Re: NTFS default special permissions

Geekwench -



On 9/4/07, Geekwench <geekwench@xxxxxxxxxxx> wrote:
I think we both understand the original question perfectly well, but I'm not
sure you noticed that the discussion is about a volume, not a folder.

As for the 'why', that has been answered several times now. Default
permissions do not assume that you want a read-only volume. Default
permissions assume that you want a volume that people can use for using,
accessing and *storing* data. That is why the default permissions include
the special permissions that are necessary for that to occur.


I disagree with MS's decision to grant users the ability to write by
default, especially in such a way where it isn't obvious that the
users have write. Granted it only takes a couple of clicks for someone
to see the special permissions but knowing how simple it is to
see/manage permissions in Unix/Linux, I find Windows implementation
combersome, but this is a different conversation altogether.



Note, again, that the original post referenced a VOLUME. As in a partition.
A drive. An entire chunk of space allocated on a disk. NOT A FOLDER. It is
fairly rare for somebody to want an entire volume to be read-only (in fact,
creating a volume and then disallowing any writes to the volume would be
pretty, well, dumb), which is why the default permissions allow users to
create and store data on the volume. Don't confuse your choosing to manually
designate a folder as "read only" with the operating system setting the
default permissions on an entire volume to allow data to be created and
stored on that volume. That is what a volume is *for*- to store data of some
kind.

You continue to refer to the volume as a "data" volume but the default
permissions apply to ALL volumes, including system volumes. Users do
not need any write permission to system volumes. Furthermore, no need
to define what a volume is as I am completely aware. We simply have
had a misunderstanding and your condescending tone is not appreciated.


So, again, the default permissions on a volume are configured to allow that
volume to actually be usable for data storage. Should an administrator wish
to reconfigure that, the administrator can, and should, do so. The default
permission set, however, sets what are essentially the minimum permissions
required for users to store data on that volume.

It might help you to understand if you pull up the permissions on an NTFS
volume and look not only at the permissions as they're described in the
original post- which, btw, is not a complete description and which it seems
you're misinterpreting a bit- you seem to be assuming that those special
permissions "came with" some other permissions that the OP set and that is
not the case. They were not magically set because of the OP setting read &
execute, etc., permissions. They are the DEFAULT PERMISSIONS for the NEWLY
CREATED volume. The OP didn't say he'd set a single permission, and those
special permissions don't magically appear because somebody sets read &
execute permissions on, say, a folder.

You should also look at what each of the permissions applies *onto* within
that volume. Then consider the typical user activities on a volume and what
permissions would be needed for users to do what they need to do to get
their work done, such as create folders to store documents in and then store
documents in those folders.

Finally, create a folder in the volume and add somebody to the ACL for that
folder. Note the default permissions for the newly-added user, which are
"Read and Execute", "List Folder Contents" and "Read". Then actually look at
the special permissions for that user. [no yelling, just capping for
emphasis:] THERE ARE NO SPECIAL PERMISSIONS ALLOWING USERS TO CREATE
FOLDERS/APPEND DATA AND CREATE FILES/WRITE DATA CREATED. To put this another
way, GRANTING "READ AND EXECUTE", "LIST FOLDER CONTENTS" AND "READ" DOES NOT
CREATE THE SPECIAL PERMISSIONS YOU THINK IT CREATES. You are confused about
the difference between the canned base permissions for the volume and the
default permissions on folders, as well as the difference between viewing a
default ACL and actually modifying an ACL, as well as what are the default
folder permissions for somebody added to the ACL on the folder.

Thank you for the all caps clarification.



Laura Robinson


-----Original Message-----
From: Megan Kielman [mailto:megan.kielman@xxxxxxxxx]
Sent: Wednesday, September 05, 2007 12:38 AM
To: Geekwench
Cc: Ansgar -59cobalt- Wiechers; focus-ms@xxxxxxxxxxxxxxxxx
Subject: Re: NTFS default special permissions

Ansgar/Geekwench -

I believe that both of you have misunderstood the original question.

The OP specifically asked what would happen if the Create
Folders/Append Data & Create Files/Write Data permission were removed
because he ONLY wants to provide Read and Execute permission to that
directory. I followed his question with another question about why
when Read and Execute, List Folder Contents, and Read are granted,
there is a "special" permission" allowing users to Create
Folders/Append Data and Create Files/Write Data. In my opinion that is
confusing and misleading.

You both keep mentioning that Create Folders/Append Data & Create
Files/Write data is needed so users can do their work but in my
experiences there are many cases where users only need to read for
certain directories. Is there some functional reason why read only on
directories is not sufficient? Is it temp files, as The OP asked
earlier?

Megan



On 9/4/07, Geekwench <geekwench@xxxxxxxxxxx> wrote:
I think the original question is being misunderstood. The OP wrote:

"The default permissions for Users are Read & Execute, List Folder
Contents,
and Read. This is what we want. But the Users account also gets the
special permissions Create Folders\Append Data and Create Files\Write
Data."

