Error in Microsoft bulletin MS02-064

From: Christopher Hill (minkus@NTLWORLD.COM)
Date: 02/08/03

    Date:         Sat, 8 Feb 2003 13:50:36 -0000
    From: Christopher Hill <minkus@NTLWORLD.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    I sent this on to Microsoft on the 4/2/2003 - as yet no response - and I
    thought it would be helpful for administrators to be aware of this issue as
    well.

    The bulletin in question is MS02-064 - available here:

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-064.asp

    One of the fixes provided on this page is incorrect.

    Under 'What's a good baseline set of permissions?' the article states that
    the default Windows XP root permissions for the system drive are:

    Administrators: Full (This Folder, Subfolder and Files)
    Creators Owners: Full (Subfolders and Files)
    System: Full (This Folder, Subfolder and Files)
    Everyone: Read and Execute (This Folder Only)

    However, if you check a Windows XP machine, the root permissions also
    include:
    Users: Create Folders / Append Data (This folder and subfolders)
    Users: Read and Execute (This folder, subfolders and files)
    Users: Create Files / Write Data (Subfolders only)

    If the security template data also supplied in the article is used, the
    above Users entries *are* included. That is, the template data supplied to
    create the baseline set of permissions and the permissions listed are NOT
    the same.

    If a new folder is created after the system root permissions are changed,
    and the Users entries are not added, only Administrators have access to the
    new folder. Lots of legacy software expects to be able to put folders in the
    system root, and this generally breaks the software for non-administrators.
    As far as I can see, folders that have already been created are unaffected
    by the problem.

    The article should be republished to include the three 'Users' entries
    mentioned above, so that it is consistent in its advice. If (like me) you
    did NOT use the security template to apply changes but did it manually or
    using the Group Policy security UI, you need to add these entries.

    --
    'Therefore, if anyone is in Christ, he is a new creation;
    the old has gone, the new has come!" - 2 Corinthians 5v17
    minkus@ntlworld.com
    ICQ: 18705430 (Friends and family only please!)
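
The inheritance effect described in the message above, as an added example that is not part of the original post: a simplified Python model of which root entries take effect on a folder newly created in the drive root. The scope-to-flag table, the function names and the creator account `admin1` are assumptions of this model; real NTFS ACLs carry more detail than it tracks.

```python
# Added example: simplified model of NTFS ACE inheritance for a new folder in the root.
# Scope labels are those shown in the ACL editor; CI = container inherit,
# OI = object inherit, IO = inherit only (does not apply to the folder itself).
SCOPES = {
    "This folder only": set(),
    "This folder, subfolders and files": {"CI", "OI"},
    "This folder and subfolders": {"CI"},
    "Subfolders and files": {"CI", "OI", "IO"},
    "Subfolders only": {"CI", "IO"},
}

# Root permissions as listed in the bulletin text, per the post.
BULLETIN_LISTED = [
    ("Administrators", "Full", "This folder, subfolders and files"),
    ("CREATOR OWNER", "Full", "Subfolders and files"),
    ("SYSTEM", "Full", "This folder, subfolders and files"),
    ("Everyone", "Read and Execute", "This folder only"),
]

# The three Users entries the post reports on a real Windows XP root.
USERS_ENTRIES = [
    ("Users", "Create Folders / Append Data", "This folder and subfolders"),
    ("Users", "Read and Execute", "This folder, subfolders and files"),
    ("Users", "Create Files / Write Data", "Subfolders only"),
]

def effective_on_new_folder(root_acl, creator="admin1"):
    """Return {trustee: set(rights)} in effect on a folder newly created in the root."""
    result = {}
    for trustee, rights, scope in root_acl:
        if "CI" not in SCOPES[scope]:
            continue  # entry is not passed down to subfolders
        # CREATOR OWNER is a placeholder resolved to the account creating the folder
        # (assumed here to be an administrator account, constructed name).
        who = creator if trustee == "CREATOR OWNER" else trustee
        result.setdefault(who, set()).add(rights)
    return result

def users_can_use_new_folder(root_acl):
    """True if the Users group ends up with Read and Execute on the new folder."""
    return "Read and Execute" in effective_on_new_folder(root_acl).get("Users", set())

if __name__ == "__main__":
    for label, acl in (("bulletin list", BULLETIN_LISTED),
                       ("with Users entries", BULLETIN_LISTED + USERS_ENTRIES)):
        print(label, "->", effective_on_new_folder(acl))
```
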

