10th November 2008, 11:17 AM #1 SECURITY ALERT!!! Adobe CS3 - Home Folder Share Browsing
Argh!!
Just found a glaringly big security hole in Adobe CS3..
Open Dreamweaver (or Flash, etc.) and then File - Open..
Using the "Up" icon you can go all the way up the share tree
Eg: Pupil1 is mapped to H: drive using \\server\pupils\year xx\pupil1
Using the "Up" icon in the Open dialog you can go all the way up to \\server\
But wait, there's more..
Pupil can then go back down the tree into \\server\pupils\year yy\pupil3 and delete files & folders
Looks like same problem as Office 2003 had..
Can't find any mention from a quick Google, so wondering if anyone here has come across this and/or a solution
-
-
10th November 2008, 11:23 AM #2 
Originally Posted by
Gatt
Argh!!
Pupil can then go back down the tree into \\server\pupils\year yy\pupil3 and delete files & folders
Surely this should be prevented by permissions?
A pupil here has read permissions on the folder containing all the home drives, but these are not inherited and so the pupil can go no further as they have modify on their home folder, but no more.
-
-
10th November 2008, 11:24 AM #3 
Originally Posted by
Gatt
Argh!!
Just found a glaringly big security hole in Adobe CS3..
Open Dreamweaver (or Flash, etc.) and then File - Open..
Using the "Up" icon you can go all the way up the share tree
Eg: Pupil1 is mapped to H: drive using \\server\pupils\year xx\pupil1
Using the "Up" icon in the Open dialog you can go all the way up to \\server\
But wait, there's more..
Pupil can then go back down the tree into \\server\pupils\year yy\pupil3 and delete files & folders
Looks like same problem as Office 2003 had..
Can't find any mention from a quick Google, so wondering if anyone here has come across this and/or a solution
Then the permissions are wrong. I'd suggest you install and enable Access Based Enumeration, but that's not going to do anything while the students have permissions over another student's folder.
Students will only need read/traverse for "This folder only" for those folders between the share root and their folder. Then they only need permissions on their own folder.
It's not a security issue in CS3 or any other app. Correct permissions and access based enumeration turned on will mean the server doesn't even show the other users folders.
-
-
10th November 2008, 11:26 AM #4 I assume you have My Documents redirection to point to their H: drive. Does the policy actually redirect to the drive letter H:, or to the equivalent UNC path that the H: drive also happens to be mapped to?
I also assume there is a reason you haven't simply applied security permissions on the folder hierarchy so they can't browse to it?
-
-
10th November 2008, 11:30 AM #5 Have checked permissions - All folders only have read & execute, list & read set (inherited) and Individual Pupils only have FC access to their OWN folder
My GPO also denies them the rights to browse the network manually (typing the path into explorer brings back a disallowed error)
Still looking...
-
-
10th November 2008, 11:59 AM #6 
Originally Posted by
Gatt
Have checked permissions - All folders only have read & execute, list & read set (inherited) and Individual Pupils only have FC access to their OWN folder
My GPO also denies them the rights to browse the network manually (typing the path into explorer brings back a disallowed error)
Still looking...
Seems ok here.... We have also hidden all our shares so they can't do anything when they get to server level.
-
-
10th November 2008, 12:03 PM #7 
Originally Posted by
Gatt
Have checked permissions - All folders only have read & execute, list & read set (inherited) and Individual Pupils only have FC access to their OWN folder
My GPO also denies them the rights to browse the network manually (typing the path into explorer brings back a disallowed error)
Still looking...
The GPO settings only affect Explorer and applications that use it; anything using its own file menus will be unrestricted. It's more for convenience than security.
What do the permissions show for the user that can get into the other folders? Is the file actually deleted, or does it just say it's deleted and then come back after a refresh?
You can use the effective permission tab under security to see what a user will get on that folder.
-
-
10th November 2008, 12:16 PM #8 No problems here, students have access to any other folder than their own. Looks like you have a permissions related problem.
-
-
23rd January 2009, 04:49 PM #9
I've had this as well. Here it did it under both Office 2007 and FreeMind.
After some poking around in the NTFS permissions I removed the NETWORK account from the student folder permissions which solved it.
I don't understand why these apps are using the NETWORK account, and it may be there is a good reason, but from my limited understanding, I'm not aware of any.
-
-
23rd January 2009, 04:55 PM #10 Indeed I agree with DMcCoy...
Installing Access Based Enumeration on the file servers is a very good idea - We use it on ALL of our servers for that little extra bit of security from snooping students.
Personally though I would look at sitting down and spending a while checking all your NT security permissions and share permissions.
Also, $ all your shares if you don't already do so.
-
-
26th January 2009, 10:57 AM #11
Originally Posted by
Gatt
Pupil can then go back down the tree into \\server\pupils\year yy\pupil3 and delete files & folders
As others have said, your security permissions are clearly not tight enough.
Assuming you use the following example groups, further down is what I suggest permissions should be like:
StaffLocal - staff members
StaffStudWriteLocal - used for staff members that need write permissions to student home folders
StudentLocal - student accounts
StudentYearXLocal - relevant year group for student accounts
RootOfShare$          Perms: StaffLocal = Read, StaffStudWriteLocal = Read,
|                            StudentLocal = Traverse (under advanced)
|
|-- YrGrp             Perms: StaffLocal = Read, StaffStudWriteLocal = Read,
    |                        StudentLocal = Traverse
    |
    |-- StudentName   Perms: StaffLocal = Read, StaffStudWriteLocal = Write,
                             StudentUser = Modify
Also, as suggested above, do install Access Based Enumeration - this will result in users only being able to see files and folders that they have access to.
You will notice I suggested "Modify" permissions for student accounts. This is specifically so that they cannot possibly have the "Take ownership" right on objects within their home folder. When we find something untoward in a student's home folder, e.g. a pornographic picture, we set a deny permission entry on it and we only delete it after disciplinary steps (if needed) were done. The downside is that setting Modify instead of Full Control means empty .TMP files will be created in the root of the student's home folder. These are hidden files of 0 KB in size and Microsoft says you can safely ignore them. As they are hidden, our students don't know they are there.
Last edited by Tamarside; 26th January 2009 at 11:12 AM.
Reason: Added dots to replace the spaces the forum stripped away, as by stripping away the spaces it RUINED my lovely tree-view! ;-P
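The layout above (and DMcCoy's point in post #3 that students only need read/traverse for "This folder only" between the share root and their own folder) can be applied with icacls. The following is an added example for this thread, not a script posted by anyone here or shipped with Windows; the local path D:\Pupils, the domain name SCHOOL, and the convention that each home folder is named after its pupil's username are assumptions to adjust to your own site.

```powershell
# Added example (not from the thread): apply the root / year / home-folder
# permission model with icacls.  Paths, domain and folder-naming convention
# below are assumed placeholders.
$Root   = 'D:\Pupils'   # assumed local path behind \\server\pupils$
$Domain = 'SCHOOL'      # assumed NetBIOS domain name

# icacls shorthand.  (OI)(CI) = inherit to files and subfolders;
# no inheritance flags at all = "This folder only".
$Admins         = 'BUILTIN\Administrators:(OI)(CI)(F)'
$System         = 'SYSTEM:(OI)(CI)(F)'
$StaffRead      = "${Domain}\StaffLocal:(OI)(CI)(RX)"
$StaffWriteRead = "${Domain}\StaffStudWriteLocal:(OI)(CI)(RX)"
$StudentTrav    = "${Domain}\StudentLocal:(RX)"   # list + traverse, this folder only

# 1. Share root: drop inherited ACEs and set the explicit list.
icacls $Root /inheritance:r /grant:r $System $Admins $StaffRead $StaffWriteRead $StudentTrav

# 2. Year-group folders: same as the root, students traverse-only again.
Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $year = $_.FullName
    icacls $year /inheritance:r /grant:r $System $Admins $StaffRead $StaffWriteRead $StudentTrav

    # 3. Home folders: the pupil gets Modify (not Full Control, so no
    #    Take Ownership / Change Permissions); the write-staff group gets
    #    Read + Write as in the tree above.  Folder name == username (assumed).
    Get-ChildItem -Path $year | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $home = $_.FullName
        $user = $_.Name
        icacls $home /inheritance:r /grant:r $System $Admins $StaffRead `
            "${Domain}\StaffStudWriteLocal:(OI)(CI)(RX,W)" `
            "${Domain}\${user}:(OI)(CI)(M)"
        # Keep Administrators as owner so the pupil cannot re-ACL the folder.
        icacls $home /setowner 'BUILTIN\Administrators' /C /Q
    }
}
```

Run it from an elevated prompt on the file server, against a copy of one year group first, then confirm with the Effective Permissions tab that a test pupil account resolves to List/Traverse on the root and year folders and to Modify only on its own home folder. Turning on Access Based Enumeration afterwards hides the sibling folders the pupil can no longer open anyway.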
-
26th January 2009, 11:02 AM #12 You'll find the 'AccessChk', 'ShareEnum' and 'AccessEnum' tools from Sysinternals useful for auditing for this sort of problem.
Sysinternals Security Utilities
-
-
26th January 2009, 11:05 AM #13 Thanks guys - will take a look later today
-
-
26th January 2009, 11:22 AM #14 ShareEnum looks handy. For checking file permissions etc I find the output of DumpSec from SystemTools (free) a bit more easily readable/laid out, even if the app is looking a bit dated now.
Free Utilities from SystemTools Software
Few other handy freebies there that are worth checking out too.
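Alongside the Sysinternals and DumpSec tools mentioned in posts #12 and #14, the same audit can be scripted with Get-Acl so it can be re-run after every permissions change. This is an added example, not a script from this thread or from either tool vendor; it checks for the two mistakes the thread turned up (a broad principal such as StudentLocal, NETWORK or Everyone holding write rights on the share root or a year folder, as in post #9, and anyone other than the folder's own pupil or the staff groups holding write rights on a home folder). D:\Pupils, the SCHOOL domain and the folder-name-equals-username convention are assumptions.

```powershell
# Added example (not from the thread): audit a home-folder tree for write
# access that the root / year / home model should not grant.  Paths, domain
# and group names are assumed placeholders.
$Root   = 'D:\Pupils'
$Domain = 'SCHOOL'

# Any of these rights lets a user change or remove something.
$WriteMask = [System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, ' +
    'WriteExtendedAttributes, ChangePermissions, TakeOwnership')

# Principals that must never hold write rights on a parent folder.
$BroadPrincipals = @("$Domain\StudentLocal", 'NT AUTHORITY\NETWORK', 'Everyone',
                     'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# Principals allowed to write inside a pupil's home folder besides the pupil.
$StaffWriters    = @("$Domain\StaffStudWriteLocal", 'NT AUTHORITY\SYSTEM',
                     'BUILTIN\Administrators', 'CREATOR OWNER')

function Get-WriteAces($Path) {
    # Allow ACEs whose rights overlap the write mask.  Note: Full Control granted
    # through generic bits shows as a negative number and still matches here.
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band [int]$WriteMask) -ne 0)
    }
}

$findings = @()

# Root and year folders: no broad principal or year group may write.
$parents = @(Get-Item $Root) + @(Get-ChildItem $Root | Where-Object { $_.PSIsContainer })
foreach ($dir in $parents) {
    foreach ($ace in Get-WriteAces $dir.FullName) {
        $id = $ace.IdentityReference.Value
        if ($BroadPrincipals -contains $id -or $id -like "$Domain\StudentYear*") {
            $findings += "$($dir.FullName): $id has $($ace.FileSystemRights)"
        }
    }
}

# Home folders: only the named pupil and the staff writers may write.
foreach ($year in ($parents | Where-Object { $_.FullName -ne $Root })) {
    foreach ($home in (Get-ChildItem $year.FullName | Where-Object { $_.PSIsContainer })) {
        $owner = "$Domain\$($home.Name)"   # assumed: folder name == username
        foreach ($ace in Get-WriteAces $home.FullName) {
            $id = $ace.IdentityReference.Value
            if ($id -ne $owner -and $StaffWriters -notcontains $id) {
                $findings += "$($home.FullName): $id has $($ace.FileSystemRights)"
            }
        }
    }
}

if ($findings.Count -gt 0) { $findings | Sort-Object -Unique }
else { 'No unexpected write access found.' }
```

Each finding names the folder, the principal and the rights it holds, which is exactly what you need to correct with icacls or the Security tab. Group membership is not expanded, so a pupil who reaches another folder through a nested group shows up under the group's name rather than their own; that is where AccessChk's per-user view is still the better tool.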
-