Sign in with
Sign up | Sign in
Your question

Volume Shadow Copy

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
May 6, 2005 5:06:28 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Is there a way to limit some users of rolling back to a previous version?
Although the users have access to the shared drive, we just don't want them
to have the option of restoring a previous version.

Jeffrey L

More about : volume shadow copy

Anonymous
a b 8 Security
May 6, 2005 5:06:29 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Rollback what?? If you mean they are accessing a share on a Windows 2003
Server that has Volume Shadow Copy I don't know of a way to selectively
prevent users from using it unless you do not install the client on there
Windows 2000/XP Pro computers. --- Steve




"Jeffrey L" <jeffrey@nowhere.com> wrote in message
news:ubxU60lUFHA.3572@TK2MSFTNGP12.phx.gbl...
> Is there a way to limit some users of rolling back to a previous version?
> Although the users have access to the shared drive, we just don't want
> them to have the option of restoring a previous version.
>
> Jeffrey L
>
Anonymous
a b 8 Security
May 6, 2005 5:09:53 PM

Archived from groups: microsoft.public.win2000.security (More info?)

> "Jeffrey L" <jeffrey@nowhere.com> wrote in message
> news:ubxU60lUFHA.3572@TK2MSFTNGP12.phx.gbl...
> > Is there a way to limit some users of rolling back to a previous
version?
> > Although the users have access to the shared drive, we just don't want
> > them to have the option of restoring a previous version.

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:exqR6BmUFHA.1044@TK2MSFTNGP10.phx.gbl...
> Rollback what?? If you mean they are accessing a share on a Windows 2003
> Server that has Volume Shadow Copy I don't know of a way to selectively
> prevent users from using it unless you do not install the client on there
> Windows 2000/XP Pro computers. --- Steve


Steven is correct -- that is the main point of Shadow Copy
so you either disable it or you don't give the client software
to the users.

Why every would you want people not to be able to recover
a file?

If they are recovering "other people's files" then that should be
dealt with through permissions.

A user must have READ on the original to copy the shadow
version, and Modify/Change on the original to overwrite it.

Since each person almost always has this on their own files,
they are going to be able to recover those file that belong to
them, and any others that meet these requirements.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Related resources
Anonymous
a b 8 Security
May 6, 2005 6:55:18 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Several users involved in billing are connected to share for BillingData.
Only one of these users should have the authority to restore a previous
version (such as an admin.)

"Herb Martin" <news@LearnQuick.com> wrote in message
news:o v6jDemUFHA.2768@tk2msftngp13.phx.gbl...
>> "Jeffrey L" <jeffrey@nowhere.com> wrote in message
>> news:ubxU60lUFHA.3572@TK2MSFTNGP12.phx.gbl...
>> > Is there a way to limit some users of rolling back to a previous
> version?
>> > Although the users have access to the shared drive, we just don't want
>> > them to have the option of restoring a previous version.
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:exqR6BmUFHA.1044@TK2MSFTNGP10.phx.gbl...
>> Rollback what?? If you mean they are accessing a share on a Windows 2003
>> Server that has Volume Shadow Copy I don't know of a way to selectively
>> prevent users from using it unless you do not install the client on there
>> Windows 2000/XP Pro computers. --- Steve
>
>
> Steven is correct -- that is the main point of Shadow Copy
> so you either disable it or you don't give the client software
> to the users.
>
> Why every would you want people not to be able to recover
> a file?
>
> If they are recovering "other people's files" then that should be
> dealt with through permissions.
>
> A user must have READ on the original to copy the shadow
> version, and Modify/Change on the original to overwrite it.
>
> Since each person almost always has this on their own files,
> they are going to be able to recover those file that belong to
> them, and any others that meet these requirements.
>
> --
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> http://www.LearnQuick.Com
> [phone number on web site]
>
>
Anonymous
a b 8 Security
May 7, 2005 11:02:04 AM

Archived from groups: microsoft.public.win2000.security (More info?)

"Jeffrey L" <jeffrey@nowhere.com> wrote in message
news:#BBfuxmUFHA.2616@TK2MSFTNGP14.phx.gbl...
> Several users involved in billing are connected to share for BillingData.
> Only one of these users should have the authority to restore a previous
> version (such as an admin.)

Then those 'other users' should not have the authority to
WRITE to the main file or shouldn't even have the authority
to READ that file (make copies.)

Notice that shadow copy is NOT the problem here, but rather
the permissions given to the users is the real issue.

If they choose to make their "own" backup of a readable
file today, you could not stop them. If they choose to over-write
a WRITABLE file tomorrow from that backup -- for even
from some junk -- you could not stop them.

