Security Basics mailing list archives

RE: Win NT Permission question ?


From: "David Schenz" <schenz.9 () dps ohio-state edu>
Date: Sat, 11 Sep 2004 13:03:31 -0400

Nope.... let's evaluate closely....

I'm going to assume:

1) Share level permissions are set to Everyone: FC and we are therefore only
   messing with NTFS permissions (which is a much simpler method of working
   with permissions and is the way recommended by Microsoft)
2) All users are regular domain users, not admins
3) detail, data, and info folders are not inheriting permissions, otherwise
   user1, user2, and user3 would have full control to detail, data, and info.
4) The files in each folder have the same permissions as the folder it is in
   (i.e. the files are inheriting the permissions from the folder)

C:\
|
|
-----detail\ (user1: FC; user2: FC; user3: FC)
        |
        |
        |
        --------data\ (user1: None; user2: FC; user3: FC)
                    |
                    |
                    |
                    --------info\ (user1: None; user2: None; User3: FC)

Remember... every object has an individual ACL, if there is no
inheritance, no other ACL should matter most of the time. 

If user1 tried to delete the detail folder, he would be able to delete
all the files in the detail folder, but not the data or info folder (and
therefore not the detail folder since he'd get a "Folder is not empty"
message). If user2 tried to delete the detail folder, he would be able
to delete all of the files in the detail and data, but not the info
folder. If user3 tried to delete the detail folder, he would be
successful.  

User1 cannot access the data folder and could not delete it. If user2
tried to delete the data folder, he would be able to delete all the
files in the folder, but not the info folder (and therefore not the data
folder since he'd get a "Folder is not empty" message). If user3 tried
to delete the data folder, he'd be successful.

The assumption that inheritance is turned off for each of the folders
here is very important. Otherwise all of this flies out the window and
user1,2,3 have full control to all three folders. I also emphasize
giving everyone Full control for share level permissions otherwise the
permissions get _very_ hairy.

Good luck
David
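The walk-through above can be modelled as a recursive delete over a tree in which every object carries its own ACL (inheritance off, files taking their folder's ACL) and a folder is only removed once it is empty. This is an added illustration, not code from the thread; the file names notes.txt, report.txt and secret.txt are constructed, and the rights are David's assumed ones (FC on each listed object, no share-level restriction).

```python
"""Model of per-object NTFS ACLs with inheritance disabled (constructed example).
A folder is removed only after all its children are gone; an object the user
cannot delete stays behind and keeps every ancestor alive ("Folder is not empty")."""
from __future__ import annotations
from typing import Dict, FrozenSet, List, Optional

FC = frozenset({"read", "write", "delete"})   # "Full Control", reduced to the rights that matter here
NO_ACCESS: FrozenSet[str] = frozenset()


class Node:
    def __init__(self, path: str, acl: Dict[str, FrozenSet[str]],
                 children: Optional[List["Node"]] = None) -> None:
        self.path = path
        self.acl = acl                  # this object's own ACL; nothing is inherited
        self.children = children or []


def can_delete(node: Node, user: str) -> bool:
    # With inheritance off, only the object's own ACL decides.
    return "delete" in node.acl.get(user, NO_ACCESS)


def try_delete(node: Node, user: str) -> bool:
    """Attempt a recursive delete as `user`; True if `node` itself was removed."""
    node.children = [c for c in node.children if not try_delete(c, user)]
    if node.children:                   # something survived: "Folder is not empty"
        return False
    return can_delete(node, user)


def build_tree() -> Node:
    """David's assumed layout; files carry the ACL of the folder they sit in."""
    detail_acl = {"user1": FC, "user2": FC, "user3": FC}
    data_acl = {"user2": FC, "user3": FC}             # user1: no access
    info_acl = {"user3": FC}                          # user1, user2: no access
    info = Node(r"C:\detail\data\info", info_acl,
                [Node(r"C:\detail\data\info\secret.txt", info_acl)])   # constructed file
    data = Node(r"C:\detail\data", data_acl,
                [Node(r"C:\detail\data\report.txt", data_acl), info])  # constructed file
    return Node(r"C:\detail", detail_acl,
                [Node(r"C:\detail\notes.txt", detail_acl), data])      # constructed file


def remaining(node: Node) -> List[str]:
    out = [node.path]
    for child in node.children:
        out.extend(remaining(child))
    return out


def delete_detail_as(user: str) -> List[str]:
    """Paths still present after `user` tries to delete C:\\detail and everything under it."""
    root = build_tree()
    return [] if try_delete(root, user) else remaining(root)
```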


-----Original Message-----
From: Prasanna M [mailto:PrasannaM () catsglobal co in] 
Sent: Friday, September 10, 2004 3:46 AM
To: 'yfs us '; 'security-basics () securityfocus com '
Subject: RE: Win NT Permission question ?

user1 & user2: are they admins or normal users?

Your file would be safe only if users 1 & 2 don't know how to tinker with
Win NT much. If they do know their way around Win NT, then your data isn't
safe.

Basically, if someone has ownership access to the parent folder, then they
can definitely access the subfolders, no matter what permissions you set.


hth,
Prasanna
-----Original Message-----
From: yfs us
To: security-basics () securityfocus com
Sent: 9/9/2004 6:16 AM
Subject: Win NT Permission question ?

Hi All,

   Just want to check with you guys here how these Win NT permissions work.
My admin had set up a directory with the following permissions:

C:\detail\            was owned by user1 and had Full Control (All) (All)
                      user2 had Full Control (All) (All)
                      user3 had Full Control (All) (All)

C:\detail\data\       was owned by user2 and had Full Control (All) (All)
                      user1 had no access
                      user3 had add & read (rwx) (rwx)

C:\detail\data\info\  was owned by user3 and had Full Control (All) (All)
                      user1 had no access
                      user2 had no access

I'm user3 and I just want to know: can user1 & user2 delete my file?
Can user2 delete the info folder? If I create a folder in the info
directory, e.g. C:\detail\data\info\secret, can user1 & user2 delete it
and also the file inside the secret folder? I'm not an admin and my admin
sucks. If I want to secure my info folder, what permissions should be
given to user2 & user1?

All help is welcome.

Cheers


---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------