
User can change folder permissions

Tags:
  • Security
  • Permissions
  • Windows XP
Anonymous
April 20, 2005 10:54:13 AM

Archived from groups: microsoft.public.windowsxp.security_admin

I wanted to test whether I was able to protect a data backend from being
deleted, so I created a folder, "Test" with a subfolder "data". I am an
admin on the system, and created these folders on my machine. I set
permissions for "Everyone" to Deny Delete and Deny Folders and Subfolders for
the "Data" folder. This did what I wanted. I tested it on a user machine
and was unable to delete files from the "Data" folder as well as use the
app.

Here is the issue. Logged on as a user "Sales", I was able to set the
permission of the "Data" folder to Deny Full Control. After making the
change, there were no security options available to reset the permissions and
I could not open the folder or access the tables in the backend db. I
logged on as myself on that machine and was also denied access. I then went
to my machine, logged off and back on as myself and had to reset the
permissions as I was denied access to the folders and database.

Anyone know if this is a quirk or normal security functionality? It seems odd
that a user is able to affect the permissions to someone else's folder.

Thanks for any info and God Bless,

Mark A. Sam


Anonymous
April 22, 2005 3:25:53 AM


"Mark A. Sam" <msam@Plan-It-Earth.Net> wrote in message
news:o be7EdZRFHA.2788@TK2MSFTNGP09.phx.gbl...
> I wanted to test whether I was able to protect a data backend from being
> deleted, so I created a folder, "Test" with a subfolder "data". I am an
> admin on the system, and created these folders on my machine. I set
> permissions for "Everyone" to Deny Delete and Deny Folders and Subfolders for
> the "Data" folder. This did what I wanted. I tested it on a user machine
> and was unable to delete files from the "Data" folder as well as use the
> app.
>
> Here is the issue. Logged on as a user "Sales", I was able to set the
> permission of the "Data" folder to Deny Full Control. After making the
> change, there were no security options available to reset the permissions and
> I could not open the folder or access the tables in the backend db. I
> logged on as myself on that machine and was also denied access. I then went
> to my machine, logged off and back on as myself and had to reset the
> permissions as I was denied access to the folders and database.
>
> Anyone know if this is a quirk or normal security functionality? It seems odd
> that a user is able to affect the permissions to someone else's folder.
>
> Thanks for any info and God Bless,
>
> Mark A. Sam

I'm a little unclear on what you are describing but I'll do my best...

If you put a "Deny" entry for "Everyone" on Full Control, then yes you will
lock everyone out (administrators can use a privilege to reset permissions
regardless of anything you do, of course.)

Generally, you don't need to put any explicit "Deny" entries (it is fairly
rare to ever be in a situation that needs a "Deny"). You just put "allow"
entries for users and groups that should have access and completely remove
entries for others... anyone not listed as "Allowed" will not have access.

If you put a "Deny", it will take precedence over everything else.
'Everyone' includes all users-- even administrators.

I'm also not sure what you mean by "someone else's folder" -- basically if a
user has Full Control on a folder, they can change permissions.
(Administrators can give themselves full control so it's never possible to
lock out an admin.)



--
Colin Nash
Microsoft MVP
Windows Shell/User
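
Added example, not part of Colin Nash's reply or the original thread: a simplified Python model of the access check his answer describes, showing why a Deny for "Everyone" also locks out the creator, why Full Control lets "Sales" rewrite the permissions, and how an administrator recovers. The accounts, the ACL contents (including the assumption that "Everyone" started with an Allow Full Control entry) and the reduced set of access bits are constructed for illustration.

```python
# Added illustration: simplified model of a DACL walk, not Windows code.
# Bit values follow winnt.h; FULL covers only the bits modelled here.
READ, WRITE, DELETE_CHILD = 0x1, 0x2, 0x40
DELETE, WRITE_DAC, WRITE_OWNER = 0x10000, 0x40000, 0x80000
FULL = READ | WRITE | DELETE_CHILD | DELETE | WRITE_DAC | WRITE_OWNER

def access_check(token, owner, dacl, wanted):
    """token: set of user/group names the caller holds. True if all bits granted."""
    remaining = wanted
    if owner in token:                 # the owner may always rewrite the DACL
        remaining &= ~WRITE_DAC
    if "Administrators" in token:      # take-ownership privilege bypasses the DACL
        remaining &= ~WRITE_OWNER
    for kind, trustee, mask in dacl:   # ACEs are walked in stored order
        if remaining == 0:
            break
        if trustee not in token:
            continue
        if kind == "deny" and mask & remaining:
            return False               # a matching Deny ends the walk
        if kind == "allow":
            remaining &= ~mask
    return remaining == 0

# Constructed accounts and ACLs (assumptions, modelled on the thread).
MARK = {"Mark", "Administrators", "Everyone"}      # folder creator, admin
ADMIN2 = {"Admin2", "Administrators", "Everyone"}  # another admin, not the owner
SALES = {"Sales", "Users", "Everyone"}
OWNER = "Mark"

ORIGINAL = [("deny", "Everyone", DELETE | DELETE_CHILD), ("allow", "Everyone", FULL)]
LOCKED = [("deny", "Everyone", FULL), ("allow", "Everyone", FULL)]
ALLOW_ONLY = [("allow", "Administrators", FULL), ("allow", "Sales", READ | WRITE)]

def report():
    rows = {}
    for name, dacl in (("original", ORIGINAL), ("locked", LOCKED), ("allow_only", ALLOW_ONLY)):
        rows[name] = {
            "sales_delete": access_check(SALES, OWNER, dacl, DELETE),
            "sales_change_perms": access_check(SALES, OWNER, dacl, WRITE_DAC),
            "mark_read": access_check(MARK, OWNER, dacl, READ),
            "mark_change_perms": access_check(MARK, OWNER, dacl, WRITE_DAC),
            "admin2_change_perms": access_check(ADMIN2, OWNER, dacl, WRITE_DAC),
            "admin2_take_ownership": access_check(ADMIN2, OWNER, dacl, WRITE_OWNER),
        }
    return rows

if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

In the allow-only layout "Sales" can read and write but holds neither the delete bits nor the right to change permissions, so no Deny entry is needed and the lockout cannot be triggered from that account.
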
Anonymous
April 25, 2005 3:43:08 PM


Hello Colin,

My purpose is to disallow a user from deleting a data file. If you don't
deny delete, then any user has access to the folder and can trash the file.
I'm not clear why a user can deny the creator of the file access.

Thanks for your reply and God Bless,

Mark A. Sam


"Colin Nash [MVP]" <cnash x@x mvps.org> wrote in message
news:e2bQ$ruRFHA.2748@TK2MSFTNGP09.phx.gbl...
>
> "Mark A. Sam" <msam@Plan-It-Earth.Net> wrote in message
> news:o be7EdZRFHA.2788@TK2MSFTNGP09.phx.gbl...
> > I wanted to test whether I was able to protect a data backend from being
> > deleted, so I created a folder, "Test" with a subfolder "data". I am an
> > admin on the system, and created these folders on my machine. I set
> > permissions for "Everyone" to Deny Delete and Deny Folders and Subfolders
> > for the "Data" folder. This did what I wanted. I tested it on a user
> > machine and was unable to delete files from the "Data" folder as well as
> > use the app.
> >
> > Here is the issue. Logged on as a user "Sales", I was able to set the
> > permission of the "Data" folder to Deny Full Control. After making the
> > change, there were no security options available to reset the permissions
> > and I could not open the folder or access the tables in the backend db. I
> > logged on as myself on that machine and was also denied access. I then
> > went to my machine, logged off and back on as myself and had to reset the
> > permissions as I was denied access to the folders and database.
> >
> > Anyone know if this is a quirk or normal security functionality? It seems
> > odd that a user is able to affect the permissions to someone else's folder.
> >
> > Thanks for any info and God Bless,
> >
> > Mark A. Sam
>
> I'm a little unclear on what you are describing but I'll do my best...
>
> If you put a "Deny" entry for "Everyone" on Full Control, then yes you will
> lock everyone out (administrators can use a privilege to reset permissions
> regardless of anything you do, of course.)
>
> Generally, you don't need to put any explicit "Deny" entries (it is fairly
> rare to ever be in a situation that needs a "Deny"). You just put "allow"
> entries for users and groups that should have access and completely remove
> entries for others... anyone not listed as "Allowed" will not have access.
>
> If you put a "Deny", it will take precedence over everything else.
> 'Everyone' includes all users-- even administrators.
>
> I'm also not sure what you mean by "someone else's folder" -- basically if a
> user has Full Control on a folder, they can change permissions.
> (Administrators can give themselves full control so it's never possible to
> lock out an admin.)
>
> --
> Colin Nash
> Microsoft MVP
> Windows Shell/User