Re: Windows 2000's Everyone permission

From: Laura A. Robinson (larobins@bellatlantic.net)
Date: 08/23/01


Message-ID: <01d001c12c06$cb4817d0$0b00010a@lauradominion.com>
From: "Laura A. Robinson" <larobins@bellatlantic.net>
To: "Chris Davis" <chris.davis@computerjobs.com>, <FOCUS-MS@securityfocus.com>
Subject: Re: Windows 2000's Everyone permission
Date: Thu, 23 Aug 2001 15:07:02 -0400

Chris has sent me very gracious e-mail regarding our differing opinions on
the original subject; the posts did, indeed, appear out of order.

Now, on to the second issue:

The Security tab applies to NTFS permissions only. Share permissions, by
definition, do not propagate, as they are applied to the *share*, not to the
underlying folder. With that said, anytime modifications are made to NTFS
permissions, inheritance is an important factor to consider. One thing I
generally recommend to people is that when they set NTFS permissions, they
click the "Advanced" button and take a look at the options therein. With
advanced settings, you can set permissions just on that object, on that
object and all child objects, or even on specific types of child objects
(this applies to objects at the file system level and to objects in Active
Directory). The degree of granularity offered by NTFS permissions is
*phenomenal* in Windows 2000.

Laura

----- Original Message -----
From: "Chris Davis" <chris.davis@computerjobs.com>
To: "'Laura A. Robinson'" <larobins@bellatlantic.net>;
<FOCUS-MS@securityfocus.com>
Sent: Thursday, August 23, 2001 3:00 PM
Subject: RE: Windows 2000's Everyone permission

> I have admitted I am incorrect regarding the share issues. I think my
> e-mails got out of order somewhere between here and there, much like my
> thoughts often do.
>
> Because Laura is a convincing debater, I ran a test case scenario to
> evaluate her statements, in order to verify to myself that it is not her
> convincing manner that convinced me, but rather her facts that convinced me.
> I remain convinced!
>
> Next issue on this topic-
>
> When removing the "Everyone Full Access" share permission, Windows 2000
> informed me that I had to disable "Allow inheritable permissions from parent
> to propagate to this object." This seems to me like it could be a very good
> reason NOT to disable "Everyone full access" share permissions. When it
> speaks of this inheritance that is being disabled, does it speak only of
> share permissions, or does this affect NTFS permissions as well? Since I
> find this checkbox on the "security" tab of the file properties, I suspect
> it applies to both share and NTFS permissions.
>
> Chris
>
> -----Original Message-----
> From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
> Sent: Thursday, August 23, 2001 2:34 PM
> To: Chris Davis; 'John Wienand'; FOCUS-MS@securityfocus.com
> Subject: Re: Windows 2000's Everyone permission
>
>
> Inline responses.
> ----- Original Message -----
> From: "Chris Davis" <chris.davis@computerjobs.com>
> To: "'John Wienand'" <JWienand@bna.com>; <FOCUS-MS@securityfocus.com>
> Sent: Thursday, August 23, 2001 1:19 PM
> Subject: RE: Windows 2000's Everyone permission
>
>
> > "What added security measure do you get from this extra administrative
> > task?"
> >
> > This one: If a user cannot connect to a share at all, that user does not
> > know what's in the share.
>
> The user cannot see the contents of the share if permissions are set
> correctly at the NTFS level. Period. In fact, using NTFS permissions
> (traverse directory permission granted), you can even give a user access to
> a single document in a share without letting the user view any other
> contents of the share. The user connects to the document via explicit path
> or shortcut that you create that uses an explicit path to the share. Try it.
> >
> > If that reason doesn't work for you, how about philosophical: If share
> > permissions are not to be used, why do they exist?
>
> For FAT volumes. There was life before NTFS.
> >
> > Lots of documentation is wrong lots of times. This is one of those times.
>
> Actually, it isn't.
>
> >
> > Let's say your NT file server is attached to the internet and has
> "Everyone
> > Full Access" shares defined, but you have perfectly secure NTFS
> permissions.
> > You do not run any services other than file sharing. By your logic, you
> do
> > not need a firewall. You can leave ports 137-139 and 445 wide open? NTFS
> > will secure everything, right? A firewall would add no protection, since
> > NTFS is perfectly secure, right?
>
> This is an enormous leap in logic. I do not think that anybody has even come
> close to claiming that there is no need for a firewall, nor has anybody's
> logic indicated such. Additionally, you are discounting way too many factors
> in securing machines.
>
> The end result is this: share permissions are not necessary in the presence
> of properly implemented NTFS permissions.
>
> Laura
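An added example, not part of the thread above: a PowerShell script that makes Laura's distinction visible by listing share permissions and NTFS permissions separately, marking which NTFS entries are inherited (the state behind the "Allow inheritable permissions from parent to propagate" checkbox Chris mentions), and showing how to block inheritance without dropping the inherited entries. It assumes a test folder C:\Shares\Finance shared as "Finance" and the SmbShare module (Windows 8 / Server 2012 or later); both names are placeholders.

```powershell
# Added example (not from the thread). Assumes a folder C:\Shares\Finance
# shared as "Finance"; adjust both placeholders to your own environment.
$Folder    = 'C:\Shares\Finance'
$ShareName = 'Finance'

# 1. Share permissions live on the share object, not on the folder, so they
#    come from the SMB server module, never from Get-Acl on the path.
Write-Host "== Share permissions on \\$env:COMPUTERNAME\$ShareName =="
Get-SmbShareAccess -Name $ShareName |
    Select-Object AccountName, AccessControlType, AccessRight |
    Format-Table -AutoSize

# 2. NTFS permissions live in the folder's DACL. IsInherited marks entries
#    that came from the parent; AreAccessRulesProtected is $true when the
#    "Allow inheritable permissions..." checkbox has been cleared.
$acl = Get-Acl -Path $Folder
Write-Host "== NTFS permissions on $Folder (inheritance blocked: $($acl.AreAccessRulesProtected)) =="
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType,
                  IsInherited, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize

# 3. Audit check: warn about any Allow entry for Everyone that carries write
#    rights, whether it was set here or inherited from a parent folder.
$writeBit = [int][System.Security.AccessControl.FileSystemRights]::Write
$acl.Access |
    Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeBit) -ne 0)
    } |
    ForEach-Object {
        $origin = if ($_.IsInherited) { 'inherited' } else { 'explicit' }
        Write-Warning "Everyone has write rights on $Folder via an $origin ACE"
    }

# 4. Blocking inheritance on the folder. The second argument ($true) keeps
#    copies of the inherited entries as explicit ones, so the DACL is not left
#    empty; passing $false there would remove them outright.
function Protect-NtfsAcl {
    param([string]$Path)
    $a = Get-Acl -Path $Path
    $a.SetAccessRuleProtection($true, $true)   # protect DACL, preserve inherited rules
    Set-Acl -Path $Path -AclObject $a
}
# Protect-NtfsAcl -Path $Folder   # uncomment to apply after reviewing the listing
```

Run the listing first; the share table and the NTFS table are independent, which is why clearing the inheritance checkbox on the Security tab never touches share permissions.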