Welcome to Vista Banter. You are currently viewing our boards as a guest which gives you limited access to view most discussions, articles and access our other FREE features. By joining our free community you will have access to ask questions and reply to others posts, upload your own photos and access many other special features. Registration is fast, simple and absolutely free so please, join our community today! If you have any problems with the registration process or your account login, please contact contact support. |
|
Security and Windows Vista A forum for discussion on security issues with Windows Vista. (microsoft.public.windows.vista.security) |
|
LinkBack | Thread Tools | Display Modes |
|
|||
Please help with this NTFS question...
"Bruce Chambers" wrote in message
... Michael D. Ober wrote: None of those answers are correct. A knowledgeable administrator will never give "Full Control" to an ordinary user. At the most, one one grant users "Modify" permissions. -- Bruce Chambers The problem with the "Modify" priv is that there are still a lot of programs that require Full Control, even for non administrative users. Curious. I've been supporting NTFS-formatted WinNT/Win2K/WinXP work stations in both workgroup and domain environments for over a decade, and never come across any application, no matter how poorly written, that required the user to have full control. Have any specific examples? Bruce, Non and small-networked versions of packages, including older versions of Quickbooks, Intel-a-Check (a check printing program), tend to require full control. We have several of these where I work because only one person needs the access, but in order to back up their databases we put them on a mapped drive. We have also tried some newer, non-client/server, medical billing applications that don't work without Full Control. Dumped all those because of other problems with them. That said, I always try Modify first and then only switch to full control if Modify doesn't work. My strategy for these packages is to create a domain security group for that application and put only the people who need these applications in it. The application's security group has full control of the directory structure the application is using, but isn't listed in the higher level directory structure. Then I install the offending application only on the workstations for those individuals. It causes a little heartburn when a new employee can't do their job, but I always tell their managers that if they run into access restrictions to call and we'll grant the access. It's a small company so I know all the managers. Mike. -- Bruce Chambers Help us help you: http://www.catb.org/~esr/faqs/smart-questions.html http://support.microsoft.com/default.aspx/kb/555375 They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. ~Benjamin Franklin Many people would rather die than think; in fact, most do. ~Bertrand Russell The philosopher has never killed any priests, whereas the priest has killed a great many philosophers. ~ Denis Diderot |
|
|||
Please help with this NTFS question...
"Bruce Chambers" wrote in message
... Michael D. Ober wrote: None of those answers are correct. A knowledgeable administrator will never give "Full Control" to an ordinary user. At the most, one one grant users "Modify" permissions. -- Bruce Chambers The problem with the "Modify" priv is that there are still a lot of programs that require Full Control, even for non administrative users. Curious. I've been supporting NTFS-formatted WinNT/Win2K/WinXP work stations in both workgroup and domain environments for over a decade, and never come across any application, no matter how poorly written, that required the user to have full control. Have any specific examples? Bruce, Non and small-networked versions of packages, including older versions of Quickbooks, Intel-a-Check (a check printing program), tend to require full control. We have several of these where I work because only one person needs the access, but in order to back up their databases we put them on a mapped drive. We have also tried some newer, non-client/server, medical billing applications that don't work without Full Control. Dumped all those because of other problems with them. That said, I always try Modify first and then only switch to full control if Modify doesn't work. My strategy for these packages is to create a domain security group for that application and put only the people who need these applications in it. The application's security group has full control of the directory structure the application is using, but isn't listed in the higher level directory structure. Then I install the offending application only on the workstations for those individuals. It causes a little heartburn when a new employee can't do their job, but I always tell their managers that if they run into access restrictions to call and we'll grant the access. It's a small company so I know all the managers. Mike. -- Bruce Chambers Help us help you: http://www.catb.org/~esr/faqs/smart-questions.html http://support.microsoft.com/default.aspx/kb/555375 They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. ~Benjamin Franklin Many people would rather die than think; in fact, most do. ~Bertrand Russell The philosopher has never killed any priests, whereas the priest has killed a great many philosophers. ~ Denis Diderot |
|
|||
Please help with this NTFS question...
