ASP.NET Weblogs

uber1024's WebLog

It's not hot wings and beer, but it's still okay

SPS2003 - Machine Administrators have full control over the site?

I noticed that my boss, who was not even listed as a reader on our SPS2003 development site, had the ability to create subareas, add webparts to them, add listings, and add users.  In fact, I think that he's the one that added me as a user to the site and made me an administrator.  We ran a few tests with people who were administrators to the MACHINE and they could do whatever they wanted to the whole portal site.  Then we took users that were not administrators to the machine and they could only do what we specifically provisioned them to do.

So, our current theory is that local administrators to the server are allowed to do whatever they want to our Portal.  Anyone notice this?  If so, any thoughts?

Published Apr 14 2004, 12:53 PM by uber1024

Comments

 

Lamont Harrington said:

Yes. I've run into this issue many times. What I have surmised is that local admins are deemed as "system administrators" in a sense that they fully administer the environment that SharePoint runs on, regardless of whether they are a member of a SharePoint group or not.

Keep in mind that SharePoint (and Windows SharePoint Services as well) adheres to standard Windows-based security and as such adheres to the fact that local security policy governs that local admins have full administrative power.

I believe if you alter the local security policy, or, if the server is a member of an Active Directory domain, create a new group policy to limit the capabilities of local machine admins, then you might be able to circumvent SharePoint's out-of-the-box functionality. Mind you this is not at the security group level, but rather at the individuals who belong to the security group level.
April 14, 2004 1:15 PM
 

uber said:

That's pretty much what I was thinking. I'm glad I'm not crazy.
April 14, 2004 2:27 PM
 

Steve Clarke said:

Yes, this is by design. I've seen it mentioned in the documentation in several places. I use the local admin group to grant developers access to our dev sps servers.
April 14, 2004 2:51 PM
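
An added example, not part of the original post or comments: given the behaviour described in this thread (members of the server's local Administrators group can act on the portal without being in any SharePoint group), a practical check is to compare that group's membership against the accounts that are meant to have that access. The server name, account names and approved list below are constructed, and `Compare-LocalAdmins` is a hypothetical helper name.

```powershell
# Added example. All names and the approved list are constructed sample data.
# BUILTIN\Administrators has the well-known SID S-1-5-32-544 on every Windows machine.
$AdminsSid = 'S-1-5-32-544'

function Compare-LocalAdmins {
    param(
        [Parameter(Mandatory)] [string]   $Server,
        [Parameter(Mandatory)] [object[]] $Members,   # objects exposing Name and ObjectClass
        [Parameter(Mandatory)] [string[]] $Approved   # accounts meant to hold this access
    )
    foreach ($m in $Members) {
        if ($Approved -notcontains $m.Name) {
            # Not on the list, yet implicitly able to administer the portal
            $finding = 'NotApproved'
        } elseif ($m.ObjectClass -eq 'Group') {
            # Approved group: everyone inside it inherits the same access
            $finding = 'ReviewGroupMembership'
        } else {
            $finding = 'OK'
        }
        [pscustomobject]@{
            Server  = $Server
            Member  = $m.Name
            Class   = $m.ObjectClass
            Finding = $finding
        }
    }
}

# Constructed membership, shaped like the output of Get-LocalGroupMember
$sample = @(
    [pscustomobject]@{ Name = 'SPSDEV01\Administrator'; ObjectClass = 'User'  }
    [pscustomobject]@{ Name = 'CONTOSO\Domain Admins';  ObjectClass = 'Group' }
    [pscustomobject]@{ Name = 'CONTOSO\boss';           ObjectClass = 'User'  }
)
$approved = 'SPSDEV01\Administrator', 'CONTOSO\Domain Admins'

Compare-LocalAdmins -Server 'SPSDEV01' -Members $sample -Approved $approved |
    Format-Table -AutoSize

# On a live server (Windows PowerShell 5.1 or later), feed in the real membership:
# $live = Get-LocalGroupMember -SID $AdminsSid
# Compare-LocalAdmins -Server $env:COMPUTERNAME -Members $live -Approved $approved
```

With the sample data, `CONTOSO\boss` is reported as `NotApproved` and the domain group is flagged for a membership review, since every account nested in it receives the same implicit access.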
 

T.P. said:

You don't trust your admins?
April 14, 2004 8:56 PM
 