You have a permission problem, not a shadow copy
problem.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:o v6jDemUFHA.2768@tk2msftngp13.phx.gbl...
> >> "Jeffrey L" <jeffrey@nowhere.com> wrote in message
> >> news:ubxU60lUFHA.3572@TK2MSFTNGP12.phx.gbl...
> >> > Is there a way to limit some users of rolling back to a previous
> > version?
> >> > Although the users have access to the shared drive, we just don't
want
> >> > them to have the option of restoring a previous version.
> >
> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> > news:exqR6BmUFHA.1044@TK2MSFTNGP10.phx.gbl...
> >> Rollback what?? If you mean they are accessing a share on a Windows
2003
> >> Server that has Volume Shadow Copy I don't know of a way to selectively
> >> prevent users from using it unless you do not install the client on
there
> >> Windows 2000/XP Pro computers. --- Steve
> >
> >
> > Steven is correct -- that is the main point of Shadow Copy
> > so you either disable it or you don't give the client software
> > to the users.
> >
> > Why every would you want people not to be able to recover
> > a file?
> >
> > If they are recovering "other people's files" then that should be
> > dealt with through permissions.
> >
> > A user must have READ on the original to copy the shadow
> > version, and Modify/Change on the original to overwrite it.
> >
> > Since each person almost always has this on their own files,
> > they are going to be able to recover those file that belong to
> > them, and any others that meet these requirements.
> >
> > --
> > Herb Martin, MCSE, MVP
> > Accelerated MCSE
> > http://www.LearnQuick.Com
> > [phone number on web site]
> >
> >
>
>
Anonymous
a b 8 Security
May 8, 2005 6:43:00 AM

Archived from groups: microsoft.public.win2000.security (More info?)

On Fri, 6 May 2005 14:55:18 -0400, "Jeffrey L" <jeffrey@nowhere.com>
wrote:

>Several users involved in billing are connected to share for BillingData.
>Only one of these users should have the authority to restore a previous
>version (such as an admin.)

We have similar situations, and we simply don't deploy the client to
those systems.

But in a billing environment shadow copies can be even more dangerous.
I accept your money and list your bill as paid. I roll back to the
previous version. I pocket the cash.

I'm surprised auditors would allow anyone in the department the
authority.

Jeff

>
>"Herb Martin" <news@LearnQuick.com> wrote in message
>news:o v6jDemUFHA.2768@tk2msftngp13.phx.gbl...
>>> "Jeffrey L" <jeffrey@nowhere.com> wrote in message
>>> news:ubxU60lUFHA.3572@TK2MSFTNGP12.phx.gbl...
>>> > Is there a way to limit some users of rolling back to a previous
>> version?
>>> > Although the users have access to the shared drive, we just don't want
>>> > them to have the option of restoring a previous version.
>>
>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> news:exqR6BmUFHA.1044@TK2MSFTNGP10.phx.gbl...
>>> Rollback what?? If you mean they are accessing a share on a Windows 2003
>>> Server that has Volume Shadow Copy I don't know of a way to selectively
>>> prevent users from using it unless you do not install the client on there
>>> Windows 2000/XP Pro computers. --- Steve
>>
>>
>> Steven is correct -- that is the main point of Shadow Copy
>> so you either disable it or you don't give the client software
>> to the users.
>>
>> Why every would you want people not to be able to recover
>> a file?
>>
>> If they are recovering "other people's files" then that should be
>> dealt with through permissions.
>>
>> A user must have READ on the original to copy the shadow
>> version, and Modify/Change on the original to overwrite it.
>>
>> Since each person almost always has this on their own files,
>> they are going to be able to recover those file that belong to
>> them, and any others that meet these requirements.
>>
>> --
>> Herb Martin, MCSE, MVP
>> Accelerated MCSE
>> http://www.LearnQuick.Com
>> [phone number on web site]
>>
>>
>
Anonymous
a b 8 Security
May 8, 2005 9:53:47 AM

Archived from groups: microsoft.public.win2000.security (More info?)

"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:427d7c44.541632987@msnews.microsoft.com...
> On Fri, 6 May 2005 14:55:18 -0400, "Jeffrey L" <jeffrey@nowhere.com>
> wrote:
>
> >Several users involved in billing are connected to share for BillingData.
> >Only one of these users should have the authority to restore a previous
> >version (such as an admin.)
>
> We have similar situations, and we simply don't deploy the client to
> those systems.
>
> But in a billing environment shadow copies can be even more dangerous.
> I accept your money and list your bill as paid. I roll back to the
> previous version. I pocket the cash.
>
> I'm surprised auditors would allow anyone in the department the
> authority.

In a secure system, the accounting software would be the only "one"
allowed to actually touch the raw files or raw database.

Users are authenticated to the "accounting system" which grants them
the rights to do only certain functions -- all of the raw data are hidden
from them, along with illegal operations.
Anonymous
a b 8 Security
May 8, 2005 5:26:30 PM

Archived from groups: microsoft.public.win2000.security (More info?)

The users need WRITE access in order to enter payments, billing, etc. They
are trusted not be theives and there are checks and balances in place for
security purposes. We just didn't want anyone to have the ability to
restore older files if they thought that there was a file integrity problem
before IT gets involved and troubleshoots.


"Herb Martin" <news@LearnQuick.com> wrote in message
news:%23SoP8yvUFHA.2468@TK2MSFTNGP10.phx.gbl...
> "Jeffrey L" <jeffrey@nowhere.com> wrote in message
> news:#BBfuxmUFHA.2616@TK2MSFTNGP14.phx.gbl...
>> Several users involved in billing are connected to share for BillingData.
>> Only one of these users should have the authority to restore a previous
>> version (such as an admin.)
>
> Then those 'other users' should not have the authority to
> WRITE to the main file or shouldn't even have the authority
> to READ that file (make copies.)
>
> Notice that shadow copy is NOT the problem here, but rather
> the permissions given to the users is the real issue.
>
> If they choose to make their "own" backup of a readable
> file today, you could not stop them. If they choose to over-write
> a WRITABLE file tomorrow from that backup -- for even
> from some junk -- you could not stop them.
>
> You have a permission problem, not a shadow copy
> problem.
>
> --
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> http://www.LearnQuick.Com
> [phone number on web site]
>
>>
>> "Herb Martin" <news@LearnQuick.com> wrote in message
>> news:o v6jDemUFHA.2768@tk2msftngp13.phx.gbl...
>> >> "Jeffrey L" <jeffrey@nowhere.com> wrote in message
>> >> news:ubxU60lUFHA.3572@TK2MSFTNGP12.phx.gbl...
>> >> > Is there a way to limit some users of rolling back to a previous
>> > version?
>> >> > Although the users have access to the shared drive, we just don't
> want
>> >> > them to have the option of restoring a previous version.
>> >
>> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> > news:exqR6BmUFHA.1044@TK2MSFTNGP10.phx.gbl...
>> >> Rollback what?? If you mean they are accessing a share on a Windows
> 2003
>> >> Server that has Volume Shadow Copy I don't know of a way to
>> >> selectively
>> >> prevent users from using it unless you do not install the client on
> there
>> >> Windows 2000/XP Pro computers. --- Steve
>> >
>> >
>> > Steven is correct -- that is the main point of Shadow Copy
>> > so you either disable it or you don't give the client software
>> > to the users.
>> >
>> > Why every would you want people not to be able to recover
>> > a file?
>> >
>> > If they are recovering "other people's files" then that should be
>> > dealt with through permissions.
>> >
>> > A user must have READ on the original to copy the shadow
>> > version, and Modify/Change on the original to overwrite it.
>> >
>> > Since each person almost always has this on their own files,
>> > they are going to be able to recover those file that belong to
>> > them, and any others that meet these requirements.
>> >
>> > --
>> > Herb Martin, MCSE, MVP
>> > Accelerated MCSE
>> > http://www.LearnQuick.Com
>> > [phone number on web site]
>> >
>> >
>>
>>
>
>
Anonymous
a b 8 Security
May 8, 2005 5:26:31 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Jeffrey L wrote:
> The users need WRITE access in order to enter payments, billing, etc. They
> are trusted not be theives and there are checks and balances in place for
> security purposes. We just didn't want anyone to have the ability to
> restore older files if they thought that there was a file integrity problem
> before IT gets involved and troubleshoots.
>
>
>
>


Then simply remove the Shadow Copy client from the computers of those
you don't or can't trust to follow company policy.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
Anonymous
a b 8 Security
May 8, 2005 10:19:26 PM

Archived from groups: microsoft.public.win2000.security (More info?)

"Jeffrey L" <jeffrey@nowhere.com> wrote in message
news:e$FVaJ$UFHA.2520@TK2MSFTNGP09.phx.gbl...
> The users need WRITE access in order to enter payments, billing, etc.
They
> are trusted not be theives and there are checks and balances in place for
> security purposes.

> We just didn't want anyone to have the ability to
> restore older files if they thought that there was a file integrity
problem
> before IT gets involved and troubleshoots.

