Security and Windows Vista A forum for discussion on security issues with Windows Vista. (microsoft.public.windows.vista.security) |
Please help with this NTFS question...
"Tae Song" wrote in message ...
"LTCstudent" wrote in message ...

Ok... When I checked the forum for responses to my question this morning before school, I had 2 responses: One saying the answer was *E* and the other saying the answer was *B*.

What I said was that I thought the "expected answer" was *B*, not that it was the *right* answer. Often what is taught in schools is not *right*. My thinking was that the teacher may be stressing a point to be considered during your current level of understanding. I didn't like any of the choices given. I thought (and it might be stressed later on) that creating a group with the desired permissions and placing that *user* in that group would be best (Occam's razor be damned) for manageability. Then, is the user's need to have full access truly correct - does he or she *need* "take ownership" or "change permissions" - perhaps "modify" rights would be sufficient (least privilege). Is it really desired that some permissions for that subfolder be contingent upon whatever changes to the parent folder are made in the future? If so, you would want inheritance to remain intact.

That kind of sucked, but I wasn't worried because I figured I would just ask one of the teachers at school.

They probably stress "Occam's razor" and have the simplest solution being the *correct* solution. Can you foresee the mess created by adding more individual users and their desired permissions by explicit deny or allow on an object? When (and if) there comes a time to rescind access, will you be able to keep track of who has access to what?

Well, I asked Teacher #1 who is really knowledgeable about Server and permissions (he teaches Server, Exchange, etc at the school) and he said the answer was *B*. But then I mentioned it to Teacher #2 (who actually teaches the class where this question arose) and he said the answer was *E*. I guess 'street smarts' would say just go with the teacher who is teaching the class and be done with it, but I really want to understand this stuff.

Teacher two (teaching the class in question) will give you the *correct* answer for that class, so go with it.

So now I've returned from school and it looks like the consensus on this forum is that the correct answer is *E* which is fine. BUT Teacher #1 made a convincing point to me. He stated that the _only_ permission assigned to a folder (c:\accounting\forms) that can override the inheritance permission is the 'Deny' permission unless you -block the permission inheritance-.

He is wrong. A specific allow will take precedence over an inherited deny. The first check (after any Mandatory Label check) is the first ACE entry which "should be" the explicit deny, then the explicit allow, then the inherited deny, then the inherited allow (followed by grandparent inheritance etcetera as required).

OK, now you're just trying to come up with a scenario where answer B might work better and misinterpreted what Teacher #1 is saying to fit your argument.

If teacher #1 really said that specific allow won't take precedence over inherited deny, I think he is wrong. If *both* an allow and a deny appear at the same tier, the deny will take precedence however.

There's three states of access control.

Expressly granted access: If your name is on the guest list you get in. The host knows you and you've been invited.

No access permission granted: Your name is not on the guest list, you are not getting in. The host does not know you and you're not invited in.

Please mister bouncer, check your *other* list if no specific deny or allow is found on *this* list. (I'm in the "bartender" and "firewatch" groups - so if you want drinks and fire extinguishers at the ready....)

[...]
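
The evaluation order described in the post above, as an added example that is not part of the original thread: a small Python model of the ACE walk, run against the book question's scenario. The rights bits, the `jdoe` account, the `Accounting` group and the two deny entries are constructed for illustration, and the model is a simplification of the real Windows access check.

```python
from dataclasses import dataclass

# Simplified rights bits for this model (not the real Windows access-mask values).
READ, WRITE, DELETE, CHANGE_PERMS, TAKE_OWNERSHIP = 1, 2, 4, 8, 16
MODIFY = READ | WRITE | DELETE
FULL = MODIFY | CHANGE_PERMS | TAKE_OWNERSHIP

@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    trustee: str     # user or group name
    mask: int        # rights covered
    depth: int = 0   # 0 = set on the object itself, 1 = parent, 2 = grandparent

def canonical(aces):
    """Explicit deny, explicit allow, then inherited deny, inherited allow,
    nearest ancestor first (the order given in the thread)."""
    return sorted(aces, key=lambda a: (a.depth, a.kind != "deny"))

def access_check(aces, sids, desired):
    """Walk the ordered ACEs; the first one that settles the request wins."""
    remaining = desired
    for ace in canonical(aces):
        if ace.trustee not in sids:
            continue                      # ACE names someone else
        if ace.kind == "deny" and ace.mask & remaining:
            return False                  # deny reached before the bit was granted
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True                   # everything requested is granted
    return False                          # on no list: implicit deny

def demo():
    token = {"jdoe", "Accounting"}        # constructed user plus one group
    inh_read = Ace("allow", "jdoe", READ, depth=1)         # Read from C:\ACCOUNTING
    exp_full = Ace("allow", "jdoe", FULL)                  # answer E, set on FORMS
    inh_deny = Ace("deny", "Accounting", WRITE, depth=1)   # constructed inherited deny
    exp_deny = Ace("deny", "jdoe", WRITE)                  # constructed explicit deny
    return {
        "answer_E": access_check([inh_read, exp_full], token, FULL),
        "parent_read_only": access_check([inh_read], token, WRITE),
        "explicit_allow_over_inherited_deny": access_check([inh_deny, exp_full], token, WRITE),
        "same_tier_deny_wins": access_check([exp_full, exp_deny], token, WRITE),
        "no_matching_ace": access_check([inh_read], {"guest"}, READ),
    }

if __name__ == "__main__":
    print(demo())
```

Swapping `FULL` for `MODIFY` in `exp_full` and requesting `CHANGE_PERMS` shows the least-privilege variant raised in the thread: the request falls through to the implicit deny.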
Please help with this NTFS question...
Thanks for the feedback and the microscopic details I asked for. I don't really care which answer was correct, but *B* seemed more thorough so I was convinced it was correct and was confused as to why someone would just do *E*. If it is possible to have a NTFS permission (that is directly assigned) override the inherited permission... then so be it. It just didn't "feel" right to me and the book didn't specifically state it. But like I said... thanks guys for clarifying it.

-- LTCstudent
Please help with this NTFS question...
LTCstudent wrote:
This is a question from my book that my friend and I are struggling with.

*A user is assigned Read permission to the NTFS folder C:\ACCOUNTING. They require full access to C:\ACCOUNTING\FORMS. This can be accomplished by:*

*A)* not possible
*B)* blocking permission inheritance at C:\ACCOUNTING\FORMS and assigning the user Full control to C:\ACCOUNTING\FORMS
*C)* assigning the user Full control to C:\ACCOUNTING
*D)* blocking permission inheritance at C:\ACCOUNTING and assigning the user Full control to C:\ACCOUNTING\FORMS
*E)* assigning the user Full control to C:\ACCOUNTING\FORMS

None of those answers are correct. A knowledgeable administrator will never give "Full Control" to an ordinary user. At the most, one would grant users "Modify" permissions.

-- Bruce Chambers

Help us help you:
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has killed a great many philosophers. ~ Denis Diderot
Please help with this NTFS question...
"Bruce Chambers" wrote in message
... LTCstudent wrote:

This is a question from my book that my friend and I are struggling with.

*A user is assigned Read permission to the NTFS folder C:\ACCOUNTING. They require full access to C:\ACCOUNTING\FORMS. This can be accomplished by:*

*A)* not possible
*B)* blocking permission inheritance at C:\ACCOUNTING\FORMS and assigning the user Full control to C:\ACCOUNTING\FORMS
*C)* assigning the user Full control to C:\ACCOUNTING
*D)* blocking permission inheritance at C:\ACCOUNTING and assigning the user Full control to C:\ACCOUNTING\FORMS
*E)* assigning the user Full control to C:\ACCOUNTING\FORMS

None of those answers are correct. A knowledgeable administrator will never give "Full Control" to an ordinary user. At the most, one would grant users "Modify" permissions.

-- Bruce Chambers

The problem with the "Modify" priv is that there are still a lot of programs that require Full Control, even for non administrative users. Given this real world restriction, E is the best answer.

Mike Ober.
Please help with this NTFS question...
Michael D. Ober wrote:
None of those answers are correct. A knowledgeable administrator will never give "Full Control" to an ordinary user. At the most, one would grant users "Modify" permissions.

-- Bruce Chambers

The problem with the "Modify" priv is that there are still a lot of programs that require Full Control, even for non administrative users.

Curious. I've been supporting NTFS-formatted WinNT/Win2K/WinXP work stations in both workgroup and domain environments for over a decade, and never come across any application, no matter how poorly written, that required the user to have full control. Have any specific examples?

-- Bruce Chambers