Page 1 of 3 123 LastLast
Results 1 to 10 of 30

Thread: Users exceeding permissions -- How do you find 'em?

  1. #1

    Question Users exceeding permissions -- How do you find 'em?

    I just came into work this morning, and first thing I see is an e-mail from the boss asking me why Photoshop was installed on our newest terminal server.

    Here's the odd thing -- Only he and I, as administrators, have install permission on our terminal servers. So if he didn't do it, and I didn't do it, who could have done it?

    None of our employees are anywhere near having the knowledge to hack their accounts to add permissions. But, the only thing I can figure is that somehow, somebody managed to get it installed on there. And if they can do that, then we have a security issue.

    SonicWALL logs look clean (other than the one port scan I mentioned in my other thread yesterday), so it doesn't look like anything of concern's going on from the outside.

    So, where do I start looking for clues?

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    First thing I would do is get any old app, log in as a regular user and try to install it. If it works then there is something wrong with your permissions somewhere.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Hrmm.. Personally I'd start with the time of installation and see if you can find out who logged in during that time period. Also, you might want to ensure that some auditing is in place to log events that are "successful" in what they do and not just those that fail.

    What is the OS of the Terminal Server and what other permissions cascade down? (Permissions on directories, etc.) What about "operator" accounts or poweruser accounts?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  4. #4
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,534
    As a first; double check your permission set up. You MIGHT have missed something.
    I seem to remember that the LEAST restrictive applies on a profile, and it could be there that you have a cross over.............

    Cannot remember when it goes to the MOST restrictive. Presumably, the user has just slotted the CD in and set it up ? This suggests (to me) that the permissions are a bit wonky.........

    On the files themselves, aren't there ownership details available ? At the least you should be able to determine WHEN the deed was done.

    [edit] Damn !!! but my typing is SLOW. beaten to the punch line by MsM AND Tiger, and this time I was in the ball park. Ah Well, there's always tomorrow.........[/edit]
    so now I'm in my SIXTIES FFS
    WTAF, how did that happen, so no more alterations to the sig, it will remain as is now

    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  5. #5
    On the files themselves, aren't there ownership details available ? At the least you should be able to determine WHEN the deed was done.
    The boss uninstalled it as soon as he found it. Doh!!

    Thanks for all the input guys, that gives me some ideas to start with. It was installed at 1:04 pm yesterday before the boss removed it 6:45 that same evening.

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I installed it, you ungrateful bastard!

    Oh and the back doors and trojans, whilst I was at it

    OK....Serious now,

    1. If it has been loaded onto a server, rather than a desktop, it is for shared use?
    2. Who would use such an application
    3. Is your "boss" a for real "boss" or only in his dreams
    4. Go and kill one in ten in Marketing/Sales/Publicity, until one of the little toads squeals?

    If someone with a budget gets in outsiders, and there is money involved....you will find it in the morning

    Maybe keep quiet and log who tries to access it?
    Maybe get a boozing buddy go find you a nice 9mm.....and your wife go out of state and get you a couple of boxes of 50?

    Sorry old chap, I think that you have been undermined at a higher level?

    /me smell treason


  7. #7
    If memory serves correct, I go into the security section of Event Viewer to see logon times, right? Well, the security portion is completely empty of an entries.

    Ok Nihil, on those points:

    1) That's usually the case with any program installed. Ufortunately, now that it's been removed, I'll never know.
    2) That's one thing I want to know. Not many. Actually, pretty much me and the president, maybe the HR manager.
    3) He's very much the real boss, prez of the company.
    4) Kill....kill....

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    As Foxyloxley noted another way to find out who installed it is by looking at the ownership of the files. You're scewed if it's administrator though.

    Edit: AFAIK there's no real need to "install" photoshop. You can just drag 'n drop the program dir and it will function.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    You don't have security logging enabled. It's not a default setting. If you have access to the AD use a domain policy to enable logging on all domain objects. Or just turn it on the server.

    //edit let me know what you have access to and I'll show you how to enable it. Domain policy is best.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  10. #10
    Is there a way I can still see those files since it's all been uninstalled though?

    RoadClosed -- I have full administrative access.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •