USERS group has the ability to change security permissions..

Archived from groups: microsoft.public.win2000.security

Hi all,

I've just learned today that if a user can get access to the Computer Management
console, he/she can go to the "logical drives" and change the NTFS
permissions set on local hard disks. Besides removing permissions set on
"compmgmt.msc" for users, power users, and everyone groups, is there any
other way that I can set or disable so that the user won't have the ability
to mess with permissions again?

I am still really confused that the user can just have the ability to change
NTFS permissions like that. Please help!!!

Are the users local administrators? If so, you will not be able to
effectively stop them from changing permissions. Assuming they are not, you
can modify permissions so that the user cannot change permissions. A user
needs Change Permissions, Full Control, or to be the owner to change permissions.
You should check the permissions of an XP Pro or Windows 2003 Server
computer to get an idea of good default NTFS permissions, where by default a
regular user can change permissions only on their profile folder. --- Steve


"Silly" <Silly@discussions.microsoft.com> wrote in message
news:C1199C1D-15D2-4F41-9A01-818C7BDE0302@microsoft.com...
> Hi all,
>
> I've just learned today that if a user can get access to the Computer Management
> console, he/she can go to the "logical drives" and change the NTFS
> permissions set on local hard disks. Besides removing permissions set on
> "compmgmt.msc" for users, power users, and everyone groups, is there any
> other way that I can set or disable so that the user won't have the ability
> to mess with permissions again?
>
> I am still really confused that the user can just have the ability to change
> NTFS permissions like that. Please help!!!

No, the users do not belong to any of the power users or administrators groups, AND
the NTFS permissions are set on local disks using those of Windows XP as
follows:

- Administrators: Full Control
- Creator Owner: Full Control (Subfolders and Files)
- System: Full Control
- Users: Read & Execute (This Folder, Subfolders, and Files)
- Users: Create Folders / Append Data (This Folder and Subfolders)
- Users: Create Files / Write Data (Subfolders Only)
- Everyone: Read & Execute

I'll set up a clean machine tomorrow and test it against what I found today,
and will keep you posted. Thanks for checking this.

"Steven L Umbach" wrote:

> Are the users local administrators? If so, you will not be able to
> effectively stop them from changing permissions. Assuming they are not, you
> can modify permissions so that the user cannot change permissions. A user
> needs Change Permissions, Full Control, or to be the owner to change permissions.
> You should check the permissions of an XP Pro or Windows 2003 Server
> computer to get an idea of good default NTFS permissions, where by default a
> regular user can change permissions only on their profile folder. --- Steve

I would be interested in the results on a clean machine. I would also verify
that the user is indeed not a local administrator, which can be easily done
with the "net user username" command on the local computer. Another thing
I would consider doing on a computer where a user is doing such is enabling
auditing of object access and then auditing the folders in question for
just "change permission" to see if the user name that is changing the
permission is indeed who you think they are, i.e. not using other credentials,
by viewing object access events in the security log. Though that is not a
real user-friendly procedure, the info is usually there. Users that have
physical access to a computer can easily use utilities to make themselves
local administrators if steps are not taken to disallow them to boot from
floppy, CD-ROM, etc. Often when confronted about how they are able to do
tasks that only administrators can do, they act stupid rather than admit they
hacked the computer. --- Steve

http://support.microsoft.com/defau [...] -us;301640

"Silly" <Silly@discussions.microsoft.com> wrote in message
news:BC5E9146-841C-4325-87F3-8E50B130D446@microsoft.com...
> No, the users do not belong to any of the power users or administrators groups, AND
> the NTFS permissions are set on local disks using those of Windows XP as
> follows:
>
> - Administrators: Full Control
> - Creator Owner: Full Control (Subfolders and Files)
> - System: Full Control
> - Users: Read & Execute (This Folder, Subfolders, and Files)
> - Users: Create Folders / Append Data (This Folder and Subfolders)
> - Users: Create Files / Write Data (Subfolders Only)
> - Everyone: Read & Execute
>
> I'll set up a clean machine tomorrow and test it against what I found today,
> and will keep you posted. Thanks for checking this.

Have you used the Advanced view in the NTFS permissions
dialog to make sure that there are no grants you have been
overlooking due to only viewing the generic grants?

Please open a cmd window, navigate (cd) to the root folder of
such a location as ones you say Users are able to do this, but
NTFS is showing that they should not, and then run
cacls
and post the output.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Silly" <Silly@discussions.microsoft.com> wrote in message
news:BC5E9146-841C-4325-87F3-8E50B130D446@microsoft.com...
> No, the users do not belong to any of the power users or administrators groups, AND
> the NTFS permissions are set on local disks using those of Windows XP as
> follows:
>
> - Administrators: Full Control
> - Creator Owner: Full Control (Subfolders and Files)
> - System: Full Control
> - Users: Read & Execute (This Folder, Subfolders, and Files)
> - Users: Create Folders / Append Data (This Folder and Subfolders)
> - Users: Create Files / Write Data (Subfolders Only)
> - Everyone: Read & Execute
>
> I'll set up a clean machine tomorrow and test it against what I found today,
> and will keep you posted. Thanks for checking this.

Okay... it was my mistake. I found out that when reconfiguring the NTFS
permissions, the "Everyone" group had to be deleted and then re-added, in
order for the generic grants (i.e. delete subfolders and files, delete,
change permissions, take ownership, etc.) to be removed. Thanks again you all
for looking into this.

"Roger Abell" wrote:

> Have you used the Advanced view in the NTFS permissions
> dialog to make sure that there are no grants you have been
> overlooking due to only viewing the generic grants?
>
> Please open a cmd window, navigate (cd) to the root folder of
> such a location as ones you say Users are able to do this, but
> NTFS is showing that they should not, and then run
> cacls
> and post the output.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA

Good you have it sorted. Although per MS it was your mistake,
in my view it is MS's mistake that the ACL editor is now doing
this, unlike earlier versions of Windows, but so far I have not
found the right ear in MS to do something about it.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Silly" <Silly@discussions.microsoft.com> wrote in message
news:4CA99A4F-7CF0-41FE-B8B2-F5D1CC36D7E2@microsoft.com...
> Okay... it was my mistake. I found out that when reconfiguring the NTFS
> permissions, the "Everyone" group had to be deleted and then re-added, in
> order for the generic grants (i.e. delete subfolders and files, delete,
> change permissions, take ownership, etc.) to be removed. Thanks again you all
> for looking into this.

Reply to Anonymous
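
The check this thread converges on (look past the basic permission view for leftover special grants such as Change Permissions or Take Ownership), as an added example that is not part of the original posts: Python that reads a security descriptor in SDDL text form and lists unexpected trustees who can change permissions. The two descriptors are constructed samples, and the `EXPECTED` trustee set and all function names are assumptions of this example.

```python
import re

WRITE_DAC, WRITE_OWNER = 0x40000, 0x80000      # "Change Permissions", "Take Ownership"
GENERIC_ALL, FILE_ALL = 0x10000000, 0x1F01FF   # Full Control includes both bits above

# SDDL two-letter access-right codes that can appear in a file or folder ACE.
RIGHTS = {"GA": GENERIC_ALL, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
          "FA": FILE_ALL, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "RC": 0x20000, "SD": 0x10000, "WD": WRITE_DAC, "WO": WRITE_OWNER,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
          "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100}
SIDS = {"BA": "Administrators", "SY": "System", "CO": "Creator Owner",
        "BU": "Users", "PU": "Power Users", "WD": "Everyone", "AU": "Authenticated Users"}
EXPECTED = {"BA", "SY", "CO"}   # assumption: trustees allowed to hold these rights

def pairs(text):
    return [text[i:i + 2] for i in range(0, len(text), 2)]

def rights_mask(text):
    """Convert an ACE rights field (hex mask or letter codes) to a bit mask."""
    if text.lower().startswith("0x"):
        mask = int(text, 16)
    else:
        mask = 0
        for code in pairs(text):
            mask |= RIGHTS[code]
    return mask | FILE_ALL if mask & GENERIC_ALL else mask

def risky_grants(sddl):
    """Return (trustee, rights, inherit_only) for unexpected permission-changing grants."""
    findings = []
    owner = re.search(r"O:(.+?)(?=G:|D:|S:|$)", sddl)
    if owner and owner.group(1) not in EXPECTED:   # an owner can always rewrite the DACL
        findings.append((SIDS.get(owner.group(1), owner.group(1)), ["Owner"], False))
    dacl = re.search(r"D:[^(]*((?:\([^)]*\))*)", sddl)
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, _, _, trustee = ace.split(";")[:6]
        if ace_type != "A" or trustee in EXPECTED:   # deny ACEs are not evaluated here
            continue
        mask = rights_mask(rights)
        held = [name for bit, name in ((WRITE_DAC, "Change Permissions"),
                                       (WRITE_OWNER, "Take Ownership")) if mask & bit]
        if held:
            findings.append((SIDS.get(trustee, trustee), held, "IO" in pairs(flags)))
    return findings

# Constructed descriptors: Everyone still carries special rights, then the repaired ACL.
LEFTOVER = ("O:BAG:SYD:(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)"
            "(A;OICI;0x1200a9;;;BU)(A;CI;LC;;;BU)(A;CIIO;DC;;;BU)(A;OICI;0x1f00e9;;;WD)")
REPAIRED = LEFTOVER.replace("0x1f00e9", "0x1200a9")

if __name__ == "__main__":
    for label, sddl in (("leftover", LEFTOVER), ("repaired", REPAIRED)):
        print(label, risky_grants(sddl))
```

In SDDL the code `WD` means WRITE_DAC in the rights field and Everyone (World) in the trustee field, which is why the parser resolves the two fields with separate tables.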