Server 2011 standard security issue

    Question

  • I have the following situation: Windows server 2011 standard on Dell Power Edge T41 and 20 clients working fine. We have an application installed on the server (WinTotal) which requires the user to have full control over the work station including Windows files. The users were configured on each work station as local administrator. However the client for the application is unable to do any changes because the user or the local administrator does not have full control over system files. What changes should be done on Server 2011 Standard to enable the work station user (server's user) to have full control over the workstation to make WinTotal software work? The vendor informed us that it is our network problem, not their software problem, and for their software to work we should allow full control over Windows files and other files of the client workstation. It was working fine on SBS 2003. I can change the local user to have full control on any XP or Vista work station, it is grayed and does not allow changes.
    Wednesday, February 22, 2012 9:27 PM

Answers

  • But that really does not make any sense.

    Local Admin, yes.

    Run As Admin, yes.

    Full Control over every folder - no.

    I would raise a support case with the vendor to confirm their actual requirements, because this _must_ be a mistake.


    Robert Pearman SBS MVP (2011) | www.titlerequired.com | www.itauthority.co.uk

    Thursday, March 01, 2012 10:28 AM

All replies

  • Please clarify as there is no Server 2011. There is SBS 2011 standard so that is probably what you mean? It's also not clear what your workstation OSs are that you must give full control to windows system files? You should also tell your WinTotal vendor to move into the current world and update their software so it doesn't need that full control.

    Steve

    Wednesday, February 22, 2012 10:03 PM
  • Hi Steve

    Thank you. It is SBS 2011 Standard. The workstations are Windows XP Pro and Windows Vista Business, both 64 and 32 bit (all this info is included in my message).

    Thursday, February 23, 2012 12:23 AM
  • Hi,

    Considering security, the local administrator does not have full control permissions for all files by design, such as system files. Although an administrator can change ownership and permission settings, it is not recommended. If you change these settings for the system files, the system is vulnerable. I don’t think the solution WinTOTAL provided is reasonable. This mostly can be a compatibility issue.

    Based on the current situation, I would like to suggest you update the version of WinTOTAL to one compatible with your currently installed operating systems. Otherwise, please continue to ask them to troubleshoot the issue with their software. Please understand that Microsoft has less information regarding the third party products.

    Thanks for your understanding!

    Regards,


    Arthur Li

    TechNet Community Support

    Thursday, February 23, 2012 2:56 AM
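
Added example, not part of the thread or of any vendor's tooling: a read-only PowerShell audit a defender could run on a workstation to confirm that system-file ACLs have not been loosened in the way the reply above warns against. The `$Root` and `$MaxFiles` parameters and the choice of "broad" principals are assumptions made for this sketch.

```powershell
# Added example (not from the thread). Read-only audit of file ACLs.
param(
    [string]$Root     = (Join-Path $env:windir 'System32'),  # assumption: folder to audit
    [int]   $MaxFiles = 2000                                  # assumption: cap for a quick pass
)

# Well-known SIDs of broad principals; SIDs avoid localized group names.
$broadSids = @(
    'S-1-1-0'        # Everyone
    'S-1-5-11'       # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)

# Rights that let a principal alter, replace or re-permission a file.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$genericBits = 0x50000000   # GENERIC_WRITE (0x40000000) | GENERIC_ALL (0x10000000)

$sidType  = [System.Security.Principal.SecurityIdentifier]
$findings = Get-ChildItem -Path $Root -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Select-Object -First $MaxFiles |
    ForEach-Object {
        $file = $_
        try   { $acl = Get-Acl -Path $file.FullName -ErrorAction Stop }
        catch { return }   # unreadable ACL: skip this file
        # Ask for identities as SIDs so the comparison is language-independent.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $rights = [int]$ace.FileSystemRights
            $risky  = ($rights -band [int]$writeRights) -or ($rights -band $genericBits)
            if ($ace.AccessControlType -eq 'Allow' -and
                $broadSids -contains $ace.IdentityReference.Value -and $risky) {
                New-Object PSObject -Property @{
                    File      = $file.FullName
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }

if ($findings) { $findings | Format-Table File, Sid, Rights, Inherited -AutoSize }
else           { "No write-level grants to broad principals found under $Root" }
```

Any row it prints is a file that ordinary users can modify or re-permission, which is the condition to investigate and revert.
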
  • Hi Arthur, thank you for your time. However, I mentioned WinTotal as an example, but my question was regardless of any third party software. I am asking if there are any settings or configuration in SBS 2011 Standard that can enable a local user on a work station to have full control over the system?
    Thursday, February 23, 2012 3:05 AM


  • Hi,

    Domain and local administrators can change anything as they want. They can change the security settings to allow them to have full control permissions although they have not by default.

    Regards,

    Arthur Li

    TechNet Community Support

    Wednesday, February 29, 2012 2:03 PM
  • Does it really require full control over the whole system, or just one directory?

    Robert Pearman SBS MVP (2011) | www.titlerequired.com | www.itauthority.co.uk



    Wednesday, February 29, 2012 8:46 PM
  • Hi,

    How can an admin change these settings in SBS 2011 Standard?

    Wednesday, February 29, 2012 9:35 PM
  • Hi Robert

    The application is WinTotal Aurora. They are asking for full user's control of the work station.

    Wednesday, February 29, 2012 9:41 PM
  • But that really does not make any sense.

    Local Admin, yes.

    Run As Admin, yes.

    Full Control over every folder - no.

    I would raise a support case with the vendor to confirm their actual requirements, because this _must_ be a mistake.


    Robert Pearman SBS MVP (2011) | www.titlerequired.com | www.itauthority.co.uk

    Thursday, March 01, 2012 10:28 AM
  • NOTE: Except for changes in group policy (none of which have an effect in this situation, TTBOMK) there is no difference in the behaviour of XP/Vista/Win7 connected to SBS11 vs SBS08/03/00.

    Concerning access to local files or registry a Domain User that is a member of the 'Administrators' Local Group has full access to the machine (UAC withstanding, for Vista/Win7).

    _IS_ the WinTotal application executing and manipulating files local to the workstation? OR is it instead some form of network install where the executables (as well as data) reside on a server share? If the executables are on a server share we need to make a simple change to permission of the share and/or NTFS permissions.

    There is a 'complication' involving UAC (so Vista/Win7, but not XP) where an application stored on a network share must 'Run as Admin'. 'Run as Admin' has no drive mapping to the share whereas you may be executing the application from such drive mapping. Such application must instead, due purely to the security context of 'Run as Admin' (ie. _nothing_ to do with SBS), be instead run from a UNC Path (\\server\share\executable.exe rather than X:\executable.exe, where X: is mapped to \\server\share) because 'Run as Admin' can see the UNC path but not the drive mapping.

    _IF_ this proves to be the case, there is a very simple answer. WinTotal being a useless piece of carp.

    Monday, March 05, 2012 12:01 AM
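
Added example, not part of the thread: a small PowerShell helper that translates a mapped-drive path into the UNC form the last reply says an elevated process can reach. The function name `Resolve-MappedPathToUnc` is hypothetical, the sample path is the one used in the reply, and the sketch assumes Windows PowerShell with `Get-WmiObject` available.

```powershell
# Added example (not from the thread). Run it in the user's normal,
# non-elevated session: that is where the drive mappings exist. An elevated
# session has a separate logon session and will not list them.
function Resolve-MappedPathToUnc {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Only paths of the form X:\... can sit on a drive mapping.
    if ($Path -notmatch '^([A-Za-z]:)(\\.*)?$') { return $Path }
    $drive = $Matches[1]
    $rest  = $Matches[2]

    # DriveType 4 = network drive; ProviderName holds \\server\share.
    $disk = Get-WmiObject -Class Win32_LogicalDisk `
                          -Filter "DeviceID='$drive' AND DriveType=4"
    if (-not $disk) { return $Path }   # local or unmapped drive: unchanged

    return ($disk.ProviderName.TrimEnd('\') + $rest)
}

# Path form taken from the reply above; X: is assumed to be a mapped share.
$original = 'X:\executable.exe'
$resolved = Resolve-MappedPathToUnc -Path $original

if ($resolved -like '\\*') {
    "Use this path for the 'Run as Admin' shortcut: $resolved"
} else {
    "$original is not on a mapped network drive; nothing to translate."
}
```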