COMMAND

    kernel (ntfs+quota)

SYSTEMS AFFECTED

    NT 4.0 with SP4

PROBLEM

    Tonino Lucca found the following. On Terminal Server, an ordinary
    user can easily fill the file system on %systemdrive% by growing
    his own profile, thereby denying logon to all roaming-profile
    users who don't have a locally cached copy of their own profile.

    The same result can also be reached by growing the D:\temp
    directory, but you can prevent that by modifying TEMP and TMP
    through system policies or by modifying the TEMP and TMP values
    under HKCU\environment in the ntuser.dat hive.

    Profile quotas in SP4 are not effective in preventing a user
    profile from growing, so %systemdrive% can't be protected from
    filling up, and logon for roaming users can be denied by anyone.
    The profile quota in SP4 is supposed to give administrators the
    ability to deny, through system policies, the ability to log off
    to any user who exceeds a specified quota, until he/she brings the
    profile below the established quota. In fact, article Q185561
    says:

        Remember that the user will not be able to log off if the user
        profile quota is exceeded.

    But the user can still log off while exceeding the quota if he
    kills his own proquota.exe process. *He* is the owner of the
    proquota.exe process, not the system. It's very simple to do,
    unless the Task Manager is disabled through system policies too.
    This was tested on NT Terminal Server Edition.

    The problem in Terminal Server may be serious because, when
    %systemdrive% (which stores the locally cached copies of the
    profiles of currently logged-on users) is full, logon will be
    denied to everyone who doesn't have a locally cached copy of his
    own user profile (virtually all roaming profiles, if the policy to
    delete locally cached copies of user profiles is applied).
    Nevertheless, this kind of problem would remain even if the
    security context of the proquota.exe process were simply changed
    from user to system, because it comes up only at logoff. So the
    SP4 profile quota through system policies is not very effective at
    solving profile quota and security-related problems in NT, and
    especially in NT Terminal Server Edition.

    BTW: this leads to an even bigger problem I believe: combine this
    with the filling/growing of the MFT as reported by Vladimir
    Dubrovin. This means that any user can make the %systemdrive%
    drive (and/or the drive with roaming profiles) unusable (as in
    'reformat needed'!), just by putting a zillion empty files in it!


SOLUTION

    There are  apparent solutions  to this  (like MS  changing how  or
    when the profile directories are created):

        #1. Place  a quota  system on  the system  drive or just don't
            let users access it at all.
        #2. Put the profiles on a non-booting partition or drive.
        #3. Don't  use roaming  profiles or  use them  only where they
            are needed.  You can do this on a per-user basis.
        #4. Build a home-grown convoluted system for creating the
            user's profile directory on the share, while leaving the
            root of the share Everyone:R. There is also no need for
            this to be convoluted. You can do it with a batch file.
            For example:

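             rem %1 = name of the user account to create
             net user %1 /add /domain
             md \\server\profiles\%1
             rem /g without /e replaces the ACL; cacls asks for confirmation
             cacls \\server\profiles\%1 /g administrators:F system:F %1:F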
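
    Because the SP4 profile quota is enforced only at logoff and by a
    process the user owns, an administrator can check profile growth
    out of band instead. The following is an added example, not part
    of the original advisory: it reports total bytes and file count
    per profile directory, since a byte quota alone misses the
    many-empty-files case described above. The function names, sample
    tree and limits are assumptions chosen for illustration.

```python
import os
import tempfile

def audit_profiles(profiles_root, max_bytes, max_files):
    """Return {profile: (total_bytes, file_count, over_limit)} for every
    directory directly under profiles_root (hypothetical path and limits)."""
    report = {}
    for name in sorted(os.listdir(profiles_root)):
        top = os.path.join(profiles_root, name)
        if not os.path.isdir(top) or os.path.islink(top):
            continue
        total_bytes = file_count = 0
        for dirpath, _dirs, files in os.walk(top):
            for fname in files:
                file_count += 1  # every file costs an MFT record, even if empty
                try:
                    total_bytes += os.lstat(os.path.join(dirpath, fname)).st_size
                except OSError:
                    pass  # file removed mid-scan; it stays counted
        over = total_bytes > max_bytes or file_count > max_files
        report[name] = (total_bytes, file_count, over)
    return report

def build_sample_tree(root):
    """Constructed sample data: three profiles for the demonstration."""
    layout = {"alice": [1000], "bob": [5000], "carol": [0] * 50}
    for user, sizes in layout.items():
        os.makedirs(os.path.join(root, user, "Desktop"))
        for i, size in enumerate(sizes):
            with open(os.path.join(root, user, "Desktop", f"f{i}.dat"), "wb") as fh:
                fh.write(b"\0" * size)

def demo():
    # Limits are arbitrary illustration values, not recommendations.
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_profiles(root, max_bytes=4096, max_files=20)

if __name__ == "__main__":
    for user, (size, count, over) in demo().items():
        print(f"{user:8} {size:8} bytes {count:4} files {'OVER' if over else 'ok'}")
```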