Too many rights because of BUILTIN\Users Group. Please help.

Lev Anni 41 Reputation points
2022-07-30T11:14:21.137+00:00

Hello to everyone!

I'm facing this issue and need your help, guys. I have a Windows Server primarily for hosting web sites. Well, now some developers need to access web root folders to run web-based commands like composer install etc. For this purpose I have installed an SSH server so they can access their web folder and run those commands.

The problem is that every user I have created belongs to the Windows built-in Users group, which has access to almost everywhere! C or D etc. They can even write anywhere they want. I tried to remove them from the USERS group but they still belong to the BUILTIN\Users group and are still able to see and write to unwanted folders.

So my main question is, can I just remove the Users group from these disks, or may this lead to serious problems?

Or, is there an option to isolate these users leaving this group untouched?

Thanks!!
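
An added example, not part of the original post: a read-only PowerShell audit that lists which folders on the drives mentioned above carry allow ACEs giving write-type rights to BUILTIN\Users, Authenticated Users or Everyone, which is worth reviewing before changing any permissions. The default paths, the depth and the list of groups are assumptions.

```powershell
# Added example: report ACEs that give broad built-in groups write-type access.
# Default paths, depth and the group list are assumptions; adjust for your server.
param(
    [string[]]$Path = @('C:\', 'D:\'),
    [int]$Depth = 0          # 0 = the root and its immediate subfolders
)

# Well-known SIDs: BUILTIN\Users, Authenticated Users, Everyone
$broadSids = @('S-1-5-32-545', 'S-1-5-11', 'S-1-1-0')

# Specific rights that allow creating, changing or deleting content
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs on drive roots are often stored as generic rights,
# so also test GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000).
$writeMask = [int]$writeRights -bor 0x10000000 -bor 0x40000000

$targets = foreach ($p in $Path) {
    if (Test-Path -LiteralPath $p) {
        Get-Item -LiteralPath $p -Force
        Get-ChildItem -LiteralPath $p -Directory -Depth $Depth -Force -ErrorAction SilentlyContinue
    }
}

$findings = foreach ($dir in $targets) {
    # Skip folders whose ACL the current account is not allowed to read
    try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { continue }

    # Ask for SIDs directly so localized or unresolvable names do not matter
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadSids -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $dir.FullName
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

$findings | Sort-Object Path, Sid | Format-Table -AutoSize -Wrap
```

The script only reads ACLs; run it from an elevated session so protected folders are not silently skipped.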

3 answers

  1. MotoX80 36,421 Reputation points
    2022-07-30T13:06:33.3+00:00

    I didn't let developers install anything on my IIS web servers unless the server was dedicated to their application team. Typically we created a network share at the site root folder and the developers just did a file copy or a Visual Studio publish to the share.

    Some applications had Windows services that occasionally needed to be stopped/started. I was not about to grant developers admin access, so I built my own ASPX web site that authenticated users and showed them a page where they could stop and start just their services. It was based on the user's membership in a local security group.

    I don't know what "composer install" does. What files (or registry keys) does it update outside of the root folder? Typically, the word install implies administrator access. Can't the developer configure "composer" on their desktop, and then publish the site content to the web server? Is it a repeatable command where you could build a front-end web site to run it on behalf of the user like I did with stop/start of a Windows service?

  2. Lev Anni 41 Reputation points
    2022-07-30T13:37:01.057+00:00

    Thanks for your input!

    Well, my initial thought also was to just build a special web site to give these users the ability to run system commands, but unfortunately this can't solve this problem because, for example, unlike composer, there is also GitHub involved, which comes with a lot of Git-related commands, which must be run at system level (init, pull request, etc.). I just can't predict what kind of Git-related commands they will use. Both composer and git are not interacting with the Windows registry whatsoever, they are just exchanging physical files. As far as I know, neither SFTP nor FTPS protocol clients have the ability to initiate such commands, otherwise it would be just perfect.

    It also would be just great if OpenSSH Server could be configured to isolate the user in their root folder (in which they are building web sites), in this case there would be no need to worry about folder permissions outside their root folder, but again, I can't find a way yet.


  3. Lev Anni 41 Reputation points
    2022-07-30T16:37:08.933+00:00

    Maybe you have seen some Linux-based cPanels where you can open a terminal and directly interact with the server, or just generate a private/public key for PuTTY and log on using the SSH protocol to do the same things. They wouldn't implement these features just for fun imho...

