--This is getting boring. Let's take this offline, just between you and me.

--You sound like many Linux/Unix guys I know who think they know Windows security, but really don't. You're still acting like Windows security is represented by Windows 95 without a firewall. You're mixing up your security permissions, acting like you've never heard of the Creator Owner SID, or the ability to change subfolder and file inheritance. Either you don't know about them or you're purposefully ignoring them to make your unlikely argument. Windows has incredible security granularity. You expect me to assume that the Windows administrator makes bonehead configuration mistakes and I'm just supposed to accept that as a Windows problem? You can argue that some Windows administrators may not configure something correctly based upon perceived risks...but I'm not blaming Windows for that.

--If I make a public folder in Linux and give all users RWX, it automatically flows down to the subfolders and objects, too. You can configure umask, but I can do exactly the same thing in Windows, using the Creator Owner SID. So, you make an additional change in Linux to make it more secure, but I can't do the same in Windows...and that makes it a Windows problem??

--See my other replies below.

Roger

*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger@xxxxxxxxxxxxxx or rogrim@xxxxxxxxxxxxx
*******************************************************************

-----Original Message-----
From: 3APA3A [mailto:3APA3A@xxxxxxxxxxxxxxxx]
Sent: Friday, March 09, 2007 11:56 AM
To: Roger A. Grimes
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re[4]: Microsoft Windows Vista/2003/XP/2000 file management security issues

Nice.
What about creating a "Sales Reports" folder, to which only the head of the Sales department has access, inside the "Sales" folder?

--Poor security practice. Never done it. If it is for the head of Sales only, make it under the head of Sales' normal user folder. Easy. No security problem.

There is no actual difference between "Change" and "Full Control" permissions for NTFS.

--First, Change is a share permission, not an NTFS permission. Are you talking Shares or NTFS permissions? In either case, there are two major differences between Change/Modify and Full Control. Those differences are the ability to change permissions and taking ownership.

"Change" gives you the ability to delete and create objects. The ability to delete some object and create it again gives you a way to become the object owner, as if you had the "Take ownership" individual permission. As an owner you always have the implicit "Change permissions" individual permission. So, you have your "Full control" without having it. There is simply nothing more to debate here. The ownership problem has been debated for ages.

--If you delete and re-create the object, it's a new object. Jeez! So, the administrator intentionally set up the folder or share so other people could delete other people's objects, and this is a Windows problem? Alice gets Full Control on her new object, not Bob's old folder. If you want to prevent Bob from accidentally putting his personal, private files into Alice's newly created folder...if that's a concern, don't allow public users to have Change/Modify permissions to subfolders in the public folder. In Windows you can easily choose what objects inherit what permissions. If that is your concern, turn off inheritance to subfolders and files. Microsoft put those options in the Security tab GUI for a reason.

RAG> You're just making up crap that isn't overly realistic in the
RAG> world, then going further to assume that a bonehead administrator
RAG> compounds the problem by making further insecure decisions.
RAG> You are essentially saying, "If you misconfigure your system and make
RAG> further insecure choices, someone can hack you." Duh.

Who can tell me that creating "Sales reports" inside "Sales" is an insecure choice?

--Yes, absolutely.

RAG> There's a reason why your "announcements" aren't making the news
RAG> media...because it isn't news.

If I want to "make news media", I write an article on Russian cyberterrorism and its connection with Ukraine, Germany and the US. Not an article on enterprise file management best security practices.

--At least that is a real problem.
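The mitigation Roger describes (a Creator Owner ACE plus restricted inheritance, so public users can create objects in a shared folder but cannot delete or re-create each other's) spelled out as an icacls configuration. This is an added illustration, not code from either poster; the path D:\Public is an assumption.

```powershell
# Added example (not from the thread): a shared "drop" folder where every
# user can create files and subfolders, but can only modify or delete the
# objects they created themselves. D:\Public is an assumed path.
$Public = 'D:\Public'
New-Item -ItemType Directory -Path $Public -Force | Out-Null

# 1. Stop inheriting the parent volume's ACL so nothing unexpected flows
#    down into the public folder.
icacls $Public /inheritance:r

# 2. Administrators: Full control, inherited by all subfolders (CI) and
#    files (OI).
icacls $Public /grant 'BUILTIN\Administrators:(OI)(CI)F'

# 3. Users: on the public folder itself only (no inheritance flags).
#    RD/RA/REA/X/RC/S = list folder, read attributes and ACL, traverse;
#    WD = create files, AD = create subfolders.
#    Deliberately no DE (delete) and no DC (delete child): a user can
#    neither remove nor rename another user's objects, so the
#    "delete it and re-create it to become owner" path is closed.
icacls $Public /grant 'BUILTIN\Users:(RD,RA,REA,X,RC,S,WD,AD)'

# 4. CREATOR OWNER: Modify on subfolders and files, inherit-only (IO), so
#    the ACE is stamped onto each new object with the creator's own SID.
#    Modify rather than Full control: creators cannot change permissions
#    on or take ownership of what they create.
icacls $Public /grant 'CREATOR OWNER:(OI)(CI)(IO)M'

# Show the resulting ACL for review.
icacls $Public
```

If other users should be able to read (but not change) each other's drops, add a second inherit-only ACE such as 'BUILTIN\Users:(OI)(CI)(IO)RX'; without it, subfolders are private to their creator and administrators.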