Security improvement for local OneDrive folder
When I select a different OneDrive location than the default c:/users folder then my files become visible for other users on the same PC. On my PC there are two discs - one for the OS and the other for Data. Upon selecting to store my OneDrive folder on the Data drive (d:) - the files become readable for all users.
Olafur
shared this idea
1 comment
-
Jerry
commented
This problem is actually bigger and needs to be picked up fast by Microsoft. Ive already notified microsoft by creating a ticket but the Office365 team couldnt help me as its a design (flaw?)
Ill explain why its such a issue by sketching a situation which ive tested :
------------------
OneDrive Version 2019 Build 19.103.0527.0003 FilesOnDemand enabled. Local admins have permissions on profiles or general permissions on the location where the OneDrive libaries/SharePoint Online libraries are located at.User A: Logged on to the PC, and has access to confidential SharePoint Online libraries through OneDrive.
User B: Is a (local) user on the computer with Administrative priviledges and has access to all user profiles on the computer of User A.
When User A isnt on his computer, User B logs on as a different user and goes into the profile of User A. He can go into all folders and files which User A has permissions on, even the one's in the Cloud and open them as if he was User A. Even creating files in folders results in them being created as if he was user A. If you have UNC access to the computer of the pc you can even do this when the main user is logged in to the computer, without the main user suspecting a thing.
Helpdesk admins can get to confidential files of Management/HR by simply logging in with their own credentials and/or local installation administrator accounts and its not showing up in the audit log of Office365 as suspicious behaviour
----------------One upside is that Windows 10 version 1903 brings a feature with Storage Sense which can clean up Onedrive files within a day without being used. So that could be helpful in a situation where computers are shared (eventhough the directories would still be visible and files that are kept on the device in question)
