There are about 12 different things that create a user's effective
permissions, including OS version, file system subsystem type, NTFS
permissions (inherited and explicit), folder inheritance status, share
permissions (if accessing over a network), group membership (both
explicit and built-in), EFS, user privileges, etc, so without complete
information I can only give you the text book answer for the scenario
you proposed.
Also, to really understand the effects of permissions you need to tell
me what Special permissions each user has, that makes up Full Control,
RX, etc. Oftentimes you might think that a person has certain
permissions, only to find out with further investigation that the
underlying Special permissions (the 13 special permissions make up the
other higher level permissions that you see) actually gives something
slightly different. For instance, often I'll give only Read
permissions, only to find out that the lower level Special permissions
defaulted to Read and Execute, which is not what I intended. So, if you
are confused about a particular permissions outcome, investigate the
Special permissions.
But given the scenario you proposed below it might be possible for User2
to delete the Info folder and its contents because of a Special
permission called Delete subfiles and folders. This permissions if
given to a user (i.e. User2 probably has because of the Full Control
permission) would allow them to delete child file and folder objects.
The best permissions are to give only the explicit permissions needed by
someone at a particular level and turn off inheritance on that folder.
Enable and use EFS if your Windows versions supports it.
And maybe you don't want to be so quick to criticize your admin until
you've walked in their shoes. The job is harder than it looks and we
all suck at something sometime.
Roger
************************************************************************
***
*Roger A. Grimes, Banneret Computer Security, Computer Security
Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), A+
*email: roger@banneretcs.com
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by
O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
************************************************************************
****
-----Original Message-----
From: yfs us [mailto:yfs_168us@yahoo.com]
Sent: Wednesday, September 08, 2004 8:46 PM
To: security-basics@securityfocus.com
Subject: Win NT Permission question ?
Hi All,
Just want to check with u guys here how does these Win NT Permission
works.My admin had setup a directory with the following permission :-
C:\detail\ was own by user1 and had Full Control
(All) (All)
user2 had Full Control (All) (All)
user3 had Full Control (All) (All)
C:\detail\data\ was own by user2 and had Full Control (All) (All)
user1 had no access
user3 had add & read (rwx)
(rwx)
C:\detail\data\info\ was own by user3 and had Full Control (All) (All)
user1 had no access
user2 had no access
I'm user3 and I just want to know can user1 & user2 delete my file ?
Can user2 delete the info folder ? If I create a folder in info
directory eg. C:\detail\data\info\secret , so can
user1 & user2
delete it and also the file inside the secret folder ?
I'm not a
admin and my admin sucks ? If I want to secure my info folder what
permission should be given to user2 & user1 ?
All help r welcome.
Cheers
__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - 100MB free storage!
http://promotions.yahoo.com/new_mail
------------------------------------------------------------------------
---
Computer Forensics Training at the InfoSec Institute. All of our class
sizes are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand
skills of a certified computer examiner, learn to recover trace data
left behind by fraud, theft, and cybercrime perpetrators. Discover the
source of computer crime and abuse so that it never happens again.
http://www.infosecinstitute.com/courses/computer_forensics_training.html
------------------------------------------------------------------------
----
---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.
http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------
