Re: 2003 home folder security problem

From: Dmitry Korolyov [MVP] (d__k_at_removethispart.mail.ru)
Date: 08/09/04


Date: Mon, 9 Aug 2004 17:23:46 +0400

Well, in fact for me, cancelling permissions inheritance is what I call a
security fly. With cancelled inheritance, you can forget about permissions
defined at the child level. Then you apply additional (or modify existing)
permissions to the parent container and think that everything is ok. But it
is not, and as a result you may get lots of user complaints, and potential
security problems.

I feel more secure with inherited permissions. They just feel more
consistent this way. And note also that there are very very very rare cases
when a certain security scheme cannot be implemented without cancelling
inheritance at container levels. Both NTFS and AD security models allow you
to manipulate permissions very precisely, and you can do almost everything
with this model - without cancelling inheritance.

-- 
Dmitry Korolyov [d__k@removethispart.mail.ru]
MVP: Windows Server - Active Directory
  "Dan King" <danking65@earthlink.net> wrote in message
  news:uGY70o8eEHA.4068@TK2MSFTNGP11.phx.gbl...
  Thanks for the response Dmitry,
  When creating a user's home folder ADUC does not ask if you want to grant
  full rights, unless the folder already exists. In which case, it still does
  not prevent inheritance from the parent.
  Your second point about applying rights only to the parent folder is a good
  one.
  It just seems to me that allowing permissions to be inherited by default
  could be a potential security hole. If rights get applied incorrectly at the
  parent folder, you could open up access to very private/confidential
  information.
  Dan
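
An added example, not part of the original thread: a PowerShell audit that lists the folders below a parent where inheritance has been cancelled, together with the explicit ACEs set on them, so a permission change made on the parent is not assumed to have reached them. The root path `D:\Home` and the function name `Get-BlockedInheritance` are assumptions for illustration.

```powershell
# Added example. $Root is a hypothetical home-folder share root; adjust it.
param(
    [string]$Root = 'D:\Home'
)

function Get-BlockedInheritance {
    param([Parameter(Mandatory)][string]$Path)

    # Walk every subfolder; folders that cannot be enumerated are skipped here,
    # folders whose ACL cannot be read are reported below.
    Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            try {
                $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            } catch {
                [pscustomobject]@{
                    Folder       = $dir.FullName
                    Owner        = $null
                    Inheritance  = 'ACL unreadable'
                    ExplicitAces = $_.Exception.Message
                }
                return   # next folder
            }

            # AreAccessRulesProtected is $true when the DACL does not inherit
            # from the parent, so ACEs added at the parent never arrive here.
            if ($acl.AreAccessRulesProtected) {
                $explicit = $acl.Access |
                    Where-Object { -not $_.IsInherited } |
                    ForEach-Object {
                        '{0} {1} {2}' -f $_.AccessControlType,
                                         $_.IdentityReference,
                                         $_.FileSystemRights
                    }
                [pscustomobject]@{
                    Folder       = $dir.FullName
                    Owner        = $acl.Owner
                    Inheritance  = 'blocked'
                    ExplicitAces = $explicit -join '; '
                }
            }
        }
}

# Review this list before and after changing permissions on the parent.
Get-BlockedInheritance -Path $Root | Format-Table -AutoSize -Wrap
```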

