execute (This folder, subfolder and files)
USERS (LOCAL) -> Special permissions - Create (This folder, subfolder and files)

These are just the default inherited permissions from D:.
With this permission scheme set I can then go to any random domain-joined server, create a scheduled task and set it to run under the SYSTEM account.
Then under actions set CMD as the application and with the arguments "/C DIR "\\SOMEFILESERVER.SOMEDOMAIN.COM\FSLOGIX$" >> C:\log.txt" I get the following output:

Volume in drive \\SOMEFILESERVER.SOMEDOMAIN.COM\FSLOGIX$ is Data
Volume Serial Number is 1234-5678

Directory of \\SOMEFILESERVER.SOMEDOMAIN.COM\FSLOGIX$

29-03-2022 20:41 <DIR> .
29-03-2022 20:41 <DIR> ..
20-07-2021 13:10 <DIR> FSLRedirections
30-03-2022 14:18 <DIR> OfficeContainer
30-03-2022 14:18 <DIR> ProfileContainer
0 File(s) 0 bytes
5 Dir(s) 1.085.502.128.128 bytes free

How is this even remotely possible?!!!!
This would mean that if a server is compromised and attackers can use the SYSTEM account they can access all regular shares they want and do whatever they want on it..
After some experimentation I found out that if I remove USERS (this is the local users group of the server) from the NTFS permissions, the other machine is no longer capable of accessing the share with its SYSTEM account.
I noticed domain users being part of the local users group, but even after removing that, the other server was still capable of accessing the share without any problems..

So can somebody please explain to me if this is normal behaviour,
why this is normal behaviour, and how this is not categorized as a major security hole in regard to file shares..

PS:
This also works if I create the share on another server, so it's not just related to that fileserver.

Windows Server
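The poster's test, scripted as an added example (not code from the original post): it registers a one-shot scheduled task that runs under the local SYSTEM account, has it run DIR against the share from cmd.exe, and reads the log back. The share path and log file are the placeholders from the question and are assumptions; replace them with your own. Run it in an elevated PowerShell on a domain-joined server.

```powershell
# Added example, not from the original post. Reproduces the test in the question:
# run DIR against a share as the local SYSTEM account via a scheduled task, then read
# the output. $Share and $LogFile are the placeholder values from the question (assumed).
param(
    [string]$Share    = '\\SOMEFILESERVER.SOMEDOMAIN.COM\FSLOGIX$',
    [string]$LogFile  = 'C:\log.txt',
    [string]$TaskName = 'Probe-ShareAsSystem'
)

# cmd.exe appends whoami and the DIR listing (or its error) to the log file.
# cmd's exit code is that of the last command, so DIR failing gives a non-zero result.
$argument = '/C whoami >> "{1}" & dir "{0}" >> "{1}" 2>&1' -f $Share, $LogFile
$action   = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument $argument

# LocalSystem (S-1-5-18). Locally whoami reports NT AUTHORITY\SYSTEM; on the wire the
# SMB session is authenticated as the computer account DOMAIN\COMPUTERNAME$.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal -Force | Out-Null
Start-ScheduledTask -TaskName $TaskName

# Wait for the task to leave the Running state (up to 30 seconds).
$deadline = (Get-Date).AddSeconds(30)
do {
    Start-Sleep -Seconds 1
    $state = (Get-ScheduledTask -TaskName $TaskName).State
} while ($state -eq 'Running' -and (Get-Date) -lt $deadline)

$info = Get-ScheduledTaskInfo -TaskName $TaskName
Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false

# LastTaskResult 0 means DIR succeeded, i.e. the computer account could list the share.
Write-Host "Task exit code: $($info.LastTaskResult)"
Get-Content -Path $LogFile
```

An exit code of 0 with a directory listing in the log reproduces what the question shows; an "Access is denied" line and a non-zero exit code mean the computer account has no matching ACE. Because the share grants Everyone Full Control, the NTFS ACL alone decides the outcome, which is why changing the USERS entry changes the result.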

1 answer

MotoX80 31,571 Reputation points
2022-03-31T20:50:06.073+00:00

I no longer have access to an Active Directory domain to test with, but as I recall, in a domain environment, SYSTEM will be authenticated as the computer's domain account. YourDomainName\YourComputerName$.

I would expect that you would find a logon event in the Security eventlog on the file server. On the folder that is shared, in the Security tab, click on the Advanced button, then select the Effective Access tab. There you can "Select a User". Try to find the computer account in the domain and see what access it shows.

Check to see where the AD group "Domain Computers" is referenced. Maybe it's getting included in the local Builtin\Users group.

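The three checks the answer recommends, as an added example to run on the file server (this is not code from the answer or from Microsoft). It lists the members of the local Users group, shows which ACEs on the shared folder a computer account can match without being named, and pulls the network logon events the computer account produced. On a domain member, BUILTIN\Users contains NT AUTHORITY\Authenticated Users by default, and a computer account authenticating over SMB is an authenticated user, so it receives every ACE granted to Users, which is what the poster observed. The folder path and computer account name are assumed placeholders.

```powershell
# Added example, not part of the original answer. Run on the file server in an elevated
# PowerShell. $Folder and $ComputerAccount are hypothetical placeholders; replace them.
param(
    [string]$Folder          = 'D:\FSLogix',
    [string]$ComputerAccount = 'SOMEDOMAIN\RDSHOST01$'
)

# 1. Members of the local Users group. On a domain member this includes
#    NT AUTHORITY\Authenticated Users by default; a computer account authenticating over
#    SMB is an authenticated user, so it gets every ACE granted to BUILTIN\Users.
Write-Host "== Members of BUILTIN\Users =="
Get-LocalGroupMember -Group 'Users' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. ACEs on the shared folder that a computer account can match through group
#    membership, even though it is never named explicitly in the ACL.
$broadPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\NETWORK',
    '*\Domain Computers',
    '*\Domain Users'
)
Write-Host "== ACEs on $Folder that apply to $ComputerAccount =="
(Get-Acl -Path $Folder).Access |
    Where-Object {
        $id = $_.IdentityReference.Value
        ($id -eq $ComputerAccount) -or ($broadPrincipals | Where-Object { $id -like $_ })
    } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType,
                  IsInherited, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize

# 3. Network logons by the computer account: Security event 4624 with LogonType 3.
#    In the 4624 event schema, EventData field 5 is TargetUserName, 8 is LogonType
#    and 18 is IpAddress.
$accountName = $ComputerAccount.Split('\')[-1]
Write-Host "== Recent network logons by $accountName =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 2000 |
    Where-Object {
        $_.Properties[5].Value -eq $accountName -and $_.Properties[8].Value -eq 3
    } |
    Select-Object TimeCreated,
                  @{ Name = 'Account';  Expression = { $_.Properties[5].Value } },
                  @{ Name = 'SourceIP'; Expression = { $_.Properties[18].Value } } |
    Format-Table -AutoSize
```

If step 2 prints the inherited BUILTIN\Users entries and step 3 shows a type 3 logon for the computer account around the time of the DIR test, the access path is explained: the computer account is reaching the folder through Users, not through any ACE of its own. Get-LocalGroupMember can fail on a group that contains an unresolvable SID; if it does, `net localgroup Users` lists the same membership. Share-level access events (5140) only appear if File Share auditing is enabled under Object Access, so 4624 is the event you can rely on with default audit settings.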