Re: Where does permissions for new devices came from?




"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message
news:OUoc9m5uGHA.3496@xxxxxxxxxxxxxxxxxxxxxxx
You can define NTFS ACLs in the security policy but that applies to drive
letters and not to removable storage. The default permissions for any
drive would be Admins+system+creator owner = full control, users = RWX
(subsequently full control over new directories and files), anyone = RX.

Most removable media has FAT32 file system where there's no file security.
The best approach is to assign permissions after converting to NTFS.


Yes, but as to just where the default NTFS perms are stored, at first
I suspected it would be a registry blob, which I did not however locate.
The component for making partitions seems to have a reference to a
file with db in its extension (?) . . . Seems like this is one where you
have to just bite the bullet and sit down to read some code to find out.


"Eric Chaves" <eric.dot.chaves@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%235V9DaiuGHA.2392@xxxxxxxxxxxxxxxxxxxxxxx
Hi Pidgorny,

Thanks for the answer, but I think I didn't make myself clear. What
I'd like to find out is how Windows decides which permissions should apply
in new drives/devices upon attachment. Are those NTFS permissions
hardcoded or do they come from some template? I know that during
installation of either a Windows XP or Windows Server, a security
template located at "c:\windows\security\templates\setup security.inf" is
applied setting up, among other things, default NTFS permissions on both
system folders and registry.
I know I can customize this template to attribute a custom permission
to a specific drive, for example give "Authenticated Users" a "read &
write only" on "D:\". But how can I set this up for drives whose assigned
letter I don't know yet? Is it possible?
How could I allow users to read & write from pendrives, but not
execute anything, for example? Since it's removable storage it could get
any letter path.

Cheers,

"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message
news:ugUi0mHuGHA.2224@xxxxxxxxxxxxxxxxxxxxxxx
Hi Eric:
"Eric Chaves" <eric.dot.chaves@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:%23MNXDY9tGHA.4208@xxxxxxxxxxxxxxxxxxxxxxx

When we add a new device drive (like a USB, or new HD) in either
Windows XP or Windows 2003 Server, where do default permissions come
from?

Stored in the filesystem on the device.

Is it possible to customize Security Policy with custom
permissions for *any* new storage device attached?

Don't think so.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
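
The thread's two points, that NTFS permissions are stored in the filesystem on the device and that FAT32 media carry no file security, can be checked on whatever removable drives are attached. The PowerShell below is an added example, not part of the original posts; it assumes a Windows version that ships `Get-CimInstance` (newer than the Windows XP/2003 systems discussed), and treating every non-NTFS volume as ACL-less is a simplification.

```powershell
# Added example (not from the thread). Lists attached removable volumes and,
# for NTFS ones, the ACL stored on the volume root.
# DriveType 2 is "removable disk" in the Win32_Volume class; USB hard disks
# that report as fixed disks (DriveType 3) are not covered by this filter.
$volumes = Get-CimInstance -ClassName Win32_Volume -Filter 'DriveType = 2' |
    Where-Object { $_.DriveLetter }          # skip volumes with no drive letter

foreach ($vol in $volumes) {
    $root = $vol.DriveLetter + '\'           # e.g. "E:\"

    if ($vol.FileSystem -ne 'NTFS') {
        # Simplification: treat every non-NTFS volume as having no per-file
        # security, as the thread says of FAT32.
        [pscustomobject]@{
            Drive      = $root
            FileSystem = $vol.FileSystem
            Identity   = '(no ACLs on this filesystem)'
            Rights     = $null
            Type       = $null
            Inherited  = $null
        }
        continue
    }

    # The ACL is read from the volume itself, so the same device shows the
    # same entries whichever drive letter it is mounted under.
    foreach ($ace in (Get-Acl -LiteralPath $root).Access) {
        [pscustomobject]@{
            Drive      = $root
            FileSystem = $vol.FileSystem
            Identity   = $ace.IdentityReference.Value
            Rights     = $ace.FileSystemRights
            Type       = $ace.AccessControlType
            Inherited  = $ace.IsInherited
        }
    }
}
```

Piping the output to `Format-Table -AutoSize` gives one row per access entry, which makes it easy to spot removable volumes where ordinary users hold more than the intended rights.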