They can do that now; Shadow copy is not the problem
other than it makes it easier -- so the answer is to either:

1) Take away the shadow copy client software
(doesn't really solve the real problem but it
will keep them from using shadow copy to do it.)

2) Fix the permissions -- which doesn't work with your
current processes but is the only true answer. So
this would imply putting a protective application
between the user and the files to limit their access to
only the necessary and approved function.

3) User education -- since you "trust" the users, perhaps
you can educate them to do the right thing and call
IT when they need help.

4) Making additional backups so that you can undo
any mistakes they do make due to the inherent lack
of security in your current systems.

Until you recognize that you have a permission/security
problem and not a shadow copy issue you probably won't
be able to address the situation fully.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Anonymous
a b 8 Security
May 9, 2005 3:30:04 PM

Archived from groups: microsoft.public.win2000.security (More info?)

On Sun, 8 May 2005 13:26:30 -0400, "Jeffrey L" <jeffrey@nowhere.com>
wrote:

>The users need WRITE access in order to enter payments, billing, etc. They
>are trusted not be theives and there are checks and balances in place for
>security purposes. We just didn't want anyone to have the ability to
>restore older files if they thought that there was a file integrity problem
>before IT gets involved and troubleshoots.

Then your only option is remove the shadow copy client from their
systems. Or, since they are trusted, simply tell them not to restore
shadow copies of those files/folders.

An alternative that may or may not be possible in your setup is to
have those files on different drive and not run shadow copy services
for that drive.

Jeff


>
>"Herb Martin" <news@LearnQuick.com> wrote in message
>news:%23SoP8yvUFHA.2468@TK2MSFTNGP10.phx.gbl...
>> "Jeffrey L" <jeffrey@nowhere.com> wrote in message
>> news:#BBfuxmUFHA.2616@TK2MSFTNGP14.phx.gbl...
>>> Several users involved in billing are connected to share for BillingData.
>>> Only one of these users should have the authority to restore a previous
>>> version (such as an admin.)
>>
>> Then those 'other users' should not have the authority to
>> WRITE to the main file or shouldn't even have the authority
>> to READ that file (make copies.)
>>
>> Notice that shadow copy is NOT the problem here, but rather
>> the permissions given to the users is the real issue.
>>
>> If they choose to make their "own" backup of a readable
>> file today, you could not stop them. If they choose to over-write
>> a WRITABLE file tomorrow from that backup -- for even
>> from some junk -- you could not stop them.
>>
>> You have a permission problem, not a shadow copy
>> problem.
>>
>> --
>> Herb Martin, MCSE, MVP
>> Accelerated MCSE
>> http://www.LearnQuick.Com
>> [phone number on web site]
>>
>>>
>>> "Herb Martin" <news@LearnQuick.com> wrote in message
>>> news:o v6jDemUFHA.2768@tk2msftngp13.phx.gbl...
>>> >> "Jeffrey L" <jeffrey@nowhere.com> wrote in message
>>> >> news:ubxU60lUFHA.3572@TK2MSFTNGP12.phx.gbl...
>>> >> > Is there a way to limit some users of rolling back to a previous
>>> > version?
>>> >> > Although the users have access to the shared drive, we just don't
>> want
>>> >> > them to have the option of restoring a previous version.
>>> >
>>> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>>> > news:exqR6BmUFHA.1044@TK2MSFTNGP10.phx.gbl...
>>> >> Rollback what?? If you mean they are accessing a share on a Windows
>> 2003
>>> >> Server that has Volume Shadow Copy I don't know of a way to
>>> >> selectively
>>> >> prevent users from using it unless you do not install the client on
>> there
>>> >> Windows 2000/XP Pro computers. --- Steve
>>> >
>>> >
>>> > Steven is correct -- that is the main point of Shadow Copy
>>> > so you either disable it or you don't give the client software
>>> > to the users.
>>> >
>>> > Why every would you want people not to be able to recover
>>> > a file?
>>> >
>>> > If they are recovering "other people's files" then that should be
>>> > dealt with through permissions.
>>> >
>>> > A user must have READ on the original to copy the shadow
>>> > version, and Modify/Change on the original to overwrite it.
>>> >
>>> > Since each person almost always has this on their own files,
>>> > they are going to be able to recover those file that belong to
>>> > them, and any others that meet these requirements.
>>> >
>>> > --
>>> > Herb Martin, MCSE, MVP
>>> > Accelerated MCSE
>>> > http://www.LearnQuick.Com
>>> > [phone number on web site]
>>> >
>>> >
>>>
>>>
>>
>>
>
!