Re: IIS Services Stop if Virtual Root Deleted on Disk
From: Tony Chow (tchow@BLUETENTACLE.COM)
Date: 02/07/02
- Maybe in reply to: Greg Chatten - St. Louis Internet: "IIS Services Stop if Virtual Root Deleted on Disk"
Date: Wed, 6 Feb 2002 19:18:20 -0800
From: Tony Chow <tchow@BLUETENTACLE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

BTW,
Someone pointed out to me that in NT4 you can accomplish the
same thing by clearing the delete permission checkbox on a folder and
choosing not to apply the change to subfolders and files.
In a sense, you *could* indeed deny delete permission and allow
full access to its contents to a user in NT4, but the reason that
you could is not that you didn't propagate the new ACL, because after
all, should the user create new files or subfolders in this folder
afterwards, those files or subfolders would inherit the no-delete ACL,
resulting in the user being able to create stuff but not delete them.
Rather, this method seemingly works owing to the fact that by
default, the CREATOR OWNER special group has full permissions to any
folder, and this default ACE is inherited by files/subfolders within
it, so that the user has full permissions to those files/subfolders even
if his/her account or groups to which he/she explicitly belongs have not
been assigned the Delete permission, as long as he/she is the
creator/owner of those files/subfolders.
So, as long as the administrator remembers to take over the
ownership of the root folder (otherwise the user will be able to delete
it,) you can indeed use the creator owner group to give a client full
access to subfolders and files within the root folder but without
allowing them to delete the root folder. However, editing the ACL
through Win2K is still the more robust approach, because 1) ownership
management in NT/2K is not very flexible, and more importantly 2) you
run into trouble as soon as two or more accounts need equal access to
the same root folder, in which case each account will not be able to
delete the files that other accounts have created (the CREATOR GROUP
special group would seem to be the answer, but unfortunately it is not
available through the NT4 interface.)
Corrections are welcome.
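
The inheritance behaviour discussed in the message above, as an added example that is not part of the original post: a simplified Python model (no Win32 calls, allow ACEs only) in which the CREATOR OWNER placeholder is resolved to the creating account when an object is created. The accounts `alice` and `bob`, the folder name `vroot` and all function names are constructed for illustration.

```python
# Simplified model of NTFS ACL inheritance; constructed for illustration,
# it makes no Win32 calls and handles allow ACEs only.
from dataclasses import dataclass, field
from typing import Optional

CREATOR_OWNER = "CREATOR OWNER"  # placeholder trustee, resolved at creation time
WRITE, DELETE, DELETE_CHILD = "WRITE", "DELETE", "DELETE_CHILD"
FULL = frozenset({WRITE, DELETE, DELETE_CHILD})
NO_DELETE = frozenset({WRITE})   # user ACE with the Delete box cleared

@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    aces: list = field(default_factory=list)  # (trustee, rights, inheritable)

def granted(node, user):
    """Union of rights from ACEs naming `user`; CREATOR OWNER ACEs never match directly."""
    rights = set()
    for trustee, ace_rights, _ in node.aces:
        if trustee == user:
            rights |= ace_rights
    return rights

def create(parent, name, user):
    """Create a child of `parent` as `user`, copying inheritable ACEs."""
    if WRITE not in granted(parent, user):
        raise PermissionError(f"{user} cannot create in {parent.name}")
    child = Node(name, parent)
    for trustee, rights, inheritable in parent.aces:
        if not inheritable:
            continue
        child.aces.append((trustee, rights, True))
        if trustee == CREATOR_OWNER:
            # The placeholder becomes an ACE for whoever created the object.
            child.aces.append((user, rights, False))
    return child

def can_delete(node, user):
    """DELETE on the object itself, or DELETE_CHILD on its parent."""
    if DELETE in granted(node, user):
        return True
    return node.parent is not None and DELETE_CHILD in granted(node.parent, user)

def scenario():
    # Constructed accounts "alice" and "bob" share one root folder.
    root = Node("vroot", aces=[("alice", NO_DELETE, True), ("bob", NO_DELETE, True),
                               (CREATOR_OWNER, FULL, True)])
    a = create(root, "a.txt", "alice")
    b = create(root, "b.txt", "bob")
    return {"alice deletes root": can_delete(root, "alice"),
            "alice deletes own file": can_delete(a, "alice"),
            "alice deletes bob's file": can_delete(b, "alice"),
            "bob deletes own file": can_delete(b, "bob")}
```
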