Full Disclosure mailing list archives
Re: Microsoft Windows Vista/2003/XP/2000 file management security issues
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Fri, 9 Mar 2007 19:55:45 +0300
Dear Roger A. Grimes,

--Friday, March 9, 2007, 6:49:13 PM, you wrote to 3APA3A () SECURITY NNOV RU:

RAG> For one, I've been a sys admin for 20 years and NEVER created a
RAG> private folder under a public folder.

Nice. What about creating a "Sales Reports" folder, to which only the head of the Sales department has access, inside the "Sales" folder?

RAG> I mean let's debate why users get Full Control to their own
RAG> folders in the first place. That's a common scenario (it's on
RAG> nearly every network) and it's almost always too many permissions.
RAG> Do I want my regular end-users changing their folder's security
RAG> permissions? No. Should any regular end-user have Full Control to
RAG> any share? No, for the same reason. These are valid, common,
RAG> security points that really do beg further discussion.

There is no actual difference between "Change" and "Full Control" permissions for NTFS. "Change" gives you the ability to delete and create objects. The ability to delete some object and create it again gives you a way to become the object's owner, as if you had the "Take ownership" individual permission. As an owner you always have the implicit "Change permissions" individual permission. So, you have your "Full control" without having it. There is simply nothing more to debate here. The ownership problem has been debated for ages.

RAG> You're just making up crap that isn't overly realistic in
RAG> the world, then going further to assume that a bonehead
RAG> administrator compounds the problem by making further insecure
RAG> decisions.
RAG> You are essentially saying, "If you misconfigure your system and
RAG> make further insecure choices, someone can hack you." Duh.

Who can tell me that creating "Sales reports" inside "Sales" is an insecure choice?

RAG> There's a reason why your "announcements" aren't making the news
RAG> media...because it isn't news.

If I wanted to "make the news media", I would write an article on Russian cyberterrorism and its connection with Ukraine, Germany and the US. Not an article on enterprise file management security best practices.

RAG> With that said, you have something valid to say, but so far
RAG> it just isn't a "security vulnerability" that people need to be
RAG> aware of.

Roger, please read the "Intro" section, it's rather small.

RAG> You're a smart person, concentrate on issues that will really
RAG> give us bang for the buck discussions and issues.

Aren't we discussing?

RAG> Roger
RAG> *****************************************************************
RAG> *Roger A. Grimes, InfoWorld, Security Columnist
RAG> *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
RAG> *email: roger_grimes () infoworld com or roger () banneretcs com
RAG> *Author of Professional Windows Desktop and Server Hardening (Wrox)
RAG> *http://www.amazon.com/gp/product/0764599909
RAG> *****************************************************************

--
~/ZARAZA
http://securityvulns.com/
Yes, he was damn lucky. Oh, how badly he would have fared if he had survived! (Twain)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
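An added audit check, written for this archive page and not code from either poster: it walks a share root and reports subfolders whose ACL is tighter than their parent's while a non-administrative principal holds delete/create rights on that parent, which is exactly the "Sales Reports inside Sales" layout the message argues about. The `$Root` parameter, the `$Admins` exclusion list and the helper name are assumptions; group membership is not expanded, so a user reached only through a group is not matched.

```powershell
# Audit: find "private" subfolders that a parent-level Modify holder could
# delete and recreate (and thereby own). Assumes Windows PowerShell 5.1+ and
# read access to the ACLs under $Root.
param([Parameter(Mandatory)][string]$Root)

# Principals expected to hold delete/create everywhere; not reported.
$Admins = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

# Rights on the parent that allow removing and re-creating a child folder.
$DeleteCreate = [System.Security.AccessControl.FileSystemRights]::Delete -bor
                [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                [System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Get-AllowedIdentities([string]$Path, $RightsMask) {
    # Identities holding an Allow ACE with any bit of $RightsMask on $Path.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band $RightsMask) -ne 0 } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

Get-ChildItem -LiteralPath $Root -Directory -Recurse | ForEach-Object {
    $child  = $_.FullName
    $parent = $_.Parent.FullName

    # Non-admin principals able to delete/create directly inside the parent.
    $canReplace = Get-AllowedIdentities $parent $DeleteCreate |
                  Where-Object { $Admins -notcontains $_ }
    if (-not $canReplace) { return }

    # Anyone with any Allow ACE on the child. A parent-level replacer that is
    # absent here was deliberately locked out of the child, so the child is
    # the "private folder under a public folder" case.
    $childAllowed = Get-AllowedIdentities $child `
        ([System.Security.AccessControl.FileSystemRights]::FullControl)
    $gap = $canReplace | Where-Object { $childAllowed -notcontains $_ }

    if ($gap) {
        [pscustomobject]@{
            Folder      = $child
            Parent      = $parent
            CanRecreate = ($gap -join ', ')
            Owner       = (Get-Acl -LiteralPath $child).Owner
        }
    }
}
```

Each reported row is a folder whose contents are protected only as long as the folder is non-empty and nobody listed under CanRecreate removes and re-creates it; the fix is to take Delete/Create rights off the parent for those principals or move the private folder out from under the public one.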