Re: Write Attributes and Write Extended Attributes

From: Will (DELETE_westes_at_earthbroadcast.com)
Date: 11/07/05

  • Next message: Andy: "Re: IIS5/COM permissions problem" 
    Date: Sun, 6 Nov 2005 20:48:39 -0800

    So what is the workaround to a badly behaved application? I assume it is
    setting some environment setting that is inherited whenever it starts some
    process? It really does pollute the event log to see constand security
    messages of this kind. 

    -- 
Will
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:OgW86Wu3FHA.636@TK2MSFTNGP10.phx.gbl...
> I do not believe that Windows does need such permissions, as you have
> stated.  When I enable logging similarly I do not get what you indicate
> in the event log.  Thus, I am thinking it is some other aspect of the
total
> system load, MS plus other software, that is operative here.  It used to
> be pretty common to see software developers being lazy and not using
> a minimal list of requested accesses when getting handles to things, and
> that is MS and third-party developers, so perhaps there is some such
> residual older software installed ??
>
> "Will" <westes-usc@noemail.nospam> wrote in message
> news:e4%23082f3FHA.4076@TK2MSFTNGP15.phx.gbl...
> > Can someone explain to me why many Windows 2000 applications appear to
> > require that anyone with read and execute permission has "write
> > attributes"
> > and "write extended attributes" permissions enabled?   When I turn on
> > auditing, I see hundreds of messages in the eventviewer security log for
> > nearly everyone in the Users group for failing to acquire needed
> > permissions
> > on cmd.exe, shell32.dll, etc.   In examining the permission list that
the
> > users need, the only permissions we have failed to enable for users are
> > "write attributes" and "write extended attributes".   Those permissions
> > don't seem like something you would want to give users for every file on
> > the
> > system, and I'm perplexed why Windows would need such permissions on
many
> > of
> > its applications.
> >
> > -- 
> > Will
> >
> >
>
>
  • Next message: Andy: "Re: IIS5/COM permissions problem"

    Relevant Pages

    • Re: WMI wouldnt start. My fix.
      ... Event Log initially showed (when I started ... are times when WMI needs Event Log and times when it doesn't... ... On the launch permissions, ... Oh wait, you mentioned Windows Firewall... ...
      (microsoft.public.windowsxp.wmi)
    • Re: Writing to the Event Log in Windows Service
      ... > exactly the same techniques that I've used for other apps (Web apps, windows ... I think this is most likely a permissions issue - have you ... >> windows event log by utilizing a custom event log class that inhertis from ...
      (microsoft.public.dotnet.framework)
    • Re: ASPNET cant write in event log on win XP
      ... > I didn't have this problem on windows 2000. ... I set full control to everyone on every drive of my ... Changing file and folder permissions isn't going to help anything. ... to change permissions for the Event Log. ...
      (microsoft.public.dotnet.framework.aspnet)
    • Re: Write Attributes and Write Extended Attributes
      ... At the API level an application can state what permissions ... Lazy authors just ask for everything, ... > setting some environment setting that is inherited whenever it starts some ... It really does pollute the event log to see constand security ...
      (microsoft.public.windows.server.security)
    • RE: What server hardening are you doing these days?
      ... permissions on their data, and Microsoft encourages ISVs to minimize ... I've been able to discuss ACLs and other security issues in Windows with ... Control or DAC (which is what you're referring to by the "stupid ...
      (Focus-Microsoft)
    • Quantcast