Security Basics mailing list archives
RE: Win NT Permission question ?
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Thu, 9 Sep 2004 18:24:29 -0400
There are about 12 different things that create a user's effective permissions, including OS version, file system subsystem type, NTFS permissions (inherited and explicit), folder inheritance status, share permissions (if accessing over a network), group membership (both explicit and built-in), EFS, user privileges, etc., so without complete information I can only give you the textbook answer for the scenario you proposed.

Also, to really understand the effects of permissions you need to tell me what Special permissions each user has, that makes up Full Control, RX, etc. Oftentimes you might think that a person has certain permissions, only to find out with further investigation that the underlying Special permissions (the 13 special permissions make up the other higher level permissions that you see) actually give something slightly different. For instance, often I'll give only Read permissions, only to find out that the lower level Special permissions defaulted to Read and Execute, which is not what I intended. So, if you are confused about a particular permissions outcome, investigate the Special permissions.

But given the scenario you proposed below it might be possible for User2 to delete the Info folder and its contents because of a Special permission called Delete subfiles and folders. This permission, if given to a user (i.e. User2 probably has it because of the Full Control permission), would allow them to delete child file and folder objects.

The best permissions are to give only the explicit permissions needed by someone at a particular level and turn off inheritance on that folder. Enable and use EFS if your Windows version supports it.

And maybe you don't want to be so quick to criticize your admin until you've walked in their shoes. The job is harder than it looks and we all suck at something sometime.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), A+
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
***************************************************************************

-----Original Message-----
From: yfs us [mailto:yfs_168us () yahoo com]
Sent: Wednesday, September 08, 2004 8:46 PM
To: security-basics () securityfocus com
Subject: Win NT Permission question ?

Hi All,

Just want to check with u guys here how does these Win NT Permission works. My admin had setup a directory with the following permission :-

C:\detail\ was owned by user1 and had Full Control (All) (All)
user2 had Full Control (All) (All)
user3 had Full Control (All) (All)

C:\detail\data\ was owned by user2 and had Full Control (All) (All)
user1 had no access
user3 had add & read (rwx) (rwx)

C:\detail\data\info\ was owned by user3 and had Full Control (All) (All)
user1 had no access
user2 had no access

I'm user3 and I just want to know can user1 & user2 delete my file ? Can user2 delete the info folder ? If I create a folder in info directory eg. C:\detail\data\info\secret , so can user1 & user2 delete it and also the file inside the secret folder ?

I'm not an admin and my admin sucks ? If I want to secure my info folder what permission should be given to user2 & user1 ?

All help r welcome.

Cheers
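An added example, not part of the original messages: it decodes NTFS access masks into the 13 special permissions the reply mentions and applies the single-object delete check (Delete on the object, or the ACL editor's "Delete Subfolders and Files" on the parent, the permission the reply refers to) to the scenario in the question. The bit values are the winnt.h access-mask constants; the ACL table is constructed from the thread, "add & read" is approximated, and ownership, privileges, inheritance and non-empty folders are deliberately not modelled.

```python
# Added illustration. Bit values are the NTFS access-mask constants (winnt.h).
SPECIAL = {  # the 13 special permissions as named in the ACL editor
    0x000001: "List Folder / Read Data",
    0x000002: "Create Files / Write Data",
    0x000004: "Create Folders / Append Data",
    0x000008: "Read Extended Attributes",
    0x000010: "Write Extended Attributes",
    0x000020: "Traverse Folder / Execute File",
    0x000040: "Delete Subfolders and Files",
    0x000080: "Read Attributes",
    0x000100: "Write Attributes",
    0x010000: "Delete",
    0x020000: "Read Permissions",
    0x040000: "Change Permissions",
    0x080000: "Take Ownership",
}
DELETE, DELETE_CHILD = 0x010000, 0x000040
NO_ACCESS = 0x000000
READ = 0x020089
READ_EXECUTE = 0x0200A9
FULL_CONTROL = 0x0F01FF          # all 13 bits above (SYNCHRONIZE left out)
ADD_AND_READ = READ_EXECUTE | 0x000006   # approximation of NT4 "Add & Read"

def special_permissions(mask):
    """Expand a high-level permission into its special permissions."""
    return [name for bit, name in sorted(SPECIAL.items()) if mask & bit]

def can_delete(parent_mask, object_mask):
    """Delete succeeds with Delete on the object or delete-child on its parent."""
    return bool(object_mask & DELETE or parent_mask & DELETE_CHILD)

# Constructed from the question: per-folder {user: granted mask}.
ACLS = {
    r"C:\detail": {"user1": FULL_CONTROL, "user2": FULL_CONTROL, "user3": FULL_CONTROL},
    r"C:\detail\data": {"user1": NO_ACCESS, "user2": FULL_CONTROL, "user3": ADD_AND_READ},
    r"C:\detail\data\info": {"user1": NO_ACCESS, "user2": NO_ACCESS, "user3": FULL_CONTROL},
}

def who_can_delete(path):
    """Users who pass the delete check on `path` (treated as an empty folder)."""
    parent = ACLS[path.rsplit("\\", 1)[0]]
    return sorted(u for u, m in ACLS[path].items() if can_delete(parent.get(u, 0), m))

if __name__ == "__main__":
    print("Read vs Read & Execute:", special_permissions(READ ^ READ_EXECUTE))
    print("Can delete info:", who_can_delete(r"C:\detail\data\info"))
```

On a live system the same bits can be read from the folder's ACL in the Advanced security dialog; the point of the model is that user2's "no access" on info does not remove the delete-child right user2 holds on the parent.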
Current thread:
- Win NT Permission question ? yfs us (Sep 09)
- <Possible follow-ups>
- RE: Win NT Permission question ? Prasanna M (Sep 10)
- Re: Win NT Permission question ? Ansgar -59cobalt- Wiechers (Sep 13)
- RE: Win NT Permission question ? Roger A. Grimes (Sep 12)
- RE: Win NT Permission question ? David Schenz (Sep 13)
- FW: Win NT Permission question ? David Schenz (Sep 15)
- RE: Win NT Permission question ? Roger A. Grimes (Sep 15)
- Re: Win NT Permission question ? yfs us (Sep 15)
- RE: Win NT Permission question ? Robert McIntyre (Sep 17)
- RE: Win NT Permission question ? Prasanna M (Sep 17)