Too many rights because of BUILTIN\Users Group. Please help.

Question

Too many rights because of BUILTIN\Users Group. Please help.

Lev Anni 41

Hello to everyone!

I'm facing this issue and need your help guys. I have Windows Server primarily for hosting web sites. Well, now some developers need to access web root folders to run web based commands like composer install etc. For this purpose I have installed SSH server so they can access their web folder and run those commands.

Problem is that every user I have created belongs to windows built-in users group which has access to almost everywhere! C or D etc. They can even write anywhere they want. I tried to remove them from USERS group but they still belong to BUILTIN\Users group and still able to see and write to unwanted folders.

So my main question is, can I just remove Users Group from these disks or this may lead to serious problems?

Or, is there an option to isolate these users leaving this group untouched?

Thanks!!

3 answers

Your answer

Answer 1

I didn't let developers install anything on my IIS web servers unless the server was dedicated to their application team. Typically we created a network share at the site root folder and the developers just did a file copy or a Visual Studio publish to the share.

Some applications had Windows services that occasionally needed to be stopped/started. I was not about to grant developers admin access, so I built my own ASPX web site that authenticated users and showed them a page where they could stop and start just their services. It was based on the user's membership in a local security group.

I don't know what "composer install" does. What files (or registry keys) does it update outside of the root folder? Typically, the word install implies administrator access. Can't the developer configure "composer" on their desktop, and then publish the site content to the web server? Is it a repeatable command where you could build a front-end web site to run it on behalf of the user like I did with stop/start of a Windows service?

Answer 2

Lev Anni 41

thanks for your input!

Well, my initial thought also was to just build a special web site to give these users ability to run system commands, but unfortunately this can't solve this problem because for example, unlike composer, there is also GIT HUB involved, which comes with a lot of GIT related commands, which must be run at system level (init, pull request etc etc.). I just can't predict what kind of git related commands they will use. Both composer and git are not interacting with windows registry whatsoever, they are just exchanging physical files. As far as I know, not SFTP, FTPS protocol clients does not have ability to initiate commands such commands, otherwise it would be just perfect.

It also would be just great if OpenSSH Server could be configured to isolate the user in their root folder (in which they are building web sites), in this case there would be no need to worry about folder permissions outside their root folder, but again, I can't find a way yet.

MotoX80 36,501 Reputation points

2022-07-30T14:13:43.8+00:00

configured to isolate the user in their root folder

If they only need to update files in the root folder, why can't they do the updates on their desktop and just copy the files to the root folder on the server via a network share?

I've been retired for a few years now, but as I recall, our developers had Visual Studio and IIS installed on their desktop where they would do initial development and testing. Then they copied the root folder to the test web server, and did checkout there. Finally it was copied to production.

The web.config file was parameterized and the Application_OnStart code looked at the server name to determine which environment it was running in. So if it was running on "TestWeb1", It looked to the web.config to get the base URL to use, and the SQL/Oracle server to call.

The key point is that the web content was just copied from the dev to the test to the prod server and didn't need to be modified because the site code would recognize which environment it was executing in.

Don't know if that helps you, but that's what we did.

Answer 3

Lev Anni 41

Maybe you have seen some linux based Cpanels where you can open terminal and directly interact with server, or just generate private/public key for Putty and log on using SSH protocol to do same things. They wouldn't implement these features just for fun imho...

MotoX80 36,501 Reputation points

2022-07-30T19:00:47.96+00:00

Sorry, I do not have any Linux experience.
Lev Anni 41 Reputation points

2022-07-30T19:13:29.223+00:00

no I just said that for comparison. Looks like I even can't force user to run only certain program with windows native tools, maybe there is some way by digging into windows system but anyway.... pain in the....
MotoX80 36,501 Reputation points

2022-07-30T19:34:11.643+00:00

Well, back when I was still working the direction was to use automation and eliminate manual processes where we could. Heck the security team at one point was proposing that even the server admins could not log on to the servers. They wanted to randomize passwords and force us to request access just to use RDP. With moves to AWS and Azure we were starting to use a tool called Puppet with the goal of having a mostly software defined data center. (That all fell apart but that's another story.)

Other than the C drive, you have full access to restrict access to folders. But if your developers just need to update files in their web site root folder, then don't incur the security risk of letting them RDP/SSH to the web server. Let them access the files from a network share.

Share via

Too many rights because of BUILTIN\Users Group. Please help.

3 answers

Your answer