Volume Shadow Copy

Archived from groups: microsoft.public.win2000.security

Is there a way to limit some users of rolling back to a previous version?
Although the users have access to the shared drive, we just don't want them
to have the option of restoring a previous version.

Jeffrey L
  1.

    Rollback what?? If you mean they are accessing a share on a Windows 2003
    Server that has Volume Shadow Copy I don't know of a way to selectively
    prevent users from using it unless you do not install the client on their
    Windows 2000/XP Pro computers. --- Steve
  2.

    > "Jeffrey L" <jeffrey@nowhere.com> wrote in message
    > news:ubxU60lUFHA.3572@TK2MSFTNGP12.phx.gbl...
    > > Is there a way to limit some users of rolling back to a previous
    > > version?
    > > Although the users have access to the shared drive, we just don't want
    > > them to have the option of restoring a previous version.

    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:exqR6BmUFHA.1044@TK2MSFTNGP10.phx.gbl...
    > Rollback what?? If you mean they are accessing a share on a Windows 2003
    > Server that has Volume Shadow Copy I don't know of a way to selectively
    > prevent users from using it unless you do not install the client on their
    > Windows 2000/XP Pro computers. --- Steve


    Steven is correct -- that is the main point of Shadow Copy
    so you either disable it or you don't give the client software
    to the users.

    Why ever would you want people not to be able to recover
    a file?

    If they are recovering "other people's files" then that should be
    dealt with through permissions.

    A user must have READ on the original to copy the shadow
    version, and Modify/Change on the original to overwrite it.

    Since each person almost always has this on their own files,
    they are going to be able to recover those files that belong to
    them, and any others that meet these requirements.

    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]
  3.

    Several users involved in billing are connected to share for BillingData.
    Only one of these users should have the authority to restore a previous
    version (such as an admin.)
  4.

    "Jeffrey L" <jeffrey@nowhere.com> wrote in message
    news:#BBfuxmUFHA.2616@TK2MSFTNGP14.phx.gbl...
    > Several users involved in billing are connected to share for BillingData.
    > Only one of these users should have the authority to restore a previous
    > version (such as an admin.)

    Then those 'other users' should not have the authority to
    WRITE to the main file or shouldn't even have the authority
    to READ that file (make copies.)

    Notice that shadow copy is NOT the problem here, but rather
    the permissions given to the users are the real issue.

    If they choose to make their "own" backup of a readable
    file today, you could not stop them. If they choose to over-write
    a WRITABLE file tomorrow from that backup -- or even
    from some junk -- you could not stop them.

    You have a permission problem, not a shadow copy
    problem.

    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]

  5.

    On Fri, 6 May 2005 14:55:18 -0400, "Jeffrey L" <jeffrey@nowhere.com>
    wrote:

    >Several users involved in billing are connected to share for BillingData.
    >Only one of these users should have the authority to restore a previous
    >version (such as an admin.)

    We have similar situations, and we simply don't deploy the client to
    those systems.

    But in a billing environment shadow copies can be even more dangerous.
    I accept your money and list your bill as paid. I roll back to the
    previous version. I pocket the cash.

    I'm surprised auditors would allow anyone in the department the
    authority.

    Jeff

  6.

    "Jeff Cochran" <jeff.nospam@zina.com> wrote in message
    news:427d7c44.541632987@msnews.microsoft.com...
    > On Fri, 6 May 2005 14:55:18 -0400, "Jeffrey L" <jeffrey@nowhere.com>
    > wrote:
    >
    > >Several users involved in billing are connected to share for BillingData.
    > >Only one of these users should have the authority to restore a previous
    > >version (such as an admin.)
    >
    > We have similar situations, and we simply don't deploy the client to
    > those systems.
    >
    > But in a billing environment shadow copies can be even more dangerous.
    > I accept your money and list your bill as paid. I roll back to the
    > previous version. I pocket the cash.
    >
    > I'm surprised auditors would allow anyone in the department the
    > authority.

    In a secure system, the accounting software would be the only "one"
    allowed to actually touch the raw files or raw database.

    Users are authenticated to the "accounting system" which grants them
    the rights to do only certain functions -- all of the raw data are hidden
    from them, along with illegal operations.
  7.

    The users need WRITE access in order to enter payments, billing, etc. They
    are trusted not to be thieves and there are checks and balances in place for
    security purposes. We just didn't want anyone to have the ability to
    restore older files if they thought that there was a file integrity problem
    before IT gets involved and troubleshoots.
  8.

    Jeffrey L wrote:
    > The users need WRITE access in order to enter payments, billing, etc. They
    > are trusted not to be thieves and there are checks and balances in place for
    > security purposes. We just didn't want anyone to have the ability to
    > restore older files if they thought that there was a file integrity problem
    > before IT gets involved and troubleshoots.

    Then simply remove the Shadow Copy client from the computers of those
    you don't or can't trust to follow company policy.


    --

    Bruce Chambers

    Help us help you:
    http://dts-l.org/goodpost.htm
    http://www.catb.org/~esr/faqs/smart-questions.html

    You can have peace. Or you can have freedom. Don't ever count on having
    both at once. - RAH
  9.

    "Jeffrey L" <jeffrey@nowhere.com> wrote in message
    news:e$FVaJ$UFHA.2520@TK2MSFTNGP09.phx.gbl...
    > The users need WRITE access in order to enter payments, billing, etc.
    > They are trusted not to be thieves and there are checks and balances in
    > place for security purposes.

    > We just didn't want anyone to have the ability to
    > restore older files if they thought that there was a file integrity
    > problem before IT gets involved and troubleshoots.

    They can do that now; Shadow copy is not the problem
    other than it makes it easier -- so the answer is to either:

    1) Take away the shadow copy client software
    (doesn't really solve the real problem but it
    will keep them from using shadow copy to do it.)

    2) Fix the permissions -- which doesn't work with your
    current processes but is the only true answer. So
    this would imply putting a protective application
    between the user and the files to limit their access to
    only the necessary and approved function.

    3) User education -- since you "trust" the users, perhaps
    you can educate them to do the right thing and call
    IT when they need help.

    4) Making additional backups so that you can undo
    any mistakes they do make due to the inherent lack
    of security in your current systems.

    Until you recognize that you have a permission/security
    problem and not a shadow copy issue you probably won't
    be able to address the situation fully.

    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]
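
Added example, not part of the thread and not any poster's code: a PowerShell audit of the NTFS ACL on a folder, reporting per entry whether it allows reading file data (enough to copy a previous version) and writing file data (enough to overwrite the original), which is the permission distinction the replies above turn on. The function name, the demo folder and the use of the write-data bit as the "can overwrite" test are assumptions of this example; share-level permissions and group membership are not evaluated.

```powershell
# Added example. Classifies each NTFS ACE on a folder by what it lets the
# trustee do with a previous version of the files stored there.
function Get-RestoreCapability {
    param([Parameter(Mandatory)][string]$Path)

    $fsr = [System.Security.AccessControl.FileSystemRights]

    # ACEs written by older tools can carry unmapped generic access bits,
    # so test those alongside the specific file rights.
    $genericRead  = [int]::MinValue   # 0x80000000
    $genericWrite = 0x40000000
    $genericAll   = 0x10000000
    $readMask  = [int]($fsr::ReadData)  -bor $genericRead  -bor $genericAll
    $writeMask = [int]($fsr::WriteData) -bor $genericWrite -bor $genericAll

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $raw   = [int]$ace.FileSystemRights
        $read  = ($raw -band $readMask)  -ne 0
        $write = ($raw -band $writeMask) -ne 0

        if ($ace.AccessControlType -ne 'Allow') {
            $effect = 'Deny entry: takes precedence over matching Allow entries'
        } elseif ($read -and $write) {
            $effect = 'Can copy a previous version and restore it over the original'
        } elseif ($read) {
            $effect = 'Can copy a previous version elsewhere, cannot overwrite the original'
        } elseif ($write) {
            $effect = 'Can overwrite the original, cannot read a previous version'
        } else {
            $effect = 'No file data access'
        }

        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            Rights    = $ace.FileSystemRights
            Effect    = $effect
        }
    }
}

# Demo on a constructed folder so the script runs anywhere; point -Path at the
# real data folder behind the share when auditing.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'BillingData-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Get-RestoreCapability -Path $demo | Format-Table -AutoSize -Wrap
```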
  10.

    On Sun, 8 May 2005 13:26:30 -0400, "Jeffrey L" <jeffrey@nowhere.com>
    wrote:

    >The users need WRITE access in order to enter payments, billing, etc. They
    >are trusted not to be thieves and there are checks and balances in place for
    >security purposes. We just didn't want anyone to have the ability to
    >restore older files if they thought that there was a file integrity problem
    >before IT gets involved and troubleshoots.

    Then your only option is to remove the shadow copy client from their
    systems. Or, since they are trusted, simply tell them not to restore
    shadow copies of those files/folders.

    An alternative that may or may not be possible in your setup is to
    have those files on a different drive and not run shadow copy services
    for that drive.

    Jeff

