Please help with this NTFS question...

Discussion in 'Windows Vista Security' started by LTCstudent, Oct 13, 2009.

  1. LTCstudent

    LTCstudent Guest

    This is a question from my book that my friend and I are struggling
    with.



    *A user is assigned Read permission to the NTFS folder C:\ACCOUNTING.
    They require full access to C:\ACCOUNTING\FORMS. This can be
    accomplished by:*

    *A)* not possible

    *B)* blocking permission inheritance at C:\ACCOUNTING\FORMS and
    assigning the user Full control to C:\ACCOUNTING\FORMS

    *C)* assigning the user Full control to C:\ACCOUNTING

    *D)* blocking permission inheritance at C:\ACCOUNTING and assigning the
    user Full control to C:\ACCOUNTING\FORMS

    *E)* assigning the user Full control to C:\ACCOUNTING\FORMS



    My friend believes the answer is *E*. I believe that may give you the
    same end result that you are looking for, but that would be assuming
    that the _Full_Control_ permission would override the _Read_ permission
    (which may be true, but our book doesn't specifically state anything
    like that).

    I personally believe the answer is *B* because when you deny the
    permission inheritance, it will (as stated in the book) prompt you to
    clarify whether the permissions should be copied or just removed
    entirely. Then you can clarify what permission the C:\ACCOUNTING\FORMS
    folder should have.



    His reasoning is (I think this is crap by the way) that the book wants
    us to go the "shortest" route possible, similar to computer programming.
    The analogy he used was that when you are writing a program you try to
    write the program as small and use as few steps as possible in order to
    make the program as efficient as possible and that is the same with this
    question and that is why E is right. :sarc:

    My reasoning is that the book explains permissions as though you should
    remove the inheritance from the folder then assign the permission the
    way you want the person to have them. Period.

    Please help us figure this out. We have a mid-term Wednesday (in 2
    days) and I'm beginning to get confused. TIA
     
    LTCstudent, Oct 13, 2009
    #1

  2. Beckett Guest

     
    Beckett, Oct 13, 2009
    #2

  3. Does the book actually refer to both the singular "user" and "they" as
    equivalent entities?
    (okay - it's not an English studies book)

    I think the answer expected is *B)* - you break the inheritance of the
    parent/child directory relationship and set the desired permissions on
    the child. Using *D)* you will have blocked inheritance to
    C:\ACCOUNTING\<all children> as well as the "FORMS" child directory.

    Get an XP machine and use the help system's search function to search
    for "inheritance".
     
    FromTheRafters, Oct 13, 2009
    #3
  4. Tae Song Guest


    I picked E)


    User only has read access to ACCOUNTING, so blocking inherited rights is
    pointless since you're giving the user full access to the sub-directory
    FORMS.

    Now, if you wanted the user to have full access to ACCOUNTING and limited
    access to FORMS, then you would want to block inherited rights and set
    permission accordingly, like read access.

    B) would accomplish the same results, but it has an unnecessary step and
    therefore not the best answer.
     
    Tae Song, Oct 13, 2009
    #4
  5. Peter Foldes Guest

    E
     
    Peter Foldes, Oct 13, 2009
    #5
  6. LTCstudent Guest

    Ok... When I checked the forum for responses to my question this morning
    before school, I had 2 responses: One saying the answer was *E* and the
    other saying the answer was *B*. That kind of sucked, but I wasn't
    worried because I figured I would just ask one of the teachers at
    school.

    Well, I asked Teacher #1 who is really knowledgeable about Server and
    permissions (he teaches Server, Exchange, etc at the school) and he said
    the answer was *B*. But then I mentioned it to Teacher #2 (who actually
    teaches the class where this question arose) and he said the answer was
    *E*. I guess 'street smarts' would say just go with the teacher who is
    teaching the class and be done with it, but I really want to understand
    this stuff.

    So now I've returned from school and it looks like the consensus on
    this forum is that the correct answer is *E* which is fine. BUT Teacher
    #1 made a convincing point to me. He stated that the _only_ permission
    assigned to a folder (c:\accounting\forms) that can override the
    inheritance permission is the 'Deny' permission unless you -block the
    permission inheritance-.

    If the answer is *E* that would mean that 'Full Control' can also
    override the 'Read' permission. I'm assuming you guys say this because
    assigning 'Full Control' permission is giving the user more control
    therefore it will take precedence?

    I don't know. I'm not trying to aggravate anyone here and I'm not
    trying to insult anyone's knowledge in NTFS security, I'm just trying to
    understand why the answer is *E* and not *B* and why there are so many
    professionals giving different answers. Thanks again
     
    LTCstudent, Oct 13, 2009
    #6
  7. Beckett Guest

    Both methods would work but why bother with B when E will suffice?
     
    Beckett, Oct 14, 2009
    #7
  8. Tae Song Guest

    OK, now you're just trying to come up with a scenario where answer B might
    work better and misinterpreted what Teacher #1 is saying to fit your
    argument.

    There are three states of access control.

    Expressly granted access
    If your name is on the guest list you get in.
    The host knows you and you've been invited.

    No access permission granted
    Your name is not on the guest list, you are not getting in.
    The host does not know you and you're not invited in.

    Expressly denied access
    Your name appears on the list of people forbidden to enter, you're not
    getting in.
    The host knows you and told the guards to keep you out.


    It seems to me, you're confusing "No access permission granted" with
    "Expressly denied access." In the original scenario, it does not mention
    "deny" at all. Not being granted access is not the same as expressly denied
    access, although the net result is the same.

    If you are expressly denied access to the party, but want to use the
    port-a-potty out back and the guard at the port-a-potty is told to let you
    use it, you can. In this case, Teacher
    #1 is wrong. Block permission inheritance doesn't do any good here.
    Expressly granted permission overrides denied inherited permission. As long
    as you bypass the party and go directly to the port-a-potty.

    Using the Command Prompt, you can CD (change directory) to
    /Party/Port-a-Potty, but you can't CD to /Party.


    Only "Expressly granted access" will get you in. "No permissions granted"
    means you aren't granted access and "Expressly denied access" means you are
    denied access by name. The latter two deny you permission.

    Block permission inheritance is used when you want the subfolder to have
    tighter restrictions than the parent folder. You want to grant full access
    to ACCOUNTING, but only READ access to FORMS. So you use block permission
    inheritance so the user doesn't get full access to FORMS, because they
    inherited full access from ACCOUNTING.

    I strongly disagree with the usage of "override".

    It's a logical AND, you have Read access AND Full Control, net permission
    access is Full Control. Now, if you had inherited Expressly denied read
    access and receive Full access control THEN that would override the
    inherited expressly denied read access.

    Blocking permission inheritance so the user doesn't get Read access makes no
    sense if the net permission access is going to be Full Control. It doesn't
    hurt, but it's a pointless gesture.

    You want to block permission inheritance if you want to limit the access to
    subfolders. It resets the access permissions, so you start with no access
    granted. Then access permissions are added from there, rather than
    inherited from the parent.


    Well, I haven't seen anyone pick B and you misinterpreted Teacher #1 and he
    is also wrong about usage of block permission inheritance.


    I would stick with what Teacher #2 says, he seems to know what he is talking
    about. He IS the one teaching the class and you can do your own tests to
    verify what he says is true.

    But that's just my opinion.

    Thanks to your post, I had to do some investigating and I ended up learning
    a thing or two about NTFS security.
     
    Tae Song, Oct 15, 2009
    #8
  9. What I said was that I thought the "expected answer" was *B*, not that
    it was the *right* answer. Often what is taught in schools is not
    *right*. My thinking was that the teacher may be stressing a point to be
    considered during your current level of understanding. I didn't like any
    of the choices given. I thought (and it might be stressed later on) that
    creating a group with the desired permissions and placing that *user* in
    that group would be best (occam's razor be damned) for manageability.
    Then, is the user's need to have full access truly correct - does he or
    she *need* "take ownership" or "change permissions" - perhaps "modify"
    rights would be sufficient (least privilege). Is it really desired that
    some permissions for that subfolder be contingent upon whatever changes
    to the parent folder are made in the future? If so, you would want
    inheritance to remain intact.

    They probably stress "Occam's razor" and have the simplest solution
    being the *correct* solution.

    Can you foresee the mess created by adding more individual users and
    their desired permissions by explicit deny or allow on an object? When
    (and if) there comes a time to rescind access, will you be able to keep
    track of who has access to what?

    Teacher two (teaching the class in question) will give you the *correct*
    answer for that class, so go with it.

    He is wrong. A specific allow will take precedence over an inherited
    deny.

    The first check (after any Mandatory Label check) is the first ACE entry
    which "should be" the explicit deny, then the explicit allow, then the
    inherited deny, then the inherited allow (followed by grandparent
    inheritance etcetera as required).
    If teacher #1 really said that specific allow won't take precedence
    over inherited deny, I think he is wrong.

    If *both* an allow and a deny appear at the same tier, the deny will
    take precedence however.
    Please mister bouncer, check your *other* list if no specific deny or
    allow is found on *this* list.

    (I'm in the "bartender" and "firewatch" groups - so if you want drinks
    and fire extinguishers at the ready....)

    [...]
     
    FromTheRafters, Oct 15, 2009
    #9
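Added example, not from any post in this thread: a small Python model of the DACL walk that posts #8 and #9 describe, so the competing answers can be checked instead of argued. The `Ace` class, the function names and the bit values are constructed for illustration; the real ACCESS_MASK values are wider, but the ordering rule modelled here is the documented one (explicit deny, explicit allow, inherited deny, inherited allow; an allow ACE strips the bits it grants from what is still requested, a deny ACE that covers any still-requested bit fails the check, and the walk stops as soon as nothing is left to grant). On a real machine the equivalent check is reading the ACL with `icacls` and comparing.

```python
"""Toy model of how Windows walks an NTFS DACL (added example, not from the thread).

Rights are small bit masks standing in for the real ACCESS_MASK values.
ACEs are evaluated in canonical order: explicit deny, explicit allow,
inherited deny, inherited allow.  The check walks the list once: an allow
ACE removes the bits it grants from the set still being requested; a deny
ACE that covers any still-requested bit fails the check; the check passes
as soon as nothing is left to grant.
"""
from dataclasses import dataclass

# Constructed rights; the real generic rights are wider, but the walk is the same.
READ = 0x1
WRITE = 0x2
CHANGE_PERMS = 0x4            # stands in for WRITE_DAC / WRITE_OWNER
MODIFY = READ | WRITE
FULL_CONTROL = MODIFY | CHANGE_PERMS


@dataclass(frozen=True)
class Ace:
    principal: str   # a SID in real life; a plain name here
    mask: int        # rights this ACE covers
    allow: bool      # True = access-allowed ACE, False = access-denied ACE
    inherited: bool  # True = flowed down from the parent folder


def canonical_order(aces):
    """Order ACEs the way the Windows ACL editor stores them.

    sorted() is stable and False < True, so explicit ACEs come before
    inherited ones and, within each tier, deny ACEs before allow ACEs.
    """
    return sorted(aces, key=lambda a: (a.inherited, a.allow))


def access_check(aces, principal, requested):
    """True when every bit in `requested` is granted to `principal`."""
    remaining = requested
    for ace in canonical_order(aces):
        if ace.principal != principal:
            continue
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True   # fully granted; later ACEs (e.g. an inherited deny) are never read
        elif ace.mask & remaining:
            return False      # a deny covering something still outstanding wins
    return remaining == 0


def effective_rights(aces, principal):
    """Per-bit view of what the principal ends up with on the object."""
    return sum(bit for bit in (READ, WRITE, CHANGE_PERMS)
               if access_check(aces, principal, bit))


def forms_acl(option):
    """DACL on C:\\ACCOUNTING\\FORMS for the answers argued over in the thread.

    The user holds Read on C:\\ACCOUNTING, which FORMS inherits.
    """
    inherited_read = Ace("user", READ, allow=True, inherited=True)
    explicit_full = Ace("user", FULL_CONTROL, allow=True, inherited=False)
    if option == "before":   # nothing changed yet: only the inherited Read
        return [inherited_read]
    if option == "E":        # keep inheritance, assign Full Control on FORMS
        return [inherited_read, explicit_full]
    if option == "B":        # block inheritance on FORMS, then assign Full Control
        return [explicit_full]
    raise ValueError(option)


if __name__ == "__main__":
    for opt in ("before", "E", "B"):
        print(opt, hex(effective_rights(forms_acl(opt), "user")))

    # Post #9's point: an explicit allow is read before an inherited deny ...
    mixed = [Ace("user", READ, allow=False, inherited=True),
             Ace("user", FULL_CONTROL, allow=True, inherited=False)]
    print("inherited deny Read + explicit allow Full:",
          hex(effective_rights(mixed, "user")))

    # ... but a deny at the same tier as the allow still wins for the bits it names.
    same_tier = [Ace("user", READ, allow=False, inherited=False),
                 Ace("user", FULL_CONTROL, allow=True, inherited=False)]
    print("explicit deny Read + explicit allow Full:",
          hex(effective_rights(same_tier, "user")))
```

Answers B and E come out identical (Full Control on FORMS), which is the "logical AND" point in post #8 put more precisely: allows accumulate, and blocking inheritance only matters when the parent grants something the child should not have. The inherited-deny case shows why post #9 calls Teacher #1 wrong, and the same-tier case shows the one situation where a deny does beat an allow.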
  10. LTCstudent Guest

    Thanks for the feedback and the microscopic details I asked for. :) I
    don't really care which answer was correct, but *B* seemed more thorough
    so I was convinced it was correct and was confused as to why someone
    would just do *E*.

    If it is possible to have a NTFS permission (that is directly assigned)
    override the inherited permission... then so be it. It just didn't
    "feel" right to me and the book didn't specifically state it. But like I
    said... thanks guys for clarifying it.
     
    LTCstudent, Oct 16, 2009
    #10
  11. None of those answers are correct. A knowledgeable administrator will
    never give "Full Control" to an ordinary user. At most, one would
    grant users "Modify" permissions.


    --

    Bruce Chambers

    Help us help you:
    http://www.catb.org/~esr/faqs/smart-questions.html

    http://support.microsoft.com/default.aspx/kb/555375

    They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety. ~Benjamin Franklin

    Many people would rather die than think; in fact, most do. ~Bertrand Russell

    The philosopher has never killed any priests, whereas the priest has
    killed a great many philosophers.
    ~ Denis Diderot
     
    Bruce Chambers, Oct 17, 2009
    #11

  12. Curious. I've been supporting NTFS-formatted WinNT/Win2K/WinXP work
    stations in both workgroup and domain environments for over a decade,
    and never come across any application, no matter how poorly written,
    that required the user to have full control. Have any specific examples?


     
    Bruce Chambers, Oct 18, 2009
    #12

  13. I'm not familiar with Intel-a-Check, but I do recall that Intuit (maker
    of Quickbooks) was very, very slow (glacial is the term I'd use) to
    adapt their products to the increasingly secure, newer versions of
    Windows. That's why I've always advised my clients to avoid them,
    whenever possible. Still, I don't recall ever having to grant Full
    Control to make it work. Might be a difference in network
    infrastructure design?



    Part of your issue may be that these applications simply aren't
    designed for use via a network share, and not just a permissions issue.
    It's hard to say without delving into the depths of each application.
    Are the program's executables also located on the network share? It's
    generally possible, with most applications, anyway, to have the program
    reside on the local hard drive, but configured to store its data elsewhere.


    Good. One should always start with the lowest privilege level, and
    grant elevated privileges only where needed.



    Again, good. A perfectly sensible approach, and much simpler to
    administer than by granting by-name access to individual files/folders.
    However, I'd still be concerned that some user, thinking he/she knows
    better than you (and there's always at least one of those in any
    organization), either locking *everyone* - think "Deny" - out of
    something they need, or granting unauthorized access to one of their
    buddies because it takes too long to "go through proper channels."

    And once again, your approach is correct. I don't see why it would
    cause any "heartburn." After all, as you've mentioned medical billing
    software, I presume you're often dealing with extremely sensitive
    personal information (HIPAA rules?); I don't see how anyone -
    particularly "managers" - could object to your protecting that data and
    simultaneously protecting your employer from potentially ruinous lawsuits.


     
    Bruce Chambers, Oct 18, 2009
    #13
