NAV2009R2 - New domain user, by default has Admin Rights

eYe · 2013-11-26

Hi,

Came across this today, a domain user that does not even exist in SQL, is able to open up the production database and has admin rights on everything.
Apparently some (but not all users) are also now having extra permissions.

I checked the Roles and permissions, and as mentioned earlier, the user does not even exist in SQL...

Any idea on where I can even start looking for the cause, never seen this before.

Kind Regards,

Ewald

eYe · 2013-11-26

Marking this as solved though it isn't yet.

Seems it is a SQL permission issue. Group Permission somewhere that just allows anything and everything. Scary...

eYe · 2013-11-26

Out of interest sake,

On a machine running Windows Server 2012, the login (as previously mentioned, not implicitly listed in SQL, nor in listed in NAV's Windows Logins) is able to open the database and modify data.

On Windows Server 2008 however, with the same login, NAV gives the expected "The User ID and password are invalid" error.

So from an access point of view there would appear that there is a loophole somehow using Server 2012.

Suppose setting Security Model to Enhanced might be a short term solution?

Juha · 2013-11-27

Are you sure the user isn't member of a domain group with SUPER permission?

eYe · 2013-11-28

Yes, like I mentioned it is in a domain group. But no domain groups are listed in NAV under the Windows logins.

Using the same login, on Windows Server 2012 I can open NAV and modify any table, but Windows Server 2008 (accessing the same database) it gives you the incorrect login message as one would expect.

The elevated permissions for existing users I can understand because they are assigned to the "Super" Domain group. Actually I don't understand, because after a synchronise no error messages present themselves, does it not then replace the database level security in SQL?

NAV2009R2 - New domain user, by default has Admin Rights

Answers

Categories