RE: Bypassing NTFS ACL

From: Thomas Brennan (tbrennan_at_datasafeservices.com)
Date: 02/22/05

  • Next message: James Riden: "Re: TR: Mapping Class A network ( any easy trick?)" 
    Date: Tue, 22 Feb 2005 06:20:19 -0500
To: <chris@compucounts.com>

    Sure.

    My Computer --> %DRIVE/FOLDER --> right click --> properties -->
    security tab --> advanced --> permissions or owner depending on what you
    need to do long term.

    /*
    Thomas J. Brennan, CISSP, MCSA, C|EH
    DATA SAFE SERVICES
    T:(888)663-0079 | F:(973)428-0293 | PGP Key Id: 0x96924C97
    Web: www.datasafeservices.com
    */
     

    > -----Original Message-----
    > From: chris@compucounts.com [mailto:chris@compucounts.com]
    > Sent: Friday, February 18, 2005 3:49 PM
    > To: pen-test@securityfocus.com
    > Subject: Bypassing NTFS ACL
    >
    > I've got domain admin access to a Windows 2003 server, and
    > have encountered a series of directories that are protected
    > by custom ACLs which do not include any group I am a member
    > of and are not inheriting the ACL of their parent directory.
    >
    > I know there are plenty of simple solutions to this problem
    > such as joining the group, taking ownership of the directory,
    > etc, however I'm looking for a slightly more difficult
    > solution that wouldn't be noticed.
    > I want to bypass the ACL.
    >
    > I figured that if root can do it in UNIX, SYSTEM could do it
    > in Windows, but it looks like I'm wrong:
    > --
    > C:\> whoami
    > nt authority\system
    >
    > C:\> cd somedir
    > Access is denied.
    > --
    >
    > Is there any means of bypassing the ACL while the system is
    > online without rewriting it?
    >
    > I'm going to reiterate: Yes there are plenty of other ways to
    > do this, but I want to be difficult :) This could come in
    > handy later on.
    >
    > Thanks,
    >
    > - Chris
    >

    DATA SAFE SERVICES: This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by email or telephone and destroy all copies of the original message.

  • Next message: James Riden: "Re: TR: Mapping Class A network ( any easy trick?)"

    Relevant Pages

    • Re: Minimum NTFS Permissions on the SystemDrive
      ... File system and registry access control list modifications ... Microsoft Windows XP and Microsoft Windows Server 2003 have considerably ... You can no longer use the Anonymous security ... Additional ACL changes may invalidate all or most of the application ...
      (microsoft.public.windows.server.security)
    • Re: Newbie security programming questions
      ... > I am trying to get to the GUI described in this page to change the ACL ... > Is GUI ACL viewer not available with all versions of Windows? ... How to disable simplified sharing and set permissions on a shared folder ...
      (microsoft.public.platformsdk.security)
    • Re: Pricing ACL / 2 royalties?
      ... > YOu could price your Allegro Lisp application as, ... If my company sells product X, built with ACL then a customer Z who buy ... X would have to pay: ... > $500 for Windows XX + Adobe ...
      (comp.lang.lisp)
    • Re: More Before-The-Fact-Isms II, blocking viruses and spyware through NTFS
      ... > When you manually specify all of the ACL flags, it seems to work as though ... >> Do you only support english versions of Windows? ... > specify it in a template. ... I'd also rip off USB connectors. ...
      (microsoft.public.security)
    • Documentation of proper NTFS ACLs
      ... Has Microsoft documented proper NTFS ACL listings ... for system folders in Windows 2000 and Windows XP? ... know what the proper ACL settings should be. ...
      (microsoft.public.win2000.security)