Microsoft KB Archive/324396

= PRB: SAK Server Managers Group Security Issue =

Article ID: 324396

Article Last Modified on 12/27/2003

-

APPLIES TO


 * Microsoft Server Appliance Kit (SAK) Add On Pack Version 2.0

-



This article was previously published under Q324396



SYMPTOMS
On systems with the Role-Based user interface (UI) installed, a user who is a member of the Server Managers group can run applications under the System account. This results in the administrative credentials of the user being elevated to local system administrator. Therefore, members of the Server Managers group must be treated as members of the Administrators group.



RESOLUTION
Administrators must not put users who are not trustworthy into the Server Managers group.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
Server Managers have full access to the Microsoft Internet Information Services (IIS) Metabase through Active Directory Server Interfaces (ADSI) or Microsoft Windows Management Instrumentation (WMI) calls from Active Server Pages (ASP). Web sites can be configured to run with full System privileges. Therefore, members of the Server Managers group can gain Administrator access to the server.

The role of the Server Managers can be used to limit the Web UI for a group of users who must create Web sites and Web users. However, members of the Server Managers group must be treated as having full administrative credentials.

