Re: NTFS Security Question.



Thanks Steven. The advanced page did it - DOH!!!

Now, I'm still not sure why the "DENY" allowed this? My understanding (and
I've been an SE and MCT for over 20 years) is that DENY means exactly that.

In the NIX world, deny meand DENY as it does in NDS. Hmmm, perhaps I can get
rich off this and explain to the Gates Empire. NOT!

Anyway, I've been all over the web, and chatted with a lof of people. In
fact, I gave perms to a fellow in Boca Raton (whom I've know for years) to
vpn in and he checked. He was quite surprised as well.

Still looking into it, there must be something that I'm missing, but in the
meantime the Advanced Props fixed it.

Again, tx.

Wiley.

Wiley.
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ks-dndyyOoxa6nfZnZ2dnUVZ_oudnZ2d@xxxxxxxxxxxxxx
Hmm. You might also check the advanced page for special permissions and
remove the two special permissions for users there for creating folders
and files to see if that makes a difference. It should work just by making
sure users do not have write permissions which is an implicit deny. If you
are testing with a user account that you changed group membership on make
sure you logoff as that user so that the new logon will reflect changes in
group membership.

Steve


"Wiley Coyote - N2K" <mits_mvp@xxxxxxxx> wrote in message
news:%23gzxRgWxGHA.2448@xxxxxxxxxxxxxxxxxxxxxxx
I believe I posted this in the WRONG post - oops.

So:

I have set NTFS perms on the Root of my system volume to EVERYONE: Deny
Write. Yet, I can still create folders and files! I've been an SE for a
longggg time and never saw this before. The perms are at the Root, so
there
is nothing to inherit.

This acount that I am using is NOT a member of any supernumery group,
just
a plain Jane user account. I logged in with admin rights to check the
NTFS
perms and all seems to be OK as follows:

System: CHANGE (not FC),
Everyone Read & Exec, List, Read ((Deny Write),
C.O. : nada,
Administrators: Change,
Users: Read & Exec, List, Read (Deny Write)

One of the reasons for this level of security is to prevent certain web
sites from dropping VB apps in the root and other silly things.

Anyway, just curious as to why I can (as an ordinary user) do this.

If anyone know what is happending that would be good.

Thanks.







.