PRB: SAK Server Managers Group Security Issue (324396)
The information in this article applies to:
- Microsoft Server Appliance Kit (SAK) Add On Pack Version 2.0
This article was previously published under Q324396
SYMPTOMS
On systems with the Role-Based user interface (UI) installed, a user who is a member of the Server Managers group can run applications under the System account. This results in the administrative credentials of the user being elevated to local system administrator. Therefore, members of the Server Managers group must be treated as members of the Administrators group.
RESOLUTION
Administrators must not put users who are not trustworthy into the Server Managers group.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
MORE INFORMATION
Server Managers have full access to the Microsoft Internet Information Services (IIS) metabase through Active Directory Service Interfaces (ADSI) or Microsoft Windows Management Instrumentation (WMI) calls made from Active Server Pages (ASP). Because Web sites can be configured to run with full System privileges, a member of the Server Managers group can gain Administrator access to the server.
The Server Managers role can be used to restrict the Web UI to the tasks needed by a group of users who must create Web sites and Web users. However, members of the Server Managers group must still be treated as having full administrative credentials.
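As an added audit example (not code from this article or from the SAK product), the following PowerShell script reports members of the local Server Managers group who are not also members of Administrators, and lists IIS Web applications configured to run in-process, where ASP code executes under the System account. It assumes Windows PowerShell 3.0 or later, the WinNT ADSI provider, and the IIS ADSI metabase provider; the AppIsolated property and its values follow IIS 5/6 metabase semantics and are not stated in this article.

```powershell
# Added audit script; not part of the KB article or the SAK product.
# Assumes: local Windows host, the WinNT ADSI provider, and the IIS ADSI
# metabase provider (IIS 5/6, or the IIS 6 metabase compatibility feature).

function Get-LocalGroupMemberName {
    param([string]$GroupName)
    $group = [ADSI]"WinNT://./$GroupName,group"
    foreach ($member in $group.Invoke('Members')) {
        # Members come back as raw COM objects; reflect out the Name property.
        $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
    }
}

function Get-InProcessWebApplication {
    # IIS 5 runs in-process applications (AppIsolated = 0) inside inetinfo.exe,
    # which runs as LocalSystem. 1 = isolated and 2 = pooled run out of process.
    $w3svc = [ADSI]'IIS://localhost/W3SVC'
    foreach ($site in $w3svc.Children) {
        if ($site.SchemaClassName -ne 'IIsWebServer') { continue }
        $root = [ADSI]"$($site.Path)/Root"
        $isolation = $root.Properties['AppIsolated'].Value
        if ($isolation -eq 0) {
            [pscustomobject]@{
                Site      = $site.Properties['ServerComment'].Value
                Path      = $root.Path
                Isolation = 'In-process (LocalSystem)'
            }
        }
    }
}

# 1. Treat every Server Manager as an Administrator: report those who are not
#    already in Administrators, since their effective rights exceed their role.
$admins     = @(Get-LocalGroupMemberName 'Administrators')
$managers   = @(Get-LocalGroupMemberName 'Server Managers')
$unexpected = $managers | Where-Object { $admins -notcontains $_ }
Write-Host 'Server Managers with effective Administrator rights but not in Administrators:'
$unexpected | ForEach-Object { Write-Host "  $_" }

# 2. Report Web applications whose ASP code already executes as System.
Write-Host 'Web applications running in-process as LocalSystem:'
Get-InProcessWebApplication | Format-Table -AutoSize
```

Run it as an administrator on the appliance; any name in the first list should be reviewed against the trust requirement stated in the RESOLUTION section.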
REFERENCES
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
248187 HOWTO: Impersonate a User from the Active Server Pages
Modification Type: Minor
Last Reviewed: 12/27/2003
Keywords: kbprb KB324396