Vista Banter: A Windows Vista forum



Security and Windows Vista A forum for discussion on security issues with Windows Vista. (microsoft.public.windows.vista.security)

Please help with this NTFS question...



 
 
#21
October 18th 09, 02:40 PM, posted to microsoft.public.windows.vista.security
Michael D. Ober (external usenet poster, Posts: 51)
Please help with this NTFS question...

"Bruce Chambers" wrote in message
...
> Michael D. Ober wrote:
>
>>> None of those answers are correct. A knowledgeable administrator will
>>> never give "Full Control" to an ordinary user. At the most, one would
>>> grant users "Modify" permissions.
>>>
>>> --
>>>
>>> Bruce Chambers
>>
>> The problem with the "Modify" priv is that there are still a lot of
>> programs that require Full Control, even for non-administrative users.
>
> Curious. I've been supporting NTFS-formatted WinNT/Win2K/WinXP
> workstations in both workgroup and domain environments for over a decade,
> and never come across any application, no matter how poorly written, that
> required the user to have full control. Have any specific examples?

Bruce,

Non- and small-networked versions of packages, including older versions of
Quickbooks, Intel-a-Check (a check printing program), tend to require full
control. We have several of these where I work because only one person
needs the access, but in order to back up their databases we put them on a
mapped drive. We have also tried some newer, non-client/server, medical
billing applications that don't work without Full Control. Dumped all those
because of other problems with them.

That said, I always try Modify first and then only switch to full control if
Modify doesn't work. My strategy for these packages is to create a domain
security group for that application and put only the people who need these
applications in it. The application's security group has full control of
the directory structure the application is using, but isn't listed in the
higher level directory structure. Then I install the offending application
only on the workstations for those individuals. It causes a little
heartburn when a new employee can't do their job, but I always tell their
managers that if they run into access restrictions to call and we'll grant
the access. It's a small company so I know all the managers.

Mike.




#23
October 18th 09, 04:56 PM, posted to microsoft.public.windows.vista.security
Bruce Chambers (external usenet poster, Posts: 2,448)
Please help with this NTFS question...

Michael D. Ober wrote:
>> Curious. I've been supporting NTFS-formatted WinNT/Win2K/WinXP
>> workstations in both workgroup and domain environments for over a decade,
>> and never come across any application, no matter how poorly written,
>> that required the user to have full control. Have any specific examples?
>
> Bruce,
>
> Non- and small-networked versions of packages, including older versions
> of Quickbooks, Intel-a-Check (a check printing program), tend to require
> full control.

I'm not familiar with Intel-a-Check, but I do recall that Intuit (maker
of Quickbooks) was very, very slow (glacial is the term I'd use) to
adapt their products to the increasingly secure, newer versions of
Windows. That's why I've always advised my clients to avoid them,
whenever possible. Still, I don't recall ever having to grant Full
Control to make it work. Might be a difference in network
infrastructure design?

> We have several of these where I work because only one
> person needs the access, but in order to back up their databases we put
> them on a mapped drive. We have also tried some newer,
> non-client/server, medical billing applications that don't work without
> Full Control. Dumped all those because of other problems with them.

Part of your issue may be that these applications simply aren't
designed for use via a network share, and not just a permissions issue.
It's hard to say without delving into the depths of each application.
Are the program's executables also located on the network share? It's
generally possible, with most applications, anyway, to have the program
reside on the local hard drive, but configured to store its data elsewhere.

> That said, I always try Modify first and then only switch to full
> control if Modify doesn't work.

Good. One should always start with the lowest privilege level, and
grant elevated privileges only where needed.

> My strategy for these packages is to
> create a domain security group for that application and put only the
> people who need these applications in it. The application's security
> group has full control of the directory structure the application is
> using, but isn't listed in the higher level directory structure. Then I
> install the offending application only on the workstations for those
> individuals.

Again, good. A perfectly sensible approach, and much simpler to
administer than by granting by-name access to individual files/folders.
However, I'd still be concerned that some user, thinking he/she knows
better than you (and there's always at least one of those in any
organization), either locking *everyone* - think "Deny" - out of
something they need, or granting unauthorized access to one of their
buddies because it takes too long to "go through proper channels."

> It causes a little heartburn when a new employee can't do
> their job, but I always tell their managers that if they run into access
> restrictions to call and we'll grant the access. It's a small company
> so I know all the managers.

And once again, your approach is correct. I don't see why it would
cause any "heartburn." After all, as you've mentioned medical billing
software, I presume you're often dealing with extremely sensitive
personal information (HIPAA rules?); I don't see how anyone -
particularly "managers" - could object to your protecting that data and
simultaneously protecting your employer from potentially ruinous lawsuits.


--

Bruce Chambers

Help us help you:
http://www.catb.org/~esr/faqs/smart-questions.html

http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot
#25
October 19th 09, 12:11 AM, posted to microsoft.public.windows.vista.security
Michael D. Ober (external usenet poster, Posts: 51)
Please help with this NTFS question...

"Bruce Chambers" wrote in message
...
> Michael D. Ober wrote:
>>> Curious. I've been supporting NTFS-formatted WinNT/Win2K/WinXP
>>> workstations in both workgroup and domain environments for over a decade,
>>> and never come across any application, no matter how poorly written,
>>> that required the user to have full control. Have any specific
>>> examples?
>>
>> Bruce,
>>
>> Non- and small-networked versions of packages, including older versions of
>> Quickbooks, Intel-a-Check (a check printing program), tend to require
>> full control.
>
> I'm not familiar with Intel-a-Check, but I do recall that Intuit (maker of
> Quickbooks) was very, very slow (glacial is the term I'd use) to adapt
> their products to the increasingly secure, newer versions of Windows.
> That's why I've always advised my clients to avoid them, whenever
> possible. Still, I don't recall ever having to grant Full Control to make
> it work. Might be a difference in network infrastructure design?

Personally, I can't stand Intuit products, but our corporate standard as
well as third party auditors is for Quickbooks. The current version of
Quickbooks, while still file oriented, is at least network aware and doesn't
require Full Control anymore. We dumped Intel-a-Check late last year for a
custom developed system that integrates with our mainframe.

>> We have several of these where I work because only one person needs the
>> access, but in order to back up their databases we put them on a mapped
>> drive. We have also tried some newer,
>> non-client/server, medical billing applications that don't work without
>> Full Control. Dumped all those because of other problems with them.
>
> Part of your issue may be that these applications simply aren't designed
> for use via a network share, and not just a permissions issue. It's hard
> to say without delving into the depths of each application. Are the
> program's executables also located on the network share? It's generally
> possible, with most applications, anyway, to have the program reside on
> the local hard drive, but configured to store its data elsewhere.

A lot of smaller vendors claim network capable, but on testing it turns out
that many aren't security aware. Once again "Full Control" is needed.

>> That said, I always try Modify first and then only switch to full control
>> if Modify doesn't work.
>
> Good. One should always start with the lowest privilege level, and grant
> elevated privileges only where needed.
>
>> My strategy for these packages is to create a domain security group for
>> that application and put only the people who need these applications in
>> it. The application's security
>> group has full control of the directory structure the application is
>> using, but isn't listed in the higher level directory structure. Then I
>> install the offending application only on the workstations for those
>> individuals.
>
> Again, good. A perfectly sensible approach, and much simpler to
> administer than by granting by-name access to individual files/folders.
> However, I'd still be concerned that some user, thinking he/she knows
> better than you (and there's always at least one of those in any
> organization), either locking *everyone* - think "Deny" - out of something
> they need, or granting unauthorized access to one of their buddies because
> it takes too long to "go through proper channels."

We occasionally have a lock out issue, usually by our former company owner.
The rest of our users don't even want to know what IT does when it comes to
security. The permissions are only open on the folders the application
needs. As for trashed folders, we do a full backup every Friday night and
incrementals Monday - Thursday nights. We have had to occasionally restore
data.

>> It causes a little heartburn when a new employee can't do their job, but
>> I always tell their managers that if they run into access restrictions to
>> call and we'll grant the access. It's a small company so I know all the
>> managers.
>
> And once again, your approach is correct. I don't see why it would cause
> any "heartburn." After all, as you've mentioned medical billing software,
> I presume you're often dealing with extremely sensitive personal
> information (HIPAA rules?); I don't see how anyone - particularly
> "managers" - could object to your protecting that data and simultaneously
> protecting your employer from potentially ruinous lawsuits.

The heartburn is that people are used to their computers at home where they
have full access. It's taken quite a bit of training to deal with this.
All our managers have finally learned that when we create new accounts, they
are set with a standard set of privs and that they will need to request
higher privs. I tell them that I don't want a new hire to accidentally
damage something until they are ready to be trained on that function.

> --
>
> Bruce Chambers
>
> Help us help you:
> http://www.catb.org/~esr/faqs/smart-questions.html
>
> http://support.microsoft.com/default.aspx/kb/555375
>
> They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety. ~Benjamin Franklin
>
> Many people would rather die than think; in fact, most do. ~Bertrand
> Russell
>
> The philosopher has never killed any priests, whereas the priest has
> killed a great many philosophers.
> ~ Denis Diderot

I like and agree with all three statements in your signature.

Mike.
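The per-application group approach Mike describes in these posts, together with the checks Bruce raises (Modify before Full Control, the group not leaking above the application folder, and Deny entries or stray Full Control grants that let one user lock others out), worked through as an added PowerShell example. This is not code from the thread or from either poster; the group name CORP\App-Billing-Users and the folder D:\Apps\Billing are assumed placeholders.

```powershell
# Added example, not from the thread. Grants a per-application domain group
# Modify on the application's own folder tree (Full Control only with the
# -FullControl switch, once Modify has actually been shown to fail), then
# audits the tree for the problems discussed in the thread: the group
# appearing on the parent folder, Deny entries that can lock everyone out,
# and Full Control held by anyone other than administrators or the group.
# Placeholder names: CORP\App-Billing-Users and D:\Apps\Billing are assumed.
# Requires PowerShell 5 or later, run by an account allowed to change ACLs.
using namespace System.Security.AccessControl

param(
    [string]$AppGroup = 'CORP\App-Billing-Users',   # assumed group name
    [string]$AppRoot  = 'D:\Apps\Billing',          # assumed application folder
    [switch]$FullControl                             # escalate only if Modify fails
)

# Step 1: least privilege first. Modify covers read, write, create, delete
# and execute, but not changing permissions or taking ownership.
$rights  = if ($FullControl) { [FileSystemRights]::FullControl } else { [FileSystemRights]::Modify }
$inherit = [InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule    = [FileSystemAccessRule]::new($AppGroup, $rights, $inherit,
                                       [PropagationFlags]::None,
                                       [AccessControlType]::Allow)

$acl = Get-Acl -LiteralPath $AppRoot
$acl.SetAccessRule($rule)   # replaces an earlier Allow for this identity instead of stacking one
Set-Acl -LiteralPath $AppRoot -AclObject $acl

# Step 2: the group belongs on the application root only, not on the folder above it.
$parent   = Split-Path -Path $AppRoot -Parent
$onParent = (Get-Acl -LiteralPath $parent).Access |
    Where-Object { $_.IdentityReference.Value -eq $AppGroup }
if ($onParent) {
    Write-Warning "$AppGroup is also listed on $parent; it should only be on $AppRoot"
}

# Step 3: walk the tree and report explicit (non-inherited) entries that would
# let a Full Control holder lock colleagues out or hand access to a buddy.
$trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER', $AppGroup)
$full    = [FileSystemRights]::FullControl
$items   = @(Get-Item -LiteralPath $AppRoot) +
           @(Get-ChildItem -LiteralPath $AppRoot -Recurse -Force)

$findings = foreach ($item in $items) {
    foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
        if ($ace.IsInherited) { continue }   # report each problem where it was set
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq [AccessControlType]::Deny) {
            [pscustomobject]@{ Path = $item.FullName; Identity = $who
                               Issue = 'Deny ACE'; Rights = $ace.FileSystemRights }
        }
        elseif ((($ace.FileSystemRights -band $full) -eq $full) -and ($who -notin $trusted)) {
            [pscustomobject]@{ Path = $item.FullName; Identity = $who
                               Issue = 'Full Control outside admins/app group'
                               Rights = $ace.FileSystemRights }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { Write-Output "No Deny entries or stray Full Control grants under $AppRoot" }
```

Run it without -FullControl first; only rerun with the switch once the application has demonstrably failed under Modify, and keep the audit section as a scheduled check on shares where users hold Full Control.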

#27
November 28th 09, 01:53 AM, posted to microsoft.public.windows.vista.security
Ching (external usenet poster, Posts: 1)
Please help with this NTFS question...


Hi,

I love working with NTFS permissions and you know how I get answers? I
try the combinations out. Honestly, why debate when we can actually test
things out very easily.

I use a Win Server 2008 DC with a few ADCs and a mix of Win XP, Vista
and now Win 7 clients in a virtual environment to play with. Believe me,
you'll get more answers than you actually hoped to find. In fact,
questions just answer themselves without any effort when you try things
out yourself.

Cheers!
Ching


--
Ching

 



