Re: serious Win7 network access security flaw?


This topic contains 18 replies, has 4 voices, and was last updated by kokiks87 3 years, 6 months ago.

Viewing 9 posts - 11 through 19 (of 19 total)
September 3, 2010 at 2:09 am #89647
W7NOmoronovo
Member

I have some time later this evening now to actually test this; I have been very busy this week so I haven’t had a chance to look this over.

September 15, 2010 at 12:36 pm #89659
i00b
Member

Hello Omoronovo,

I’m looking forward to seeing if you can replicate the results.

Point 1e in my August 27 post should read:

"1e) On the WinXP or Vista computer, log into the standard (i.e. non-administrative) user account".

Thanks,

Ian

September 19, 2010 at 3:31 pm #89660
W7NOmoronovo
Member

Thanks for being so patient, I had a lot of stuff going on recently and replying here was put on the back burner.

I have tested your series of events and have come to the conclusion that this is not a network access flaw, but an oversimplification of the ACL’s.

I quote:

i00b wrote:
> 1d) From the administrative account on Win7, open Windows Explorer and attempt to access directories to the standard user account just created. As a security check, you will need to confirm you want access to these directories.

This is not a security check, it is asking if you want to take ownership of these directories and give everybody access. This means, if you have set up your network automatically (via built-in windows wizards and the like) or manually, and set the user group "everybody" to have any network access whatsoever, you are authorizing Windows to enable this folder for access for everybody. This was done as a direct response to slow file and folder access issues under Vista, where files and folders were granted extensive permissions only for the currently logged-in account. To make this process faster, and to limit the number of network file access problems caused by this method, this new method of ACL modification was introduced.

I understand that this might be confusing or counter-productive for people who are otherwise highly technical, but Microsoft seems to like splitting users into two groups – those that can do all this stuff manually, and the (significantly larger) group who simply want it to work fast, if not perfectly.

One point I still cannot get any understanding of however is that you mention you can see logged-in users via SMB – I have no such access and have had no luck in my attempts to find it.

I would however be interested in having you show me the steps – if you have half an hour or so of free time – as I shall install two VM’s and enable you to access them via Remote Desktop, so you can show me the exact steps needed to get this to occur. Let me know if this is something you’d be happy to do.

September 20, 2010 at 11:59 pm #89662
i00b
Member

Hello Omoronovo,

I completely disagree that this is, "an oversimplification of the ACL’s".  The same sequence of steps executed in Vista and Win7 produce different results. 

I also believe you are wrong in stating, "This is not a security check, it is asking if you want to take ownership of these directories and give everybody access." Again, Vista and Win7 both issue an identical warning message, "You don’t currently have permission to access this folder. Click Continue to permanently get access to this folder". Under Vista, only the administrator account on THAT computer has access to the standard user account. Under Win7, the standard user account also becomes network accessible with full read/write access – this is unacceptable!

If you have some time, I am open to discussing this with you over Skype or MSN.  Do you have a Skype account?  If so then I will provide you with my yahoo email ID so we can exchange Skype IDs (if not then I will install MSN). 

Thanks,

Ian

September 21, 2010 at 4:57 am #89663
W7NOmoronovo
Member

I have created a skype account. Please PM me the specifics. We will also need to arrange a time, since you’re running on US/Canadian time which is 6-8 hours behind us here in the UK.

September 21, 2010 at 8:47 pm #89665
W7NOmoronovo
Member

Myself and i00b have spent 4 and a half hours (!) discussing this issue on Skype, and have gone over it in great detail. In Windows 7, it does automatically share the folder when you use the automatic method for gaining access to folders – something previous versions of Windows did not – and although I agree this should be more properly documented, I believe it is still no more than a minor flaw. System administrators will manage shares the "old fashioned" way, themselves, rather than relying on Windows to do it for them – in which case the issue does not come up. I believe it is an attempt by Microsoft to allow home users to share folders more easily (or perhaps an addition thanks to Homegroup), but it’s not really going to be easy to tell if it was intentional or not, perhaps if SP1 corrects it to the old behaviour.

The issue i00b was having however, was additional to this – for some reason, his automatic shares would not "unshare". This is definitely not intended behaviour, and I have suggested he verify again that no extra applications could be affecting this procedure, and then to file a bug report if it is discovered it’s not. Hopefully he’ll report back on his progress/news.

September 23, 2010 at 2:59 am #89667
i00b
Member

Hi Omoronovo,

It was worthwhile working through the details of this matter with you.  As you suggested, I reinstalled a bare-bones Win7 configuration, without the updates.  The same problems occurred and I was not able to disable network access to the Win7 computer.

There is one workaround solution to disabling network access to the Win7 computer – but it is not pretty. Create a new user account, copy all personal files from the old account to the new account, delete the old account and then work with the new account. During our conversation yesterday, you recommended using the standard admins procedure for managing shares the ‘old fashion’ way. I’ll resort to this approach.

I will report this matter to Microsoft a second time and see what it has to say.

Thanks,

Ian
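
One way to check a Windows 7 machine for the situation discussed in the posts above, as an added example that is not part of any poster's message: it lists the disk shares that expose the user-profile tree, and the allow entries on each profile folder that belong to an account other than the profile's own, SYSTEM or Administrators. It assumes profiles live under %SystemDrive%\Users, that each folder name matches its account name, and English built-in account names; the function names are made up for this example.

```powershell
# Added example (not from the thread). PowerShell 2.0 compatible, run elevated.
$profileRoot = Join-Path $env:SystemDrive 'Users'   # assumption: default profile location

# Disk shares (Type 0; C$-style admin shares have a different type) whose path
# is the profile root, lies inside it, or is a parent directory of it.
function Get-ProfileShare {
    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -eq 0 -and $_.Path } |
        Where-Object {
            $p = $_.Path.TrimEnd('\')
            $p -eq $profileRoot -or
            $p.StartsWith($profileRoot + '\', $cmp) -or
            $profileRoot.StartsWith($p + '\', $cmp)
        } |
        Select-Object Name, Path, Description
}

# Allow ACEs on each profile folder that are not for the profile's own account,
# SYSTEM or Administrators. The Public folder is expected to show up here.
function Get-UnexpectedProfileAce {
    $expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')  # assumption: English names
    Get-ChildItem -Path $profileRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $dir = $_
        try { $acl = Get-Acl -Path $dir.FullName -ErrorAction Stop } catch { return }
        $ownAccount = '\\' + [regex]::Escape($dir.Name) + '$'      # e.g. PCNAME\ian
        $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $expected -notcontains $_.IdentityReference.Value -and
            $_.IdentityReference.Value -notmatch $ownAccount
        } | ForEach-Object {
            New-Object PSObject -Property @{
                Folder    = $dir.FullName
                Identity  = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
    }
}

Get-ProfileShare | Format-Table -AutoSize
Get-UnexpectedProfileAce | Format-Table Folder, Identity, Rights, Inherited -AutoSize
```

Running it before and after clicking Continue on another account's folder shows which share and ACL entries, if any, that prompt changed.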

October 2, 2010 at 5:12 am #89686
winstonterr
Member

Hi,
Hello everyone, I have a question concerning Windows 7 Ultimate. I just recently installed the OS on my laptop and everything seemed to work great. I could access my WD 1TB network drive with no problems. So before going to bed, I let the computer download the usual Windows updates. However, when I woke up this morning and went to access my network drive, I am now prompted to enter an admin user name and password. I do not know what these are because I never had to use them before. I do not know if the Windows updates added some new network security or what? Is there a way to disable the prompt from asking me to provide an admin user name and password?

October 3, 2010 at 6:53 am #89687
kokiks87
Member

This may help you with your network problem. WinMTR for windows 7 can be found here: http://blog.caneja.com/must-have-software/winmtr-7-for-windows-vista-and-windows-7/
