Zone: Microsoft News > microsoft.public.windows.vista.security

LTCstudent <gue
NewsGroup User
Please help with this NTFS question... 10/13/2009 1:50:43 AM

This is a question from my book that my friend and I are struggling
with.



::*A user is assigned Read permission to the NTFS folder C:\ACCOUNTING.
They require full access to C:\ACCOUNTING\FORMS. This can be
accomplished by:*
::
*A)* not possible

*B)* blocking permission inheritance at C:\ACCOUNTING\FORMS and
assigning the user Full control to C:\ACCOUNTING\FORMS

*C)* assigning the user Full control to C:\ACCOUNTING

*D)* blocking permission inheritance at C:\ACCOUNTING and assigning the
user Full control to C:\ACCOUNTING\FORMS

*E)* assigning the user Full control to C:\ACCOUNTING\FORMS



My friend believes the answer is *E*. I believe that may give you the
same end result that you are looking for, but that would be assuming
that the _Full_Control_ permission would override the _Read_ permission
(which may be true, but our book doesn't specifically state anything
like that).

I personally believe the answer is *B* because when you deny the
permission inheritance, it will (as stated in the book) prompt you to
clarify whether the permissions should be copied or just removed
entirely. Then you can clarify what permission the C:\ACCOUNTING\FORMS
folder should have.



His reasoning is (I think this is crap by the way) that the book wants
us to go the "shortest" route possible, similar to computer programming.
The analogy he used was that when you are writing a program you try to
write the program as small and use as few steps as possible in order to
make the program as efficient as possible and that is the same with this
question and that is why E is right. :sarc:

My reasoning is that the book explains permissions as though you should
remove the inheritance from the folder then assign the permission the
way you want the person to have them. Period.

Please help us figure this out. We have a mid-term Wednesday (in 2
days) and I'm beginning to get confused. TIA


--
LTCstudent

Beckett <becket
NewsGroup User
Re: Please help with this NTFS question... 10/13/2009 5:53:09 AM

On Mon, 12 Oct 2009 20:50:43 -0500, LTCstudent
<guest@unknown-email.com> wrote:

My final answer is:

>*E)* assigning the user Full control to C:\ACCOUNTING\FORMS


"Tae Song" <tae
NewsGroup User
Re: Please help with this NTFS question... 10/13/2009 1:26:44 PM


I picked E)


User only has read access to ACCOUNTING, so blocking inherited rights is
pointless since you're giving the user full access to the sub-directory
FORMS.

Now, if you wanted the user to have full access to ACCOUNTING and limited
access to FORMS, then you would want to block inherited rights and set
permission accordingly, like read access.

B) would accomplish the same results, but it has an unnecessary step and
is therefore not the best answer.

"Peter Foldes"
NewsGroup User
Re: Please help with this NTFS question... 10/13/2009 4:05:36 PM

E

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

LTCstudent <gue
NewsGroup User
Re: Please help with this NTFS question... 10/13/2009 10:31:16 PM


Ok... When I checked the forum for responses to my question this morning
before school, I had 2 responses: One saying the answer was *E* and the
other saying the answer was *B*. That kind of sucked, but I wasn't
worried because I figured I would just ask one of the teachers at
school.

Well, I asked Teacher #1 who is really knowledgeable about Server and
permissions (he teaches Server, Exchange, etc at the school) and he said
the answer was *B*. But then I mentioned it to Teacher #2 (who actually
teaches the class where this question arose) and he said the answer was
*E*. I guess 'street smarts' would say just go with the teacher who is
teaching the class and be done with it, but I really want to understand
this stuff.

So now I've returned from school and it looks like the consensus on
this forum is that the correct answer is *E* which is fine. BUT Teacher
#1 made a convincing point to me. He stated that the _only_ permission
assigned to a folder (c:\accounting\forms) that can override the
inheritance permission is the 'Deny' permission unless you -block the
permission inheritance-.

If the answer is *E* that would mean that 'Full Control' can also
override the 'Read' permission. I'm assuming you guys say this because
assigning 'Full Control' permission is giving the user more control
therefore it will take precedence?


I don't know. I'm not trying to aggravate anyone here and I'm not
trying to insult anyone's knowledge in NTFS security, I'm just trying to
understand why the answer is *E* and not *B* and why there are so many
professionals giving different answers. Thanks again.


--
LTCstudent

Beckett <becket
NewsGroup User
Re: Please help with this NTFS question... 10/13/2009 11:26:15 PM

On Tue, 13 Oct 2009 17:31:16 -0500, LTCstudent
<guest@unknown-email.com> wrote:


>I don't know. I'm not trying to aggravate anyone here and I'm not
>trying to insult anyone's knowledge in NTFS security, I'm just trying to
>understand why the answer is *E* and not *B* and why there are so many
>professionals giving different answers. Thanks again.

Both methods would work but why bother with B when E will suffice?

"Tae Song" <tae
NewsGroup User
Re: Please help with this NTFS question... 10/15/2009 10:53:49 AM


"LTCstudent" <guest@unknown-email.com> wrote in message
news:c1c924a6bfa9e0a128bfe6dc42a6bccf@nntp-gateway.com...
>
> Ok... When I checked the forum for responses to my question this morning
> before school, I had 2 responses: One saying the answer was *E* and the
> other saying the answer was *B*. That kind of sucked, but I wasn't
> worried because I figured I would just ask one of the teachers at
> school.
>
> Well, I asked Teacher #1 who is really knowledgeable about Server and
> permissions (he teaches Server, Exchange, etc at the school) and he said
> the answer was *B*. But then I mentioned it to Teacher #2 (who actually
> teaches the class where this question arose) and he said the answer was
> *E*. I guess 'street smarts' would say just go with the teacher who is
> teaching the class and be done with it, but I really want to understand
> this stuff.
>
> So now I've returned from school and it looks like the consensus on
> this forum is that the correct answer is *E* which is fine. BUT Teacher
> #1 made a convincing point to me. He stated that the _only_ permission
> assigned to a folder (c:\accounting\forms) that can override the
> inheritance permission is the 'Deny' permission unless you -block the
> permission inheritance-.
>

OK, now you're just trying to come up with a scenario where answer B might
work better and misinterpreted what Teacher #1 is saying to fit your
argument.

There are three states of access control.

Expressly granted access
If your name is on the guest list you get in.
The host knows you and you've been invited.

No access permission granted
Your name is not on the guest list, you are not getting in.
The host does not know you and you're not invited in.

Expressly denied access
Your name appears on the list of people forbidden to enter, you're not getting
in.
The host knows you and told the guards to keep you out.


It seems to me, you're confusing "No access permission granted" with
"Expressly denied access." In the original scenario, it does not mention
"deny" at all. Not being granted access is not the same as expressly denied
access, although the net result is the same.

If you are expressly denied access to the party, but want to use the
port-a-potty out back and the guard at the port-a-potty is told to let you
use it, you can. In this case, Teacher
#1 is wrong. Block permission inheritance doesn't do any good here.
Expressly granted permission overrides denied inherited permission. As long
as you bypass the party and go directly to the port-a-potty.

Using the Command Prompt, you can CD (change directory) to
/Party/Port-a-Potty, but you can't CD to /Party.


Only "Expressly granted access" will get you in. "No permissions granted"
means you aren't granted access and "Expressly denied access" means you are
denied access by name. The latter two deny you permission.

Block permission inheritance is used when you want the subfolder to have
tighter restrictions than the parent folder. You want to grant full access
to ACCOUNTING, but only READ access to FORMS. So you use block permission
inheritance so the user doesn't get full access to FORMS, because they
inherited full access from ACCOUNTING.


> If the answer is *E* that would mean that 'Full Control' can also
> override the 'Read' permission. I'm assuming you guys say this because
> assigning 'Full Control' permission is giving the user more control
> therefore it will take precedence?
>

I strongly disagree with the usage of "override".

It's a logical AND, you have Read access AND Full Control, net permission
access is Full Control. Now, if you had inherited Expressly denied read
access and receive Full access control THEN that would override the
inherited expressly denied read access.

Blocking permission inheritance so the user doesn't get Read access makes no
sense if the net permission access is going to be Full Control. It doesn't
hurt, but it's a pointless gesture.

You want to block permission inheritance if you want to limit the access to
subfolders. It resets the access permissions, so you start with no access
granted. Then access permissions are added from there, rather than
inherited from the parent.


>
> I don't know. I'm not trying to aggravate anyone here and I'm not
> trying to insult anyone's knowledge in NTFS security, I'm just trying to
> understand why the answer is *E* and not *B* and why there are so many
> professionals giving different answers. Thanks again.
>
>
> --
> LTCstudent


Well, I haven't seen anyone pick B and you misinterpreted Teacher #1 and he
is also wrong about usage of block permission inheritance.


I would stick with what Teacher #2 says, he seems to know what he is talking
about. He IS the one teaching the class and you can do your own tests to
verify what he says is true.

But that's just my opinion.

Thanks to your post, I had to do some investigating and I ended up learning
a thing or two about NTFS security.


"FromTheRafters
NewsGroup User
Re: Please help with this NTFS question... 10/15/2009 3:55:05 PM

"Tae Song" <tae_song@hotmail.com> wrote in message
news:406C5B33-706A-4168-9109-3CC68139303E@microsoft.com...
>
> "LTCstudent" <guest@unknown-email.com> wrote in message
> news:c1c924a6bfa9e0a128bfe6dc42a6bccf@nntp-gateway.com...
>>
>> Ok... When I checked the forum for responses to my question this
>> morning
>> before school, I had 2 responses: One saying the answer was *E* and
>> the
>> other saying the answer was *B*.

What I said was that I thought the "expected answer" was *B*, not that
it was the *right* answer. Often what is taught in schools is not
*right*. My thinking was that the teacher may be stressing a point to be
considered during your current level of understanding. I didn't like any
of the choices given. I thought (and it might be stressed later on) that
creating a group with the desired permissions and placing that *user* in
that group would be best (Occam's razor be damned) for manageability.
Then, is the user's need to have full access truly correct - does he or
she *need* "take ownership" or "change permissions" - perhaps "modify"
rights would be sufficient (least privilege). Is it really desired that
some permissions for that subfolder be contingent upon whatever changes
to the parent folder are made in the future? If so, you would want
inheritance to remain intact.

>> That kind of sucked, but I wasn't
>> worried because I figured I would just ask one of the teachers at
>> school.

They probably stress "Occam's razor" and have the simplest solution
being the *correct* solution.

Can you foresee the mess created by adding more individual users and
their desired permissions by explicit deny or allow on an object? When
(and if) there comes a time to rescind access, will you be able to keep
track of who has access to what?

>> Well, I asked Teacher #1 who is really knowledgeable about Server and
>> permissions (he teaches Server, Exchange, etc at the school) and he
>> said
>> the answer was *B*. But then I mentioned it to Teacher #2 (who
>> actually
>> teaches the class where this question arose) and he said the answer
>> was
>> *E*. I guess 'street smarts' would say just go with the teacher who
>> is
>> teaching the class and be done with it, but I really want to
>> understand
>> this stuff.

Teacher two (teaching the class in question) will give you the *correct*
answer for that class, so go with it.

>> So now I've returned from school and it looks like the consensus on
>> this forum is that the correct answer is *E* which is fine. BUT
>> Teacher
>> #1 made a convincing point to me. He stated that the _only_
>> permission
>> assigned to a folder (c:\accounting\forms) that can override the
>> inheritance permission is the 'Deny' permission unless you -block the
>> permission inheritance-.

He is wrong. A specific allow will take precedence over an inherited
deny.

The first check (after any Mandatory Label check) is the first ACE entry
which "should be" the explicit deny, then the explicit allow, then the
inherited deny, then the inherited allow (followed by grandparent
inheritance etcetera as required).

> OK, now you're just trying to come up with a scenario where answer B
> might work better and misinterpreted what Teacher #1 is saying to fit
> your argument.

If teacher #1 really said that specific allow won't take precedence
over inherited deny, I think he is wrong.

If *both* an allow and a deny appear at the same tier, the deny will
take precedence however.

> There's three states of access control.
>
> Expressly granted access
> If your name is on the guest list you get in.
> The host knows you and you've been invited.
>
> No access permission granted
> Your name is not on the guest list, you are not getting in.
> The host does not know you and you're not invited in.

Please mister bouncer, check your *other* list if no specific deny or
allow is found on *this* list.

(I'm in the "bartender" and "firewatch" groups - so if you want drinks
and fire extinguishers at the ready....)

[...]
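
The evaluation order described in the post above (explicit deny, explicit allow, inherited deny, inherited allow), as an added example that is not part of any post in this thread: a simplified Python model of walking a DACL in canonical order. The `Right` flags, the names `alice`, `bob`, `carol`, `auditors` and `app-users`, and all helper functions are constructed for illustration and are not Windows APIs; option B is modelled with the inherited entries removed rather than copied.

```python
from dataclasses import dataclass
from enum import IntFlag


class Right(IntFlag):
    """Simplified stand-ins for NTFS access-mask bits (constructed, not real values)."""
    READ = 1
    WRITE = 2
    EXECUTE = 4
    DELETE = 8
    CHANGE_PERMISSIONS = 16
    TAKE_OWNERSHIP = 32


# "Modify" versus "Full Control": the difference is the last two rights.
MODIFY = Right.READ | Right.WRITE | Right.EXECUTE | Right.DELETE
FULL_CONTROL = MODIFY | Right.CHANGE_PERMISSIONS | Right.TAKE_OWNERSHIP


@dataclass(frozen=True)
class Ace:
    allow: bool      # True = allow ACE, False = deny ACE
    trustee: str     # user or group name standing in for a SID
    mask: Right
    depth: int = 0   # 0 = explicit, 1 = inherited from parent, 2 = grandparent


def canonical(dacl):
    """Explicit before inherited; within one tier, deny before allow."""
    return sorted(dacl, key=lambda ace: (ace.depth, ace.allow))


def inherit(parent_dacl):
    """ACEs a child receives from its parent when inheritance is left on."""
    return [Ace(a.allow, a.trustee, a.mask, a.depth + 1) for a in parent_dacl]


def access_check(dacl, token, desired):
    """Walk the DACL in order until every requested bit is allowed or one is denied."""
    remaining = int(desired)
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue
        if not ace.allow:
            if int(ace.mask) & remaining:
                return False          # a still-needed right hit a deny first
        else:
            remaining &= ~int(ace.mask)
            if remaining == 0:
                return True           # everything requested has been allowed
    return False                      # no matching allow left: implicit denial


def scenarios():
    alice = {"alice"}
    auditor = {"carol", "auditors"}
    bob = {"bob", "app-users"}
    # C:\ACCOUNTING: the user (and, as an assumption, an auditors group) has Read.
    accounting = [Ace(True, "alice", Right.READ),
                  Ace(True, "auditors", Right.READ)]
    # Option E: explicit Full Control on FORMS, inheritance left on.
    option_e = [Ace(True, "alice", FULL_CONTROL)] + inherit(accounting)
    # Option B: inheritance blocked, inherited ACEs removed, then Full Control.
    option_b = [Ace(True, "alice", FULL_CONTROL)]
    parent_denies_write = [Ace(False, "alice", Right.WRITE)]
    app_dir = [Ace(True, "app-users", MODIFY)]
    return {
        "inherited_read_only_write": access_check(inherit(accounting), alice, Right.WRITE),
        "option_e_full": access_check(option_e, alice, FULL_CONTROL),
        "option_b_full": access_check(option_b, alice, FULL_CONTROL),
        "option_e_auditor_read": access_check(option_e, auditor, Right.READ),
        "option_b_auditor_read": access_check(option_b, auditor, Right.READ),
        "explicit_allow_vs_inherited_deny": access_check(
            [Ace(True, "alice", Right.WRITE)] + inherit(parent_denies_write),
            alice, Right.WRITE),
        "same_tier_deny_wins": access_check(
            [Ace(True, "alice", Right.WRITE), Ace(False, "alice", Right.WRITE)],
            alice, Right.WRITE),
        "modify_can_write": access_check(app_dir, bob, Right.WRITE),
        "modify_cannot_change_permissions": access_check(
            app_dir, bob, Right.CHANGE_PERMISSIONS),
    }


if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name:36} {'granted' if granted else 'denied'}")
```

For the user in the question, E and B give the same result; they differ for every other principal that relied on entries inherited from C:\ACCOUNTING, and in whether later changes to the parent still reach FORMS.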



LTCstudent <gue
NewsGroup User
Re: Please help with this NTFS question... 10/16/2009 5:55:42 PM


Thanks for the feedback and the microscopic details I asked for. :) I
don't really care which answer was correct, but *B* seemed more thorough
so I was convinced it was correct and was confused as to why someone
would just do *E*.

If it is possible to have a NTFS permission (that is directly assigned)
override the inherited permission... then so be it. It just didn't
"feel" right to me and the book didn't specifically state it. But like I
said... thanks guys for clarifying it.


--
LTCstudent

Bruce Chambers
NewsGroup User
Re: Please help with this NTFS question... 10/17/2009 10:59:25 PM

LTCstudent wrote:
> This is a question from my book that my friend and I are struggling
> with.
>
>
>
> ::*A user is assigned Read permission to the NTFS folder C:\ACCOUNTING.
> They require full access to C:\ACCOUNTING\FORMS. This can be
> accomplished by:*
> ::
> *A)* not possible
>
> *B)* blocking permission inheritance at C:\ACCOUNTING\FORMS and
> assigning the user Full control to C:\ACCOUNTING\FORMS
>
> *C)* assigning the user Full control to C:\ACCOUNTING
>
> *D)* blocking permission inheritance at C:\ACCOUNTING and assigning the
> user Full control to C:\ACCOUNTING\FORMS
>
> *E)* assigning the user Full control to C:\ACCOUNTING\FORMS
>
>

>
>

None of those answers are correct. A knowledgeable administrator will
never give "Full Control" to an ordinary user. At the most, one would
grant users "Modify" permissions.


--

Bruce Chambers

Help us help you:
http://www.catb.org/~esr/faqs/smart-questions.html

http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot

"Michael D. Obe
NewsGroup User
Re: Please help with this NTFS question... 10/18/2009 2:35:23 AM

"Bruce Chambers" <bchambers@cable0ne.n3t> wrote in message
news:OER2813TKHA.5164@TK2MSFTNGP02.phx.gbl...
> LTCstudent wrote:
>> This is a question from my book that my friend and I are struggling
>> with.
>>
>>
>>
>> ::*A user is assigned Read permission to the NTFS folder C:\ACCOUNTING.
>> They require full access to C:\ACCOUNTING\FORMS. This can be
>> accomplished by:*
>> ::
>> *A)* not possible
>>
>> *B)* blocking permission inheritance at C:\ACCOUNTING\FORMS and
>> assigning the user Full control to C:\ACCOUNTING\FORMS
>>
>> *C)* assigning the user Full control to C:\ACCOUNTING
>>
>> *D)* blocking permission inheritance at C:\ACCOUNTING and assigning the
>> user Full control to C:\ACCOUNTING\FORMS
>>
>> *E)* assigning the user Full control to C:\ACCOUNTING\FORMS
>>
>>
>
>>
>>
>
> None of those answers are correct. A knowledgeable administrator will
> never give "Full Control" to an ordinary user. At the most, one would grant
> users "Modify" permissions.
>
>
> --
>
> Bruce Chambers
>

The problem with the "Modify" priv is that there are still a lot of programs
that require Full Control, even for non administrative users. Given this
real world restriction, E is the best answer.

Mike Ober.

Bruce Chambers
NewsGroup User
Re: Please help with this NTFS question... 10/18/2009 3:36:09 AM

Michael D. Ober wrote:
>
>>
>> None of those answers are correct. A knowledgeable administrator will
>> never give "Full Control" to an ordinary user. At the most, one would
>> grant users "Modify" permissions.
>>
>>
>> --
>>
>> Bruce Chambers
>>
>
> The problem with the "Modify" priv is that there are still a lot of
> programs that require Full Control, even for non administrative users.


Curious. I've been supporting NTFS-formatted WinNT/Win2K/WinXP work
stations in both workgroup and domain environments for over a decade,
and never come across any application, no matter how poorly written,
that required the user to have full control. Have any specific examples?


--

Bruce Chambers


"Michael D. Obe
NewsGroup User
Re: Please help with this NTFS question... 10/18/2009 2:40:20 PM

"Bruce Chambers" <bchambers@cable0ne.n3t> wrote in message
news:unQ1mQ6TKHA.2836@TK2MSFTNGP04.phx.gbl...
> Michael D. Ober wrote:
>>
>>>
>>> None of those answers are correct. A knowledgeable administrator will
>>> never give "Full Control" to an ordinary user. At the most, one would
>>> grant users "Modify" permissions.
>>>
>>>
>>> --
>>>
>>> Bruce Chambers
>>>
>>
>> The problem with the "Modify" priv is that there are still a lot of
>> programs that require Full Control, even for non administrative users.
>
>
> Curious. I've been supporting NTFS-formatted WinNT/Win2K/WinXP work
> stations in both workgroup and domain environments for over a decade, and
> never come across any application, no matter how poorly written, that
> required the user to have full control. Have any specific examples?
>

Bruce,

Non and small-networked versions of packages, including older versions of
Quickbooks, Intel-a-Check (a check printing program), tend to require full
control. We have several of these where I work because only one person
needs the access, but in order to back up their databases we put them on a
mapped drive. We have also tried some newer, non-client/server, medical
billing applications that don't work without Full Control. Dumped all those
because of other problems with them.

That said, I always try Modify first and then only switch to full control if
Modify doesn't work. My strategy for these packages is to create a domain
security group for that application and put only the people who need these
applications in it. The application's security group has full control of
the directory structure the application is using, but isn't listed in the
higher level directory structure. Then I install the offending application
only on the workstations for those individuals. It causes a little
heartburn when a new employee can't do their job, but I always tell their
managers that if they run into access restrictions to call and we'll grant
the access. It's a small company so I know all the managers.

Mike.




Bruce Chambers
NewsGroup User
Re: Please help with this NTFS question... 10/18/2009 4:56:24 PM

Michael D. Ober wrote:
>
>>
>> Curious. I've been supporting NTFS-formatted WinNT/Win2K/WinXP work
>> stations in both workgroup and domain environments for over a decade,
>> and never come across any application, no matter how poorly written,
>> that required the user to have full control. Have any specific examples?
>>
>
> Bruce,
>
> Non and small-networked versions of packages, including older versions
> of Quickbooks, Intel-a-Check (a check printing program), tend to require
> full control.


I'm not familiar with Intel-a-Check, but I do recall that Intuit (maker
of Quickbooks) was very, very slow (glacial is the term I'd use) to
adapt their products to the increasingly secure, newer versions of
Windows. That's why I've always advised my clients to avoid them,
whenever possible. Still, I don't recall ever having to grant Full
Control to make it work. Might be a difference in network
infrastructure design?



> We have several of these where I work because only one
> person needs the access, but in order to back up their databases we put
> them on a mapped drive. We have also tried some newer,
> non-client/server, medical billing applications that don't work without
> Full Control. Dumped all those because of other problems with them.
>


Part of your issue may be that these applications simply aren't
designed for use via a network share, and not just a permissions issue.
It's hard to say without delving into the depths of each application.
Are the program's executables also located on the network share? It's
generally possible, with most applications, anyway, to have the program
reside on the local hard drive, but configured to store its data elsewhere.


> That said, I always try Modify first and then only switch to full
> control if Modify doesn't work.


Good. One should always start with the lowest privilege level, and
grant elevated privileges only where needed.


> My strategy for these packages is to
> create a domain security group for that application and put only the
> people who need these applications in it. The application's security
> group has full control of the directory structure the application is
> using, but isn't listed in the higher level directory structure. Then I
> install the offending application only on the workstations for those
> individuals.



Again, good. A perfectly sensible approach, and much simpler to
administer than by granting by-name access to individual files/folders.
However, I'd still be concerned that some user, thinking he/she knows
better than you (and there's always at least one of those in any
organization), either locking *everyone* - think "Deny" - out of
something they need, or granting unauthorized access to one of their
buddies because it takes too long to "go through proper channels."


> It causes a little heartburn when a new employee can't do
> their job, but I always tell their managers that if they run into access
> restrictions to call and we'll grant the access. It's a small company
> so I know all the managers.
>

And once again, your approach is correct. I don't see why it would
cause any "heartburn." After all, as you've mentioned medical billing
software, I presume you're often dealing with extremely sensitive
personal information (HIPAA rules?); I don't see how anyone -
particularly "managers" - could object to your protecting that data and
simultaneously protecting your employer from potentially ruinous lawsuits.


--

Bruce Chambers


"Michael D. Obe
NewsGroup User
Re: Please help with this NTFS question... 10/19/2009 12:11:45 AM

"Bruce Chambers" <bchambers@cable0ne.n3t> wrote in message
news:eLa8tPBUKHA.508@TK2MSFTNGP06.phx.gbl...
>
> Michael D. Ober wrote:
>>
>>>
>>> Curious. I've been supporting NTFS-formatted WinNT/Win2K/WinXP work
>>> stations in both workgroup and domain environments for over a decade,
>>> and never come across any application, no matter how poorly written,
>>> that required the user to have full control. Have any specific
>>> examples?
>>>
>>
>> Bruce,
>>
>> Non and small-networked versions of packages, including older versions of
>> Quickbooks, Intel-a-Check (a check printing program), tend to require
>> full control.
>
>
> I'm not familiar with Intel-a-Check, but I do recall that Intuit (maker of
> Quickbooks) was very, very slow (glacial is the term I'd use) to adapt
> their products to the increasingly secure, newer versions of Windows.
> That's why I've always advised my clients to avoid them, whenever
> possible. Still, I don't recall ever having to grant Full Control to make
> it work. Might be a difference in network infrastructure design?
>
>

Personally, I can't stand Intuit products, but our corporate standard as
well as third party auditors is for Quickbooks. The current version of
Quickbooks, while still file oriented, is at least network aware and doesn't
require Full Control anymore. We dumped Intel-a-Check late last year for a
custom developed system that integrates with our mainframe.

>
>> We have several of these where I work because only one person needs the
>> access, but in order to back up their databases we put them on a mapped
>> drive. We have also tried some newer,
>> non-client/server, medical billing applications that don't work without
>> Full Control. Dumped all those because of other problems with them.
>>
>
>
> Part of your issue may be that these applications simply aren't designed
> for use via a network share, and not just a permissions issue. It's hard
> to say without delving into the depths of each application. Are the
> program's executables also located on the network share? It's generally
> possible, with most applications, anyway, to have the program reside on
> the local hard drive, but configured to store its data elsewhere.
>
>

A lot of smaller vendors claim network capable, but on testing it turns out
that many aren't security aware. Once again "Full Control" is needed.

>> That said, I always try Modify first and then only switch to full control
>> if Modify doesn't work.
>
>
> Good. One should always start with the lowest privilege level, and grant
> elevated privileges only where needed.
>
>
>> My strategy for these packages is to create a domain security group for
>> that application and put only the people who need these applications in
>> it. The application's security
>> group has full control of the directory structure the application is
>> using, but isn't listed in the higher level directory structure. Then I
>> install the offending application only on the workstations for those
>> individuals.
>
>
>
> Again, good. A perfectly sensible approach, and much simpler to
> administer than by granting by-name access to individual files/folders.
> However, I'd still be concerned that some user, thinking he/she knows
> better than you (and there's always at least one of those in any
> organization), either locking *everyone* - think "Deny" - out of something
> they need, or granting unauthorized access to one of their buddies because
> it takes too long to "go through proper channels."
>
>

We occasionally have a lock out issue, usually by our former company owner.
The rest of our users don't even want to know what IT does when it comes to
security. The permissions are only open on the folders the application
needs. As for trashed folders, we do a full backup every Friday night and
incrementals Monday - Thursday nights. We have had to occasionally restore
data.


>> It causes a little heartburn when a new employee can't do their job, but
>> I always tell their managers that if they run into access restrictions to
>> call and we'll grant the access. It's a small company so I know all the
>> managers.
>>
>
> And once again, your approach is correct. I don't see why it would cause
> any "heartburn." After all, as you've mentioned medical billing software,
> I presume you're often dealing with extremely sensitive personal
> information (HIPAA rules?); I don't see how anyone - particularly
> "managers" - could object to your protecting that data and simultaneously
> protecting your employer from potentially ruinous lawsuits.
>

The heartburn is that people are used to their computers at home where they
have full access. It's taken quite a bit of training to deal with this.
All our managers have finally learned that when we create new accounts, they
are set with a standard set of privs and that they will need to request
higher privs. I tell them that I don't want a new hire to accidentally
damage something until they are ready to be trained on that function.

> --
>
> Bruce Chambers
>
> Help us help you:
> http://www.catb.org/~esr/faqs/smart-questions.html
>
> http://support.microsoft.com/default.aspx/kb/555375
>
> They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety. ~Benjamin Franklin
>
> Many people would rather die than think; in fact, most do. ~Bertrand
> Russell
>
> The philosopher has never killed any priests, whereas the priest has
> killed a great many philosophers.
> ~ Denis Diderot

I like and agree with all three statements in your signature.

Mike.
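
The group-per-application approach discussed above, with Modify tried before Full Control, plus a check for the concern raised in the thread (explicit Deny entries, or non-admin principals holding rights that let them rewrite the ACL). This is an added PowerShell example, not part of any post in the thread; the folder path, group name and function names are assumptions.

```powershell
# Assumed values for illustration; neither name comes from the thread.
$AppRoot  = 'D:\Apps\Billing'
$AppGroup = 'CONTOSO\App-Billing'

# Grant the application group Modify (not Full Control) on the application
# folder only, inherited by its subfolders and files. Modify does not include
# Change Permissions or Take Ownership.
function Grant-AppModify {
    param([string]$Path, [string]$Group)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Report explicit (non-inherited) ACEs under $Root that are either Deny
# entries or Allow entries giving a non-trusted principal the right to
# change permissions or take ownership (both are part of Full Control).
function Find-RiskyAce {
    param(
        [string]$Root,
        [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    $dacRights = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.IsInherited) { continue }   # report each ACE where it is set
            $who    = $ace.IdentityReference.Value
            $isDeny = $ace.AccessControlType -eq 'Deny'
            $canRewriteAcl = ($ace.AccessControlType -eq 'Allow') -and
                             ($Trusted -notcontains $who) -and
                             (([int]$ace.FileSystemRights -band [int]$dacRights) -ne 0)
            if ($isDeny -or $canRewriteAcl) {
                [pscustomobject]@{
                    Path     = $item.FullName
                    Identity = $who
                    Type     = $ace.AccessControlType
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

Grant-AppModify -Path $AppRoot -Group $AppGroup
Find-RiskyAce -Root $AppRoot | Format-Table -AutoSize
```

Run from an elevated session; if the application only works with Full Control, the audit will list the application group itself, which is the cue to review who is in it.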

Ching <Ching.42
NewsGroup User
Re: Please help with this NTFS question...11/28/2009 2:53:02 AM


Hi,

I love working with NTFS permissions and you know how I get answers? I
try the combinations out. Honestly, why debate when we can actually test
things out very easily.

I use a Win Server 2008 DC with a few ADC's and a mix of Win XP, Vista
and now Win 7 clients in a virtual environment to play with. Believe me,
you'll get more answers than you actually hoped to find. In fact,
questions just answer themselves without any effort when you try things
out yourself.

Cheers!
Ching


--
Ching
------------------------------------------------------------------------
Ching's Profile: http://forums.techarena.in/members/48654.htm
View this thread: http://forums.techarena.in/vista-security/1257889.htm

http://forums.techarena.in
