What security token is used when using UNC path remotely under domain admin context?

Tags: Security, UAC, UNC, Windows 7 security
I came across what I deemed a strange behavior while trying to automate a file copy on Windows 7. Perhaps someone could shed some light.

Environment: Windows 2008 domain with Windows 7 clients.

Scenario and facts: The goal is to copy/replace a single file in the Default profile. Because of the newly implemented security configuration on the Default profile folder in Win 7, even the local admin is denied permission to override anything under that folder; not unless the copy operation is being executed under the elevated admin security token or (from my research) under the local SYSTEM account’s security context. This behavior is true when the copy operation is executed locally using either the UNC path or the standard path. However, the copy/override operation succeeds when it originates from a remote Windows 7 machine via UNC path (ex: \\TargetWin7\C$\Users\Default\...\TargetFolder) and this copy operation is executed using the Domain Admin account under a standard, non-elevated token (note: the Domain Admin account is a Local Admin on the target PC). All of the above is true when using any CLI or programmatic approach – ex: xCopy, VBS FileSystemObject.copyFile method.

Question: What is the difference between executing the operation locally and doing so remotely in this case? It seems that when doing it over the network the session is treated as being with UAC “HIGHEST Privileges”.

Note: This is not a question about the missing "Copy To" button in the Profiles of Windows 7. The Default Profile is used as an example - I'm only interested in the security aspect of the above.

Software/Hardware used:
Windows 7, Windows 2008 Domain
ASKED: November 5, 2011  1:33 PM
UPDATED: November 7, 2011  7:39 PM

Answer Wiki


Basically, when you access files remotely, UAC is bypassed. The UAC on the local system that your copy process is running on doesn’t know if UAC is supposed to be enforced on the remote file system, and even if it did, it wouldn’t know if the files that you were looking at were supposed to be protected by UAC or not, as that isn’t the local system.
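
To see which token a session actually holds, the following PowerShell sketch (an added example, not part of the original question or answer) can be run on the target PC once from a normal prompt and once from an elevated one, to compare the filtered and full administrator tokens the question describes. The function name `Get-TokenSummary` is hypothetical; `EnableLUA` and `LocalAccountTokenFilterPolicy` are real Windows policy values not mentioned in the thread, the latter controlling whether UAC filters local-account administrator tokens on network logons.

```powershell
# Added example: summarize the access token of the current PowerShell session.
# Assumes English column headers from "whoami /groups /fo csv".
function Get-TokenSummary {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # Well-known integrity label SIDs (mandatory labels).
    $labels = @{
        'S-1-16-4096'  = 'Low'
        'S-1-16-8192'  = 'Medium'
        'S-1-16-12288' = 'High'
        'S-1-16-16384' = 'System'
    }

    # The integrity label appears in the token's group list as an S-1-16-* SID.
    $groups   = whoami /groups /fo csv | ConvertFrom-Csv
    $labelSid = $groups |
        Where-Object { $_.SID -like 'S-1-16-*' } |
        Select-Object -First 1 -ExpandProperty SID

    $integrity = 'Unknown'
    if ($labelSid -and $labels.ContainsKey($labelSid)) {
        $integrity = $labels[$labelSid]
    }

    # UAC policy values; a property that is not set comes back as $null.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        User                          = $id.Name
        # False for a filtered token: Administrators is present but deny-only.
        AdminGroupEnabled             = $principal.IsInRole($adminRole)
        IntegrityLevel                = $integrity
        EnableLUA                     = $policy.EnableLUA
        LocalAccountTokenFilterPolicy = $policy.LocalAccountTokenFilterPolicy
    }
}

Get-TokenSummary | Format-List
```

A non-elevated administrator session reports `AdminGroupEnabled : False` with a Medium integrity level, while an elevated one reports `True` with High.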

Discuss This Question: 1  Reply

  • RDTOO
    [...] A member runs into an odd security behavior with Windows User Access Control. MrDenny provides an [...]