Michael D. Ober wrote:
Curious. I've been supporting NTFS-formatted WinNT/Win2K/WinXP work stations in both workgroup and domain environments for over a decade, and never come across any application, no matter how poorly written, that required the user to have full control. Have any specific examples? Bruce, Non and small-networked versions of packages, including older versions of Quickbooks, Intel-a-Check (a check printing program), tend to require full control. I'm not familiar with Intel-a-Check, but I do recall that Intuit (maker of Quickbooks) was very, very slow (glacial is the term I'd use) to adapt their products to the increasingly secure, newer versions of Windows. That's why I've always advised my clients to avoid them, whenever possible. Still, I don't recall ever having to grant Full Control to make it work. Might be a difference in network infrastructure design? We have several of these where I work because only one person needs the access, but in order to back up their databases we put them on a mapped drive. We have also tried some newer, non-client/server, medical billing applications that don't work without Full Control. Dumped all those because of other problems with them. Part of your issue may be that these applications simply aren't designed for use via a network share, and not just a permissions issue. It's hard to say within delving into the depths of each application. Are the program's executable's also located on the network share? It's generally possible, with most applications, anyway, to have the program reside on the local hard drive, but configured to store its data elsewhere. That said, I always try Modify first and then only switch to full control if Modify doesn't work. Good. One should always start with the lowest privilege level, and grant elevated privileges only where needed. My strategy for these packages is to create a domain security group for that application and put only the people who need these applications in it. The application's security group has full control of the directory structure the application is using, but isn't listed in the higher level directory structure. Then I install the offending application only on the workstations for those individuals. Again, good. A perfectly sensible approach, and much simpler to administer than by granting by-name access to individual files/folders. However, I'd still be concerned that some user, thinking he/she knows better than you (and there's always at least one of those in any organization), either locking *everyone* - think "Deny" - out of something they need, or granting unauthorized access to one of their buddies because it takes too long to "go through proper channels." It causes a little heartburn when a new employee can't do their job, but I always tell their managers that if they run into access restrictions to call and we'll grant the access. It's a small company so I know all the managers. And once again, your approach is correct. I don't see why it would cause any "heartburn." After all, as you've mentioned medical billing software, I presume you're often dealing with extremely sensitive personal information (HIPPA rules?); I don't see how anyone - particularly "managers" - could object to your protecting that data and simultaneously protecting your employer from potentially ruinous law suits. -- Bruce Chambers Help us help you: http://www.catb.org/~esr/faqs/smart-questions.html http://support.microsoft.com/default.aspx/kb/555375 They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. ~Benjamin Franklin Many people would rather die than think; in fact, most do. ~Bertrand Russell The philosopher has never killed any priests, whereas the priest has killed a great many philosophers. ~ Denis Diderot |
|
|||
Please help with this NTFS question...
Michael D. Ober wrote: Curious. I've been supporting NTFS-formatted WinNT/Win2K/WinXP work stations in both workgroup and domain environments for over a decade, and never come across any application, no matter how poorly written, that required the user to have full control. Have any specific examples? Bruce, Non and small-networked versions of packages, including older versions of Quickbooks, Intel-a-Check (a check printing program), tend to require full control. I'm not familiar with Intel-a-Check, but I do recall that Intuit (maker of Quickbooks) was very, very slow (glacial is the term I'd use) to adapt their products to the increasingly secure, newer versions of Windows. That's why I've always advised my clients to avoid them, whenever possible. Still, I don't recall ever having to grant Full Control to make it work. Might be a difference in network infrastructure design? We have several of these where I work because only one person needs the access, but in order to back up their databases we put them on a mapped drive. We have also tried some newer, non-client/server, medical billing applications that don't work without Full Control. Dumped all those because of other problems with them. Part of your issue may be that these applications simply aren't designed for use via a network share, and not just a permissions issue. It's hard to say within delving into the depths of each application. Are the program's executable's also located on the network share? It's generally possible, with most applications, anyway, to have the program reside on the local hard drive, but configured to store its data elsewhere. That said, I always try Modify first and then only switch to full control if Modify doesn't work. Good. One should always start with the lowest privilege level, and grant elevated privileges only where needed. My strategy for these packages is to create a domain security group for that application and put only the people who need these applications in it. The application's security group has full control of the directory structure the application is using, but isn't listed in the higher level directory structure. Then I install the offending application only on the workstations for those individuals. Again, good. A perfectly sensible approach, and much simpler to administer than by granting by-name access to individual files/folders. However, I'd still be concerned that some user, thinking he/she knows better than you (and there's always at least one of those in any organization), either locking *everyone* - think "Deny" - out of something they need, or granting unauthorized access to one of their buddies because it takes too long to "go through proper channels." It causes a little heartburn when a new employee can't do their job, but I always tell their managers that if they run into access restrictions to call and we'll grant the access. It's a small company so I know all the managers. And once again, your approach is correct. I don't see why it would cause any "heartburn." After all, as you've mentioned medical billing software, I presume you're often dealing with extremely sensitive personal information (HIPPA rules?); I don't see how anyone - particularly "managers" - could object to your protecting that data and simultaneously protecting your employer from potentially ruinous law suits. -- Bruce Chambers Help us help you: http://www.catb.org/~esr/faqs/smart-questions.html http://support.microsoft.com/default.aspx/kb/555375 They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. ~Benjamin Franklin Many people would rather die than think; in fact, most do. ~Bertrand Russell The philosopher has never killed any priests, whereas the priest has killed a great many philosophers. ~ Denis Diderot |
|
|||
Please help with this NTFS question...
