RE: Re[4]: Microsoft Windows Vista/2003/XP/2000 file management security issues
--This is getting boring. Let's take this offline, just between  you and
me. 
--You sound like many Linux/Unix guys I know who think they know Windows
security, but really don't. You're still acting like Windows security is
represented by Windows 95 without a firewall. You're mixing up your
security permissions, acting like you've never heard of the Creator
Owner SID, or the ability to change subfolder and file inheritance.
Either you don't know about them or you're purposefully ignoring them to
make your unlikely argument. Windows has incredibly security
granularity. You expect me to assume that the Windows administrator
makes bonehead configuration mistakes and I'm just supposed to accept
that as a Windows problem?  You can argue that some Windows
administrators may not configure something correctly based upon
perceived risks...but I'm not blaming Windows for that. 
--If make a public folder in Linux and give all users RWX, it
automatically flows down to the subfolders and objects, too. You can
configure Umask, but I can do exactly the same thing in Windows, using
the Creator Owner SID. So, you make additional change in Linux to make
it more secure, but I can't do the same in Windows...and that makes it a
Windows problem??
--See my other replies below.
Roger
*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services  
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger@xxxxxxxxxxxxxx or rogrim@xxxxxxxxxxxxx
*******************************************************************
-----Original Message-----
From: 3APA3A [mailto:3APA3A@xxxxxxxxxxxxxxxx] 
Sent: Friday, March 09, 2007 11:56 AM
To: Roger A. Grimes
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re[4]: Microsoft Windows Vista/2003/XP/2000 file management
security issues
Nice.  What  about  creating  "Sales  Reports" folder only head of Sales
department has access inside "Sales" folder?
--Poor security practice. Never done it. If it is for head of Sales
only, make it under the head of Sales' normal user folder. Easy.  No
security problem.
 There  is  no  actual  difference  between  "Change" and "Full Control"
permissions  for  NTFS.  
--First, Change is a share permission, not an NTFS permission. Are you
talking Shares or NTFS permissions? In either case, there is a two major
differences between Change/Modify and Full Control. Those differences
are the ability to change permissions and taking ownership.
"Change"  give you ability to delete and create objects. An ability to
delete some object and create it again give you a way to become object
owner, like if you have "Take ownership" individual permission.  As  an
owner you always have implicit "Change permissions" individual
permission.  So, you have your "Full control" without having it.  There
is simply nothing more to debate here. Ownership problem was debated for
ages.
--If you delete and re-create the object, it's a new object. Jeez!  So,
the administrator intentionaly set up the folder or share so other
people could delete other people's objects, and this is a Windows
problem?  Alice gets Full Control on her new object, not Bob's old
folder. If you want to prevent Bob from accidentally putting his
personal, private files into Alice's newly created folder...if that's a
concern, don't allow public users to have Change/Modify permissions to
subfolders in the public folder. In Windows you can easily choose what
objects inherit what permissions. If that is your concern, turn off
inheritance to subfolders and files. Microsoft put those options in the
Security tab GUI for a reason.
RAG> You're just making up crap up that isn't overly realistic in the 
RAG> world, then going further to assume that a bonehead administrator 
RAG> compounds the problem by making further insecure decisions.
RAG> You are essentially say, "If you misconfigure your system and make 
RAG> further insecure choices, someone can hack you." Duh.
Who  can  tell  me,  creating "Sales reports" inside "Sales" is insecure
choice?
--Yes, absolutely.
RAG> There's  a  reason  why your "announcements" aren't making the news
RAG> media...because it isn't news.
If   I   want   to  "make  news  media",  I  write  article  on  Russian
cyberterrorism  and it's connection with Ukraine, Germany and US. Not an
article on enterprise file management best security practices.
--At least that is a real problem.