What I think you may be missing is that the default permissions are
not just
read permissions. They are read and *execute* permissions, plus
permissions
necessary for users to store content on the volume. Therefore, your
statement " It seems silly to me that when you grant someone read
access
they by default can also write" isn't a logical conclusion.

There was nothing in the original query indicating that the default
permissions are JUST read permissions. They are not. They are read,
execute
and "store content" permissions, so any conclusion drawn on the
assumption
that the inclusion of "read" in a permissions set implies "read only"
is
fallacious.

The reasons for the create/append permissions have been addressed
already.
In order to provide a functional default permissions set on volumes,
the
permissions are created the way they are. I'm not sure where you got
the
impression that there was anything in the default permissions that
provides
read-only functionality, but that would be a very poor default
permission
set given that most volumes are not intended to be read-only.

BTW, how come my legit e-mail got bumped off this list when we got a
new
moderator, but my spambox address is still getting the secfocus
posts? Grr.

Laura Robinson

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Megan Kielman
Sent: Tuesday, September 04, 2007 9:11 AM
To: Ansgar -59cobalt- Wiechers
Cc: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Re: NTFS default special permissions

No, I am asking for clarification on the original question. Why
when a
user is grated Read & Execute are they also granted the special
permission Create Folders\Append Data and Create Files\Write Data?
Is
it only so that a user can create temporary files? It seems silly
to
me that when you grant someone read access they by default can also
write.

On 9/4/07, Ansgar -59cobalt- Wiechers <bugtraq@xxxxxxxxxxxxxxxx>
wrote:
On 2007-09-03 Megan Kielman wrote:
On 8/24/07, Ansgar -59cobalt- Wiechers
<bugtraq@xxxxxxxxxxxxxxxx>
wrote:
On 2007-08-22 Robert McIntyre wrote:
On my Windows 2003 servers we create a data partition and
format
it
with NTFS. The default permissions for Users are Read &
Execute,
List Folder Contents, and Read. This is what we want. But
the
Users account also gets the special permissions Create
Folders\Append Data and Create Files\Write Data.

From the articles that I have seen on TechNet, the special
permissions are not needed if we only want read access. So
why
are
they there by default? What purpose do they serve? If we
remove
the special permissions will it cause problems?

The only thing that I could think of is that maybe it is
needed
to
create a temporary file when you open a document for reading.

If you remove those ACEs your users will be unable to create
files
and folders on that partition. That may cause problems e.g. in
cases
when they need to open files with progams like MS Word,
because
Word
creates temp files in the same directory as the document.

How is the Create Folders/Append Data and Create Files/Write
Data
permission different then Write?

The former two are subsets of the latter. "Write" permissions
consist
of
these four basic permissions:

- Create Files/Write Data
- Create Folders/Append Data
- Write Attributes
- Write Extended Attributes

How does it differentiate an action where the user intends to
create/write data versus creating a temp file as a byproduct of
opening a Word doc?

You aren't asking what the difference between writing to an
already
existing file and creating a new file is, are you?

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to
patches
becoming available."
--Jason Coombs on Bugtraq


No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.485 / Virus Database: 269.13.5/988 - Release Date:
9/4/2007 9:14 AM


No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.485 / Virus Database: 269.13.5/988 - Release Date:
9/4/2007
9:14 AM




No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.485 / Virus Database: 269.13.5/988 - Release Date:
9/4/2007 9:14 AM


No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.485 / Virus Database: 269.13.5/988 - Release Date: 9/4/2007
9:14 AM




Relevant Pages

  • Re: Minimum NTFS Permissions - Theres such a thing???
    ... ?2001 Microsoft Corporation. ... HOW TO: Set Minimum NTFS Permissions Required for IIS 5.0 to Work WGID:198 ... " List Folder Contents" ...
    (microsoft.public.inetserver.iis.security)
  • Re: Unable to delete orphaned 1.5 GB System Restore folder
    ... The fact that the tech support is based in India has nothing to do with the ... If so you may want to leave this folder alone. ... down to all children folders because i can set those permissions to ... try deleting from the command line using system by using the AT ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Unable to delete orphaned 1.5 GB System Restore folder
    ... The only computers i fix are my own. ... If so you may want to leave this folder alone. ... it includes all subdirectories with inherited permissions. ... try deleting from the command line using system by using the AT ...
    (microsoft.public.windowsxp.security_admin)
  • RE: no OWA
    ... have the correct permissions was the "inetpub" folder. ... Correct the settings in IIS: ... click to check the "Hide All Microsoft Services" ...
    (microsoft.public.windows.server.sbs)
  • Re: Help with File Security
    ... First if you do not understand special permissions that well take a look at ... folder is shared and the other where several parent folders are shared. ... I have a Shared folder on my server's C: ...
    (microsoft.public.security)