"Bruce Chambers" wrote in message
... Michael D. Ober wrote: Curious. I've been supporting NTFS-formatted WinNT/Win2K/WinXP work stations in both workgroup and domain environments for over a decade, and never come across any application, no matter how poorly written, that required the user to have full control. Have any specific examples? Bruce, Non and small-networked versions of packages, including older versions of Quickbooks, Intel-a-Check (a check printing program), tend to require full control. I'm not familiar with Intel-a-Check, but I do recall that Intuit (maker of Quickbooks) was very, very slow (glacial is the term I'd use) to adapt their products to the increasingly secure, newer versions of Windows. That's why I've always advised my clients to avoid them, whenever possible. Still, I don't recall ever having to grant Full Control to make it work. Might be a difference in network infrastructure design? Personally, I can't stand Intuit products, but our corporate standard as well as third party auditors is for Quickbooks. The current version of Quickbooks, while still file oriented, is at least network aware and doesn't require Full Control anymore. We dumped Intel-a-Check late last year for a custom developed system that integrates with our mainframe. We have several of these where I work because only one person needs the access, but in order to back up their databases we put them on a mapped drive. We have also tried some newer, non-client/server, medical billing applications that don't work without Full Control. Dumped all those because of other problems with them. Part of your issue may be that these applications simply aren't designed for use via a network share, and not just a permissions issue. It's hard to say within delving into the depths of each application. Are the program's executable's also located on the network share? It's generally possible, with most applications, anyway, to have the program reside on the local hard drive, but configured to store its data elsewhere. A lot of smaller vendors claim network capable, but on testing it turns out that many aren't security aware. Once again "Full Control" is needed. That said, I always try Modify first and then only switch to full control if Modify doesn't work. Good. One should always start with the lowest privilege level, and grant elevated privileges only where needed. My strategy for these packages is to create a domain security group for that application and put only the people who need these applications in it. The application's security group has full control of the directory structure the application is using, but isn't listed in the higher level directory structure. Then I install the offending application only on the workstations for those individuals. Again, good. A perfectly sensible approach, and much simpler to administer than by granting by-name access to individual files/folders. However, I'd still be concerned that some user, thinking he/she knows better than you (and there's always at least one of those in any organization), either locking *everyone* - think "Deny" - out of something they need, or granting unauthorized access to one of their buddies because it takes too long to "go through proper channels." We occassionally have a lock out issue, usually by our former company owner. The rest of our users don't even want to know what IT does when it comes to security. The permissions are only open on the folders the application needs. As for trashed folders, we do a full backup every Friday night and incrementals Monday - Thursday nights. We have had to occassionally restore data. It causes a little heartburn when a new employee can't do their job, but I always tell their managers that if they run into access restrictions to call and we'll grant the access. It's a small company so I know all the managers. And once again, your approach is correct. I don't see why it would cause any "heartburn." After all, as you've mentioned medical billing software, I presume you're often dealing with extremely sensitive personal information (HIPPA rules?); I don't see how anyone - particularly "managers" - could object to your protecting that data and simultaneously protecting your employer from potentially ruinous law suits. The heartburn is that people are used to their computers at home where they have full access. It's taken quite a bit of training to deal with this. All our managers have finally learned that when we create new accounts, they are set with a standard set of privs and that they will need to request higher privs. I tell them that I don't want a new hire to accidentally damage something until they are ready to be trained on that function. -- Bruce Chambers Help us help you: http://www.catb.org/~esr/faqs/smart-questions.html http://support.microsoft.com/default.aspx/kb/555375 They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. ~Benjamin Franklin Many people would rather die than think; in fact, most do. ~Bertrand Russell The philosopher has never killed any priests, whereas the priest has killed a great many philosophers. ~ Denis Diderot I like and agree with all three statements in your signature. Mike. |
|
|||
Please help with this NTFS question...
