Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Microsoft Windows Vista/2003/XP/2000 file management security issues
Date: Fri, 9 Mar 2007 19:55:45 +0300

Dear Roger A. Grimes,

--Friday, March 9, 2007, 6:49:13 PM, you wrote to 3APA3A () SECURITY NNOV RU:

RAG> For  one,  I've  been  a sys admin for 20 years and NEVER created a
RAG> private folder under a public folder.

Nice.  What  about  creating  "Sales  Reports" folder only head of Sales
department has access inside "Sales" folder?

RAG> I mean let's debate why users get Full Control to their own
RAG> folders in the first place. That's a common scenario (it's on
RAG> nearly every network) and its almost always too many permissions.
RAG> Do I want my regular end-users changing their folder's security
RAG> permissions? No. Should any regular end-user have Full Control to
RAG> any share? No, for the same reason.  These are valid, common,
RAG> security points that really do beg further discussion.

 There  is  no  actual  difference  between  "Change" and "Full Control"
permissions  for  NTFS.  "Change"  give you ability to delete and create
objects. An ability to delete some object and create it again give you a
way to become object owner, like if you have "Take ownership" individual
permission.  As  an  owner you always have implicit "Change permissions"
individual  permission.  So, you have your "Full control" without having
it.  There  is simply nothing more to debate here. Ownership problem was
debated for ages.

RAG> You're just making up crap up that isn't overly realistic in
RAG> the world, then going further to assume that a bonehead
RAG> administrator compounds the problem by making further insecure
RAG> decisions.

RAG> You are essentially say, "If you misconfigure your system and
RAG> make further insecure choices, someone can hack you." Duh.

Who  can  tell  me,  creating "Sales reports" inside "Sales" is insecure

RAG> There's  a  reason  why your "announcements" aren't making the news
RAG> media...because it isn't news.

If   I   want   to  "make  news  media",  I  write  article  on  Russian
cyberterrorism  and it's connection with Ukraine, Germany and US. Not an
article on enterprise file management best security practices.

RAG> With that said, you have something valid to say, but so far
RAG> it just isn't a "security vulnerability" that people need to be
RAG> aware of.

Roger, please read "Intro" section, it's rather small.

RAG> You're a smart person, concentrate on issues that will really
RAG> give us bang for the buck discussions and issues.

Are not we discussing?

RAG> Roger

RAG> *****************************************************************
RAG> *Roger A. Grimes, InfoWorld, Security Columnist 
RAG> *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
RAG> *email: roger_grimes () infoworld com or roger () banneretcs com
RAG> *Author of Professional Windows Desktop and Server Hardening (Wrox)
RAG> *http://www.amazon.com/gp/product/0764599909
RAG> *****************************************************************

~/ZARAZA http://securityvulns.com/
Да, ему чертовски повезло. Эх и паршиво б ему пришлось если бы он выжил! (Твен)

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]