Hi,
So I was rolling out a new RDS environment with an FSLogix implementation and I started noticing something strange...
The RDS server in question was able to create the folders and VHDX files on the fileserver without explicit NTFS permissions.
So I started testing around and noticed that I could start a scheduled task as SYSTEM and have it perform a simple DIR on the share, and to my surprise I got results back?!
I inspected the share and it had the following configuration:
Share Permissions
Everyone -> Full control
NTFS permissions (default inherited from D:)
ADMINISTRATORS (LOCAL) -> Full control (This folder, subfolder and files)
SYSTEM -> Full control (This folder, subfolder and files)
CREATOR OWNER -> Full control (Subfolder and files only)
USERS (LOCAL) -> Read & execute (This folder, subfolder and files)
USERS (LOCAL) -> Special permissions - Create (This folder, subfolder and files)
These are just the default inherited permissions from D:.
With this permission scheme set I can then go to any random domain-joined server, create a scheduled task and set it to run under the SYSTEM account.
Then under Actions set CMD as the application, with the arguments "/C DIR "\\SOMEFILESERVER.SOMEDOMAIN.COM\FSLOGIX$" >> C:\log.txt", and I get the following output:
Volume in drive \\SOMEFILESERVER.SOMEDOMAIN.COM\FSLOGIX$ is Data
Volume Serial Number is 1234-5678
Directory of \\SOMEFILESERVER.SOMEDOMAIN.COM\FSLOGIX$
29-03-2022 20:41 <DIR> .
29-03-2022 20:41 <DIR> ..
20-07-2021 13:10 <DIR> FSLRedirections
30-03-2022 14:18 <DIR> OfficeContainer
30-03-2022 14:18 <DIR> ProfileContainer
0 File(s) 0 bytes
5 Dir(s) 1.085.502.128.128 bytes free
How is this even remotely possible?!!!!
This would mean that if a server is compromised and attackers can use the SYSTEM account, they can access all regular shares they want and do whatever they want on them.
After some experimentation I found out that if I remove USERS (this is the local Users group of the server) from the NTFS permissions, the other machine is no longer capable of accessing the share with its SYSTEM account.
I noticed Domain Users being part of the local Users group, but even after removing that the other server was still capable of accessing the share without any problems.
So can somebody please explain to me whether this is normal behaviour,
why this is normal behaviour, and how this is not categorized as a major security hole with regard to file shares?
PS:
This also works if I create the share on another server, so it's not just related to that file server.
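Added audit example (editor's code, not part of the original post). The reason the remote SYSTEM account gets in is that a process running as SYSTEM authenticates over the network as the machine's domain computer account (DOMAIN\SERVER$), which is a member of Authenticated Users and, on a default domain-joined server, therefore also of the local Users group that holds the inherited "Create" entry described above. The script below runs on the file server, lists the share permissions, the members of the local Users group, and every inherited or explicit NTFS entry on the shared folder that grants create/write rights to such broad principals. The share name FSLOGIX$ and the local folder D:\FSLogix are assumptions taken from the post; adjust them for your environment.

```powershell
# Editor-added audit script (not from the original post).
# Assumptions: run on the file server, share is FSLOGIX$, folder is D:\FSLogix.
param(
    [string]$ShareName = 'FSLOGIX$',
    [string]$LocalPath = 'D:\FSLogix'
)

# Principals that contain every domain computer account. A remote process running as
# SYSTEM reaches the share as DOMAIN\SERVER$, which is an Authenticated User and so a
# member of BUILTIN\Users on a default domain-joined server.
$broadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)

# Rights that let a caller create or change content (the post's "Special permissions - Create").
$writeRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
               [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

Write-Host "== Share permissions for $ShareName =="
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize

Write-Host "== Members of the local Users group on this server =="
Get-LocalGroupMember -Group 'Users' |
    Format-Table Name, ObjectClass, PrincipalSource -AutoSize

Write-Host "== NTFS entries on $LocalPath granting create/write to broad principals =="
$acl = Get-Acl -Path $LocalPath
$findings = foreach ($ace in $acl.Access) {
    $name = $ace.IdentityReference.Value
    # Match the well-known broad groups exactly, plus the domain's Domain Computers group.
    $isBroad = ($broadPrincipals -contains $name) -or ($name -like '*\Domain Computers')
    $grantsWrite = ($ace.FileSystemRights -band $writeRights) -ne 0
    if ($isBroad -and $ace.AccessControlType -eq 'Allow' -and $grantsWrite) {
        [pscustomobject]@{
            Identity  = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No broad create/write entries found on the folder.'
}
```

With the default ACL from the post, the last table shows the inherited BUILTIN\Users entry with CreateFiles/AppendData rights, which is exactly what lets any domain member's SYSTEM account create folders and VHDX files there. Run the script again after removing that entry (or after breaking inheritance on the FSLogix folder) to confirm the finding disappears.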