Full Disclosure mailing list archives
Re: Microsoft Windows Vista/2003/XP/2000 file management security issues
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 9 Mar 2007 13:01:19 -0500
--This is getting boring. Let's take this offline, just between you and me.

--You sound like many Linux/Unix guys I know who think they know Windows security, but really don't. You're still acting like Windows security is represented by Windows 95 without a firewall. You're mixing up your security permissions, acting like you've never heard of the Creator Owner SID, or the ability to change subfolder and file inheritance. Either you don't know about them or you're purposefully ignoring them to make your unlikely argument. Windows has incredibly granular security. You expect me to assume that the Windows administrator makes bonehead configuration mistakes and I'm just supposed to accept that as a Windows problem? You can argue that some Windows administrators may not configure something correctly based upon perceived risks...but I'm not blaming Windows for that.

--If I make a public folder in Linux and give all users RWX, it automatically flows down to the subfolders and objects, too. You can configure umask, but I can do exactly the same thing in Windows, using the Creator Owner SID. So, you make an additional change in Linux to make it more secure, but I can't do the same in Windows...and that makes it a Windows problem??

--See my other replies below.

Roger

*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger () banneretcs com or rogrim () microsoft com
*******************************************************************

-----Original Message-----
From: 3APA3A [mailto:3APA3A () SECURITY NNOV RU]
Sent: Friday, March 09, 2007 11:56 AM
To: Roger A. Grimes
Cc: full-disclosure () lists grok org uk
Subject: Re[4]: Microsoft Windows Vista/2003/XP/2000 file management security issues

Nice.

What about creating a "Sales Reports" folder, which only the head of the Sales department has access to, inside the "Sales" folder?

--Poor security practice. Never done it. If it is for the head of Sales only, make it under the head of Sales' normal user folder. Easy. No security problem.

There is no actual difference between "Change" and "Full Control" permissions for NTFS.

--First, Change is a share permission, not an NTFS permission. Are you talking Shares or NTFS permissions? In either case, there are two major differences between Change/Modify and Full Control. Those differences are the ability to change permissions and taking ownership.

"Change" gives you the ability to delete and create objects. The ability to delete some object and create it again gives you a way to become the object owner, as if you had the "Take ownership" individual permission. As an owner you always have the implicit "Change permissions" individual permission. So, you have your "Full control" without having it. There is simply nothing more to debate here. The ownership problem was debated for ages.

--If you delete and re-create the object, it's a new object. Jeez! So, the administrator intentionally set up the folder or share so other people could delete other people's objects, and this is a Windows problem? Alice gets Full Control on her new object, not Bob's old folder. If you want to prevent Bob from accidentally putting his personal, private files into Alice's newly created folder...if that's a concern, don't allow public users to have Change/Modify permissions to subfolders in the public folder. In Windows you can easily choose what objects inherit what permissions. If that is your concern, turn off inheritance to subfolders and files. Microsoft put those options in the Security tab GUI for a reason.

RAG> You're just making up crap that isn't overly realistic in the
RAG> world, then going further to assume that a bonehead administrator
RAG> compounds the problem by making further insecure decisions.
RAG> You are essentially saying, "If you misconfigure your system and make
RAG> further insecure choices, someone can hack you." Duh.

Who can tell me that creating "Sales reports" inside "Sales" is an insecure choice?

--Yes, absolutely.

RAG> There's a reason why your "announcements" aren't making the news
RAG> media...because it isn't news.

If I wanted to "make news media", I would write an article on Russian cyberterrorism and its connection with Ukraine, Germany and the US. Not an article on enterprise file management best security practices.

--At least that is a real problem.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
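The two configurations argued over above (a public folder where a broad group can delete and re-create other users' subfolders, versus one where CREATOR OWNER inheritance gives each user control only of what they created) can be expressed and checked in PowerShell. The script below is an added example for this archive page, not code from either poster: the share path, the group name used for the public folder and the list of "broad" principals are assumptions. `Set-PublicFolderAcl` builds the hardened ACL the reply describes (inheritance from the parent turned off, the group allowed to create but not delete on the top folder only, CREATOR OWNER Full Control inherit-only on children), and `Find-DeleteRecreateRisk` reports ACEs that grant a broad group a Delete right that also propagates to subfolders, which is the precondition for the delete-and-recreate ownership argument.

```powershell
# Added example: harden a public NTFS folder with CREATOR OWNER inheritance and audit it.
# Requires Windows with NTFS; run from an elevated PowerShell 5+ session.
# Path and group names are illustrative assumptions, not values from the thread.
using namespace System.Security.AccessControl

function Set-PublicFolderAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$UsersGroup = 'BUILTIN\Users'   # hypothetical; substitute your domain group
    )
    $acl = Get-Acl -Path $Path
    # Stop inheriting the parent's ACEs ($false = do not copy them), so only the rules below apply.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any remaining explicit ACEs so the result is deterministic.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    # Rule 1: the group may list the folder and create files/subfolders, on this folder only
    # (no inheritance). No Delete or DeleteSubdirectoriesAndFiles bit, so members cannot
    # remove each other's objects and re-create them under their own ownership.
    $acl.AddAccessRule([FileSystemAccessRule]::new(
        $UsersGroup,
        ([FileSystemRights]::ReadAndExecute -bor [FileSystemRights]::CreateFiles -bor
         [FileSystemRights]::CreateDirectories),
        [InheritanceFlags]::None, [PropagationFlags]::None, [AccessControlType]::Allow))
    # Rule 2: CREATOR OWNER gets Full Control, inherit-only, on subfolders and files. NTFS swaps
    # this well-known SID for the creator's SID on each new object, so every user fully controls
    # only what they created: the counterpart of the umask behaviour mentioned in the reply.
    $acl.AddAccessRule([FileSystemAccessRule]::new(
        'CREATOR OWNER', [FileSystemRights]::FullControl,
        ([InheritanceFlags]::ContainerInherit -bor [InheritanceFlags]::ObjectInherit),
        [PropagationFlags]::InheritOnly, [AccessControlType]::Allow))
    # Rule 3: Administrators keep Full Control on the folder and everything beneath it.
    $acl.AddAccessRule([FileSystemAccessRule]::new(
        'BUILTIN\Administrators', [FileSystemRights]::FullControl,
        ([InheritanceFlags]::ContainerInherit -bor [InheritanceFlags]::ObjectInherit),
        [PropagationFlags]::None, [AccessControlType]::Allow))
    Set-Acl -Path $Path -AclObject $acl
}

function Find-DeleteRecreateRisk {
    # Emit one object per Allow ACE that gives a broad principal a Delete right AND
    # propagates to child objects. Modify and FullControl both contain the Delete bit.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                                       'NT AUTHORITY\Authenticated Users')  # assumed list
    )
    $deleteBits = [int][FileSystemRights]::Delete -bor
                  [int][FileSystemRights]::DeleteSubdirectoriesAndFiles
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [AccessControlType]::Allow) { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights   = [int]$ace.FileSystemRights   # explicit bits only; generic rights are not decoded here
        $inherits = $ace.InheritanceFlags -ne [InheritanceFlags]::None
        if ((($rights -band $deleteBits) -ne 0) -and $inherits) {
            [pscustomobject]@{
                Path        = $Path
                Principal   = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
                Inheritance = $ace.InheritanceFlags
            }
        }
    }
}

# Usage (the share path is hypothetical):
# Set-PublicFolderAcl -Path 'D:\Shares\Public'
# Find-DeleteRecreateRisk -Path 'D:\Shares\Public' | Format-Table -AutoSize
```

After `Set-PublicFolderAcl` the audit function returns nothing for that folder, because the only ACE that reaches children is the inherit-only CREATOR OWNER rule, which is not a broad principal. Running the audit alone against an existing share is the cheaper check: any row it prints is a folder where the "delete it and create it again" path described in the thread is open to that group.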