  1. #1
    zag

    Huge security hole in offline files

    So I implemented off-line files last summer for our admin staff as an extra level of backup on their workstations to hold a local copy of files.

    Today a student came to see me to explain he had found a way to access any of the admin staff's files simply by unplugging the network connection, clicking on the offline files icon and then "view files". To my shock he proceeded to open up the documents of one of our senior admin managers, and the permissions seemed to allow this even for his locked-down account. There were no problems opening any of the files.

    So my question is: did I just set this up wrong, or is it an inherent problem with synchronising files to a local computer?
    Last edited by zag; 7th February 2008 at 11:13 AM.

  2. #2
    cookie_monster
    Offline files is really a notebook technology for use where users have their own notebook. I wouldn't cache any important documentation on a shared workstation, as the files are placed in that folder.

    Unplugging the network cable can get around policies; I'm sure it has been discussed on this forum before and a few solutions were suggested. Have a search and see what you find.

    You can use EFS to help secure the data, but I still wouldn't use it on shared PCs.

    http://www.microsoft.com/windowsxp/u...ptoffline.mspx
    Last edited by cookie_monster; 6th February 2008 at 04:36 PM.

  3. #3
    cookie_monster
    Having said that, the document says that only admins should be able to view other users' docs. Are your users admins on the local station?

  4. #4
    I would use Volume Shadow Copy instead, going by the description you give.

  5. #5
    FN-GM
    Why have the kids got access to the admin machines?

    Z

  6. #6
    Heebeejeebee
    Quote Originally Posted by FN-Greatermanchester:
        Why have the kids got access to the admin machines?

        Z
    My thought exactly.

    Offline files is a real PITA, even for laptops. VSC is the better option, but it won't give access to (old versions of) files if they're disconnected from the network.

    HBJB

  7. #7
    FN-GM
    We don't use offline files; a bit of a pain in the arse if you ask me.

    Although they do seem to have improved in Windows Vista.

    Z

  8. #8
    sahmeepee
    Importantly, setting up EFS to protect offline files doesn't work if you deploy it via GPO; you must apply it manually, at least in XP. From the article linked above:

    "One limitation of the encrypted offline files database is that files and folders will not be shown as an alternate color to the user when working offline."

    ^^ that is highly misleading and I'm sure would give many people a false sense of security. Whilst testing it I went to the length of using a disk editor to manually check that the data written to the sectors was indeed NOT encrypted when the policy was applied via GPO. It did do a good job of disabling the GUI to make you think it had applied properly though.

  9. #9
    zag
    Quote Originally Posted by FN-Greatermanchester:
        Why have the kids got access to the admin machines?

        Z
    They don't; a member of the admin staff logged onto a computer in a shared room about a year ago, and the files have stayed in the off-line folder ever since.

    Also, the student has a totally locked-down account. As soon as they disconnected it from the network they gained the ability to read the offline files, whatever permissions are set on them; that's why this is so worrying.

  10. #10
    Anyone got a spare support call to Microsoft they're willing to use on this... I'd be interested in what MS say.

    Also, this does directly contradict my personal experience... What are the permissions on the network copy of the files?

  11. #11
    Jona

  12. #12
    psydii
    Hotfix and ADM update for encrypted offline files.
    http://support.microsoft.com/kb/810859

    Security Permissions are not maintained on the CSC
    http://support.microsoft.com/kb/271830/

  13. #13
    monty
    We use offline files for all our staff and, apart from the occasional hiccup, we don't experience many problems at all. It can be difficult to explain to the teaching staff that if they try to synchronise a large folder it will take time.
    I've never had a user be able to access others' offline files; the permissions stay the same as if they were still on the domain, as the computer should cache the user credentials.
    Perhaps if it happened a year ago, the permissions were different at that time? You should still be able to check the permissions applied to the files in the offline folder.
    You can use group policy to control the local settings so that if the domain is not available, or the computer is now standalone, there are still restrictions in force. Mine are set so that no one except admin can log on if the domain is not available.
    Check the settings in: Computer Conf > Windows > Security > Local Policies

  14. #14
    zag
    Quote Originally Posted by psydii:
        Security Permissions are not maintained on the CSC
        http://support.microsoft.com/kb/271830/
    Thanks!!!! That was it; the laptops are FAT32.

    Quote from the KB article:
        Because the FAT and FAT32 file systems lack the necessary structure to store file ACL settings, and the Offline Files feature is a per-computer setting, all users of a Windows 2000 client may be able to access the locally-cached copies of offline files.

    They're not joking when they say Microsoft is not the most secure OS!
    Last edited by zag; 7th February 2008 at 02:12 PM.
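
    The two root causes raised in posts #13 and #14 (cached domain logons still working with the cable unplugged, and a cache volume that cannot hold ACLs) can be audited on a workstation with a short script. The following PowerShell is an added example, not code from this thread or from Microsoft: the cache path %SystemRoot%\CSC, the registry location HKLM\SOFTWARE\Policies\Microsoft\Windows\NetCache\EncryptCache for the "Encrypt the Offline Files cache" policy, and the `Get-OfflineFilesRisk` function name are assumptions; CachedLogonsCount under Winlogon is the standard value behind "Interactive logon: Number of previous logons to cache".

```powershell
# Added example (not from the thread): audit a Windows workstation for the
# Offline Files exposure discussed above. Run as an administrator.
function Get-OfflineFilesRisk {
    [CmdletBinding()]
    param(
        # Offline Files cache location; %SystemRoot%\CSC is assumed to be the default.
        [string]$CscPath = (Join-Path $env:SystemRoot 'CSC')
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # --- Check 1: can the cache volume store ACLs at all? ---
    # KB271830 (linked in this thread): FAT/FAT32 cannot hold ACLs, so every
    # local user can open cached copies regardless of the server-side permissions.
    $root   = [System.IO.Path]::GetPathRoot($CscPath)      # e.g. "C:\"
    $volume = New-Object System.IO.DriveInfo($root)
    if ($volume.DriveFormat -ne 'NTFS') {
        $findings.Add("Cache volume $root is $($volume.DriveFormat): ACLs cannot be stored, cached files are readable by any local user.")
    }

    # --- Check 2: is cache encryption configured by policy? ---
    # Key and value name are an assumption about the 'Encrypt the Offline Files
    # cache' policy; they are not stated in the thread.
    $encKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache'
    $enc    = (Get-ItemProperty -Path $encKey -Name 'EncryptCache' -ErrorAction SilentlyContinue).EncryptCache
    if ($enc -ne 1) {
        $findings.Add('Offline Files cache encryption is not configured by policy.')
    } else {
        # sahmeepee's warning above: on XP a GPO-applied setting may only change the
        # GUI. This check confirms configuration, not that the bytes on disk are encrypted.
        $findings.Add('Cache encryption is configured by policy; on XP verify on disk that it actually took effect.')
    }

    # --- Check 3: can domain users log on while the DC is unreachable? ---
    # CachedLogonsCount (REG_SZ, default "10") controls how many domain logons
    # are cached; "0" means nobody logs on without the domain (monty's setup).
    $wlKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $wlKey -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue).CachedLogonsCount
    if (-not $cached) { $cached = '10' }   # Windows default when the value is absent
    if ([int]$cached -gt 0) {
        $findings.Add("CachedLogonsCount=$cached: domain users can still log on with the network unplugged and browse the cache.")
    }

    # --- Check 4: broad read access on the cache directory itself (NTFS only) ---
    # Heuristic: flag Allow ACEs granting read or full control to Everyone or any
    # *Users group. Get-Acl may be denied on newer Windows where SYSTEM owns CSC.
    if ($volume.DriveFormat -eq 'NTFS' -and (Test-Path $CscPath)) {
        $acl = Get-Acl -Path $CscPath -ErrorAction SilentlyContinue
        if ($acl) {
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $ace.IdentityReference -match 'Everyone|Users' -and
                    $ace.FileSystemRights -match 'Read|FullControl') {
                    $findings.Add("ACE on $CscPath grants $($ace.FileSystemRights) to $($ace.IdentityReference).")
                }
            }
        }
    }

    [PSCustomObject]@{
        Computer   = $env:COMPUTERNAME
        CachePath  = $CscPath
        FileSystem = $volume.DriveFormat
        Findings   = $findings
    }
}

Get-OfflineFilesRisk | Format-List
```

    A FAT32 result from check 1 reproduces zag's situation exactly: no ACL can be stored, so nothing done on the file server matters for the cached copies. On an NTFS machine, checks 3 and 4 together tell you whether an unprivileged domain user can both log on with the cable unplugged and read the cache directory, which is the combination the student used. The script only reports; fixing it means converting the volume to NTFS, lowering CachedLogonsCount through Local Policies as monty describes, and not caching admin documents on shared machines at all, as cookie_monster advises.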

  15. #15
    sahmeepee
    Quote Originally Posted by psydii:
        Hotfix and ADM update for encrypted offline files.
        http://support.microsoft.com/kb/810859
    I'd forgotten about that hotfix. Although it presumably does work, the downside is that for laptops which are already deployed it's an order of magnitude harder to apply the fix than just to manually set the policy.

    "This symptom occurs only if the user logs on interactively by using the keyboard." L to the O to the L!