"Bruce Chambers" wrote in message
... Michael D. Ober wrote: Curious. I've been supporting NTFS-formatted WinNT/Win2K/WinXP work stations in both workgroup and domain environments for over a decade, and never come across any application, no matter how poorly written, that required the user to have full control. Have any specific examples? Bruce, Non and small-networked versions of packages, including older versions of Quickbooks, Intel-a-Check (a check printing program), tend to require full control. I'm not familiar with Intel-a-Check, but I do recall that Intuit (maker of Quickbooks) was very, very slow (glacial is the term I'd use) to adapt their products to the increasingly secure, newer versions of Windows. That's why I've always advised my clients to avoid them, whenever possible. Still, I don't recall ever having to grant Full Control to make it work. Might be a difference in network infrastructure design? Personally, I can't stand Intuit products, but our corporate standard as well as third party auditors is for Quickbooks. The current version of Quickbooks, while still file oriented, is at least network aware and doesn't require Full Control anymore. We dumped Intel-a-Check late last year for a custom developed system that integrates with our mainframe. We have several of these where I work because only one person needs the access, but in order to back up their databases we put them on a mapped drive. We have also tried some newer, non-client/server, medical billing applications that don't work without Full Control. Dumped all those because of other problems with them. Part of your issue may be that these applications simply aren't designed for use via a network share, and not just a permissions issue. It's hard to say within delving into the depths of each application. Are the program's executable's also located on the network share? It's generally possible, with most applications, anyway, to have the program reside on the local hard drive, but configured to store its data elsewhere. A lot of smaller vendors claim network capable, but on testing it turns out that many aren't security aware. Once again "Full Control" is needed. That said, I always try Modify first and then only switch to full control if Modify doesn't work. Good. One should always start with the lowest privilege level, and grant elevated privileges only where needed. My strategy for these packages is to create a domain security group for that application and put only the people who need these applications in it. The application's security group has full control of the directory structure the application is using, but isn't listed in the higher level directory structure. Then I install the offending application only on the workstations for those individuals. Again, good. A perfectly sensible approach, and much simpler to administer than by granting by-name access to individual files/folders. However, I'd still be concerned that some user, thinking he/she knows better than you (and there's always at least one of those in any organization), either locking *everyone* - think "Deny" - out of something they need, or granting unauthorized access to one of their buddies because it takes too long to "go through proper channels." We occassionally have a lock out issue, usually by our former company owner. The rest of our users don't even want to know what IT does when it comes to security. The permissions are only open on the folders the application needs. As for trashed folders, we do a full backup every Friday night and incrementals Monday - Thursday nights. We have had to occassionally restore data. It causes a little heartburn when a new employee can't do their job, but I always tell their managers that if they run into access restrictions to call and we'll grant the access. It's a small company so I know all the managers. And once again, your approach is correct. I don't see why it would cause any "heartburn." After all, as you've mentioned medical billing software, I presume you're often dealing with extremely sensitive personal information (HIPPA rules?); I don't see how anyone - particularly "managers" - could object to your protecting that data and simultaneously protecting your employer from potentially ruinous law suits. The heartburn is that people are used to their computers at home where they have full access. It's taken quite a bit of training to deal with this. All our managers have finally learned that when we create new accounts, they are set with a standard set of privs and that they will need to request higher privs. I tell them that I don't want a new hire to accidentally damage something until they are ready to be trained on that function. -- Bruce Chambers Help us help you: http://www.catb.org/~esr/faqs/smart-questions.html http://support.microsoft.com/default.aspx/kb/555375 They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. ~Benjamin Franklin Many people would rather die than think; in fact, most do. ~Bertrand Russell The philosopher has never killed any priests, whereas the priest has killed a great many philosophers. ~ Denis Diderot I like and agree with all three statements in your signature. Mike. |
|
|||
Please help with this NTFS question...
Hi, I love working with NTFS permissions and you know how I get answers? I try the combinations out. Honestly, why debate when we can actually test things out very easily. I use a Win Server 2008 DC with a few ADC's and a mix of Win XP, Vista and now Win 7 clients in a virtual environment to play with. Believe me, you'll get more answers than you actually hoped to find. In fact, questions just answer themselves without any effort when you try things out yourself. Cheers! Ching -- Ching ------------------------------------------------------------------------ Ching's Profile: http://forums.techarena.in/members/48654.htm View this thread: http://forums.techarena.in/vista-security/1257889.htm http://forums.techarena.in |
Thread Tools | |
Display Modes | |
|
|