Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

Dear Roger A. Grimes,

--Friday, March 9, 2007, 6:49:13 PM, you wrote to 3APA3A@xxxxxxxxxxxxxxxx:

RAG> For one, I've been a sys admin for 20 years and NEVER created a
RAG> private folder under a public folder.

Nice. What about creating a "Sales Reports" folder, to which only the head of the Sales
department has access, inside the "Sales" folder?

RAG> I mean let's debate why users get Full Control to their own
RAG> folders in the first place. That's a common scenario (it's on
RAG> nearly every network) and it's almost always too many permissions.
RAG> Do I want my regular end-users changing their folder's security
RAG> permissions? No. Should any regular end-user have Full Control to
RAG> any share? No, for the same reason. These are valid, common,
RAG> security points that really do beg further discussion.

There is no actual difference between "Change" and "Full Control"
permissions for NTFS. "Change" gives you the ability to delete and create
objects. The ability to delete some object and create it again gives you a
way to become the object's owner, as if you had the "Take ownership" individual
permission. As an owner you always have the implicit "Change permissions"
individual permission. So, you have your "Full Control" without having
it. There is simply nothing more to debate here. The ownership problem has been
debated for ages.

RAG> You're just making crap up that isn't overly realistic in
RAG> the world, then going further to assume that a bonehead
RAG> administrator compounds the problem by making further insecure
RAG> decisions.

RAG> You are essentially saying, "If you misconfigure your system and
RAG> make further insecure choices, someone can hack you." Duh.

Who can tell me that creating "Sales Reports" inside "Sales" is insecure?

RAG> There's a reason why your "announcements" aren't making the news
RAG> media...because it isn't news.

If I wanted to "make the news media", I would write an article on Russian
cyberterrorism and its connection with Ukraine, Germany and the US, not an
article on enterprise file management security best practices.

RAG> With that said, you have something valid to say, but so far
RAG> it just isn't a "security vulnerability" that people need to be
RAG> aware of.

Roger, please read "Intro" section, it's rather small.

RAG> You're a smart person, concentrate on issues that will really
RAG> give us bang for the buck discussions and issues.

Aren't we discussing?

RAG> Roger

RAG> *****************************************************************
RAG> *Roger A. Grimes, InfoWorld, Security Columnist
RAG> *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
RAG> *email: roger_grimes@xxxxxxxxxxxxx or roger@xxxxxxxxxxxxxx
RAG> *Author of Professional Windows Desktop and Server Hardening (Wrox)
RAG> *
RAG> *****************************************************************

Yes, he was damn lucky. What a rotten time he would have had if he had survived! (Twain)
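
The layout argued about above, a narrower-ACL subfolder under a folder where a broader group holds Delete, can be audited rather than debated. This is an added example, not code from either correspondent; the share path in $Root is an assumption, and it must run as an account able to read every ACL under it.

```powershell
# Added audit script (not from the thread). For each subfolder it compares the
# principals allowed on that folder with the principals who can delete it via
# the immediate parent's ACL; anyone in the second set but not the first can
# remove and recreate the folder, become its owner and rewrite its ACL.
param([string]$Root = 'D:\Shares\Sales')   # assumed share root

# Parent-level rights that permit removing a child object and creating a new one.
$deleteMask = [int]([System.Security.AccessControl.FileSystemRights]::Delete -bor
                    [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles)

function Get-AllowedPrincipals {
    # Returns the account names holding an Allow ACE whose rights intersect $Mask
    # (-1 matches any Allow ACE at all).
    param([System.Security.AccessControl.FileSystemSecurity]$Acl, [int]$Mask = -1)
    $Acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights) -band $Mask) -ne 0 } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

Get-ChildItem -Path $Root -Directory -Recurse | ForEach-Object {
    $acl         = Get-Acl -Path $_.FullName
    $allowedHere = Get-AllowedPrincipals -Acl $acl
    $deleters    = Get-AllowedPrincipals -Acl (Get-Acl -Path $_.Parent.FullName) -Mask $deleteMask

    # Principals who may delete this folder through its parent but hold no
    # Allow ACE on it: the "Sales Reports" inside "Sales" case.
    $gap = $deleters | Where-Object { $allowedHere -notcontains $_ }
    if ($gap) {
        [pscustomobject]@{
            Folder               = $_.FullName
            Owner                = $acl.Owner          # a non-admin owner suggests a recreated folder
            CanDeleteButNoAccess = ($gap -join ', ')
        }
    }
}
```

Each reported row is a place where "Change" on the parent already amounts to "Full Control" on the child; the fix is either to drop Delete/DeleteSubdirectoriesAndFiles from the parent grant or to move the private folder out from under the public one.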

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -