Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Share and NTFS permissions

from [M. Burnett] Network Security [Permanent Link]
Subject: RE: Share and NTFS permissions
Date: Wed, 10 Jan 2007 11:01:01 -0700 
Although the owner has full control by default, you can prevent owners from
changing permissions on files they create. Do this by denying the CREATOR
OWNER user from changing permissions on a folder and that will propagate to
any new files in that folder. 

But there's a trick to this. When you create this ACL, make sure it applies
to "Subfolders and files only" and not the folder itself so you don't
prevent yourself from changing permissions on that folder again (you would
need another administrator user to fix it for you).

I recently wrote about file ownership and other NTFS oddities on my blog:
http://xato.net/bl/2007/01/04/pointless-permissions/


Mark Burnett






-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Jim Harrison
Sent: Tuesday, January 09, 2007 7:14 AM
To: Monrad.DC@Forces.gc.ca; focus-ms@securityfocus.com
Subject: RE: Share and NTFS permissions

That's exactly what "owner" implies.
The resource belongs to them and they have the ability to do what they
will with it.

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Monrad.DC@Forces.gc.ca
Sent: Friday, January 05, 2007 10:24 AM
To: focus-ms@securityfocus.com
Subject: RE: Share and NTFS permissions

We have found an issue with giving full rights to the share:
        The NTFS file owner can still change permissions.

The creator of a file is the owner and has the ability to change NTFS
permissions on that file/folder, regardless of what the existing NTFS
rights are!
This allows the file creator to alter the permissions either blocking
access or giving excess permissions.

A solution in this case is to create the share with Everyone( or
Authenticated Users/Given group...) Change rights and Administrators
FULL Control.  NTFS is then set as desired.  Limiting the share to
Change prevents the owner from modifying NTFS rights if accessing the
file through the share, but leaves everything else.

Drew Monrad 

All mail to and from this domain is GFI-scanned.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Share and NTFS permissions, Jim Harrison
Next by Date:  SecurityFocus Microsoft Newsletter #324, mfossi
Previous by Thread:  RE: Share and NTFS permissions, Jim Harrison
Next by Thread:  Deploying Microsoft SMS in a DMZ, Securi Net
Indexes:  [Date] [Thread] [Top] [All Lists]