Focus on Microsoft
Re: NTFS default special permissions Sep 05 2007 03:43PM
Megan Kielman (megan kielman gmail com) (2 replies)
Re: NTFS default special permissions Sep 05 2007 04:00PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
On 2007-09-05 Megan Kielman wrote:
> On 9/4/07, Geekwench <geekwench (at) hotmail (dot) com> wrote:
>> Note, again, that the original post referenced a VOLUME. As in a
>> partition. A drive. An entire chunk of space allocated on a disk. NOT
>> A FOLDER. It is fairly rare for somebody to want an entire volume to
>> be read-only (in fact, creating a volume and then disallowing any
>> writes to the volume would be pretty, well, dumb), which is why the
>> default permissions allow users to create and store data on the
>> volume. Don't confuse your choosing to manually designate a folder as
>> "read only" with the operating system setting the default permissions
>> on an entire volume to allow data to be created and stored on that
>> volume. That is what a volume is *for*- to store data of some kind.
>
> You continue to refer to the volume as a "data" volume but the default
> permissions apply to ALL volumes, including system volumes. Users do
> not need any write permission to system volumes.

You hardly ever create a new system volume from within a running Windows
system, thus a newly created volume is most likely a data volume, in
which case the default permissions are just fine. Besides, since Windows
by default creates the user profiles on the system volume users do need
write permissions to at least some directories on the volume.

I do, however, agree that it was a bad decision for Microsoft to allow
normal users to create files/folders in the root directory of the system
volume, and removing those special permissions from the root directory
is one of the first things I do on all my Windows installations.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
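
Added example, not part of the original post or thread: a PowerShell audit of the system volume's root directory for the permissions discussed above, that is, allow entries letting non-administrative principals create files or folders. The `$trusted` list is an assumption to adjust to local policy; the script only reports and changes nothing.

```powershell
# Added example, not from the original thread.
# Lists allow-ACEs on the system volume root that grant file/folder creation
# to principals outside an expected set.
$root = "$env:SystemDrive\"

# Assumption: principals expected to hold write access; adjust to local policy.
$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# CreateFiles (same bit as WriteData) and CreateDirectories (same bit as
# AppendData), plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000),
# which Get-Acl reports as raw numbers instead of named rights.
$createMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories' `
    -bor 0x40000000 -bor 0x10000000
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

$findings = (Get-Acl -LiteralPath $root).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $createMask) -and
        ($trusted -notcontains $_.IdentityReference.Value)
    } |
    ForEach-Object {
        [pscustomobject]@{
            Identity      = $_.IdentityReference.Value
            Rights        = $_.FileSystemRights
            # An inherit-only ACE affects subfolders and files, not the root itself.
            AppliesToRoot = ([int]$_.PropagationFlags -band $inheritOnly) -eq 0
            Inheritance   = $_.InheritanceFlags
        }
    }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No unexpected create rights on $root"
}
```

Rows with `AppliesToRoot` set to `True` are the entries that permit creation directly in the root directory; rows with `False` only affect what is created beneath it.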

Copyright 2010, SecurityFocus