Re: NTFS Security
From: Ansgar -59cobalt- Wiechers (bugtraq_at_planetcobalt.net)
Date: 01/12/05
- Previous message: Rasmus Rønlev: "RE: XP SP2 Blind install"
- In reply to: Monrad.DC_at_forces.gc.ca: "NTFS Security"
- Next in thread: Rasmus Rønlev: "RE: NTFS Security"
Date: Wed, 12 Jan 2005 21:35:13 +0100
To: focus-ms@securityfocus.com
On 2005-01-11 Monrad.DC@forces.gc.ca wrote:
> I am looking at securing some USB memory sticks, to allow all domain
> users access on domain networked computers, but to restrict access
> from non-domain computers (home/internet/etc).
Not sure if I'm reading you correctly. Are you asking if you can
restrict access to data on USB sticks to users of your domain by setting
NTFS permissions? That's not possible at all, since filesystem
permissions can be circumvented, e.g. by taking the ownership on any
other Windows box or by mounting the stick on a Linux box.
> Giving domain users full permission and removing everyone works to a
> small degree.
> Plugging the usb drive into an XP machine comes up with a message that
> the drive is unaccessible, but you can access it by taking ownership.
> As most home users are the local admin, this solves nothing.
>
> Going one step further and setting special permissions deny take
> ownership/deny change permissions for everyone does not seem to stop
> the local admin from another domain/workgroup from accessing the data.
Any local admin is *always* able to take the ownership of a file or
folder, except for when you remove that privilege from the
administrators group on the *local* machine. You cannot restrict this
through NTFS permissions.
> Is there a Microsoft or third party solution to this, without
> encrypting the data and restricting access to specified individuals?
No. Using encryption is the only way to (more or less) achieve what you
are asking for.
Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety deserve
neither liberty nor safety, and will lose both." --Benjamin Franklin
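
The reply above places the take-ownership privilege on the local machine rather than on the media. As an added example (not part of the original message), the following audits which principals hold that right on one machine. It assumes the input is the text of a `secedit /export /areas USER_RIGHTS` file; the sample export is constructed, and the backup and restore rights go beyond what the message names.

```python
# Added example: audit which principals hold rights that override NTFS ACLs
# on one machine, from the text of a `secedit /export /areas USER_RIGHTS` file.
import re

# SeTakeOwnershipPrivilege is the right named in the message above. The other
# two are added here: they also let a holder read or write regardless of ACLs.
ACL_OVERRIDE_RIGHTS = ("SeTakeOwnershipPrivilege", "SeBackupPrivilege", "SeRestorePrivilege")
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the built-in Administrators group

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs are written as *S-1-...; account names appear without the star.
        holders = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        rights[name.strip()] = holders
    return rights

def acl_override_holders(inf_text):
    """Map each ACL-overriding right to its holders (empty list if unassigned)."""
    rights = parse_privilege_rights(inf_text)
    return {r: rights.get(r, []) for r in ACL_OVERRIDE_RIGHTS}

def admins_can_take_ownership(inf_text):
    return ADMINISTRATORS_SID in acl_override_holders(inf_text)["SeTakeOwnershipPrivilege"]

# Constructed sample export (not taken from a real machine).
SAMPLE_EXPORT = """\
[Privilege Rights]
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for right, holders in acl_override_holders(SAMPLE_EXPORT).items():
        print(f"{right}: {', '.join(holders) or '(nobody)'}")
```

The result describes only the machine the export came from; it says nothing about any other computer the stick is later plugged into.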