Flutterby™! : Win 2k follies


Win 2k follies

2003-12-19 18:56:13.084688+00 by Dan Lyke 4 comments

Wow. We're working on a fairly complex .NET app that uses lots of permissions and groups and services and... well... Windows 2000 just sucks at distinguishing between local users and domain users and sometimes will log you in as one but grab a permission set from the other and... there have got to be a whole lot of security holes left in that bit of code. Windows XP seems to have fixed most of 'em, which surprises me.

[ related topics: Dan's Life Microsoft Software Engineering Work, productivity and environment ]


#Comment Re: Win 2k follies made: 2003-12-19 19:13:44.107918+00 by: aiworks

Just curious...

Is that determining if user1 means MYMACHINE\user1 vs. MYDOMAIN\user1 or is that specifying MYMACHINE\user1 and getting MYDOMAIN\user1 permissions?

There's a ton of stuff you can tweak that I suspect will have some effect through the group policy editor (gpedit.msc). Win2000 and WinXP local security policy has different defaults.

#Comment Re: Win 2k follies made: 2003-12-19 19:35:36.371701+00 by: Dan Lyke

The one I solved this morning by removing the local user from my machine was logging in as MYDOMAIN\user1 and getting MYMACHINE\user1's groups. We've also found situations where programmatically switching to MYDOMAIN\serviceuser1 fails, but .\serviceuser1 succeeds as MYDOMAIN\serviceuser1 when the machine's domain is MYDOMAIN.

#Comment Re: Win 2k follies made: 2003-12-19 20:08:23.01038+00 by: aiworks

I am *far* from a fan of the NT security model, but that just doesn't sound right (especially that first case).

In a way, that sounds like a cloned SID issue. Any chance that the domain server and the workstation were ghosted from the same image?

#Comment Re: Win 2k follies made: 2003-12-19 20:31:58.184691+00 by: Dan Lyke

Nope. All installed separately, compounded by the fact that the server is XP and this only seems to happen from Windows 2k clients. And the first case might not be so much getting MYMACHINE1\user1's groups as not picking up MYDOMAIN1\user1's groups. The problem went away when we deleted the user from the local machine, so my assumption was it was picking up the wrong groups. Obviously there'll be more testing to do on this.
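The questions the thread leaves open (is the logon token carrying MYMACHINE\user1's groups or just missing MYDOMAIN\user1's, and could the machine and domain SIDs collide) can both be settled from the token itself, because every group SID names the authority that issued it. The following PowerShell script is an added example written for this page, not code from the original post or its commenters. It assumes a modern domain-joined Windows host with PowerShell 3 or later (for Get-CimInstance) and a reachable domain controller so that "DOMAIN\Domain Users" can be translated to a SID; the domain name MYDOMAIN from the thread is only used in comments.

```powershell
# Added example (not from the original post): classify every group in the current
# logon token by which SID authority issued it, and check the machine SID against
# the domain SID for the "cloned SID" case raised in the thread.
# Assumptions: PowerShell 3+, Windows host, domain controller reachable for SID lookup.

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Machine SID: the local Administrator account always has RID 500, so strip that RID.
# Filtering on LocalAccount=True avoids enumerating the whole domain through WMI.
$localAdmin = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE 'S-1-5-21-%-500'"
$machineSid = ($localAdmin | Select-Object -First 1).SID -replace '-500$', ''

# Domain SID: "Domain Users" always has RID 513 in its domain, so resolve it and strip the RID.
$cs = Get-CimInstance Win32_ComputerSystem
$domainSid = $null
if ($cs.PartOfDomain) {
    $domainUsers = New-Object System.Security.Principal.NTAccount($cs.Domain, 'Domain Users')
    $domainSid = $domainUsers.Translate([System.Security.Principal.SecurityIdentifier]).Value -replace '-513$', ''
}

# Which authority issued the logon user's own SID (e.g. MYDOMAIN\user1 vs MYMACHINE\user1)?
$userAuthority = $id.User.Value -replace '-\d+$', ''
$userSource = switch ($userAuthority) {
    $machineSid { 'LOCAL'; break }
    $domainSid  { 'DOMAIN'; break }
    default     { 'OTHER' }
}
"Logged on as {0} ({1}); account SID issued by: {2}" -f $id.Name, $id.User.Value, $userSource

# Cloned-SID check: on a member workstation the machine SID must differ from the domain SID.
# (A domain controller legitimately shares the domain SID; DomainRole 4 or 5 means DC.)
if ($domainSid -and $machineSid -eq $domainSid -and $cs.DomainRole -lt 4) {
    Write-Warning "Machine SID equals domain SID ($machineSid): cloned-image SID collision."
}

# Classify each group SID in the token. The machine-SID pattern is tested first so that
# local groups are not swallowed by the generic S-1-5-21 (any domain) pattern.
$machinePattern = '^' + [regex]::Escape($machineSid) + '-\d+$'
$domainPattern  = if ($domainSid) { '^' + [regex]::Escape($domainSid) + '-\d+$' } else { '^$' }

$report = foreach ($g in $id.Groups) {
    $sid = $g.Value
    $source = switch -Regex ($sid) {
        $machinePattern                 { 'LOCAL (machine SID)'; break }
        $domainPattern                  { 'DOMAIN (this domain)'; break }
        '^S-1-5-21-\d+-\d+-\d+-\d+$'    { 'DOMAIN (other S-1-5-21 authority)'; break }
        '^S-1-5-32-\d+$'                { 'BUILTIN'; break }
        default                         { 'WELL-KNOWN / other' }
    }
    try   { $name = $g.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(unresolvable)' }
    [pscustomobject]@{ Source = $source; Name = $name; Sid = $sid }
}

$report | Sort-Object Source, Name | Format-Table -AutoSize

# Summary counts make the two hypotheses from the thread easy to tell apart:
# a domain logon whose token holds LOCAL groups it should not, versus one with no DOMAIN groups at all.
$report | Group-Object Source | Select-Object Name, Count | Format-Table -AutoSize
```

Run it in the session whose permissions look wrong. If the user SID is reported as DOMAIN but the group list contains `LOCAL (machine SID)` entries beyond the BUILTIN\Users membership every interactive logon gets, the token really has picked up local-account groups; if instead the `DOMAIN (this domain)` count is zero, the domain groups simply never made it into the token, which is the second reading offered in the last comment. Membership in local groups that the domain user was legitimately added to (such as Administrators) will also show up as LOCAL and is not a fault.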