2k adv server security permissions
Results 1 to 8 of 8

Thread: 2k adv server security permissions

  1. #1
    Junior Member
    Join Date
    Feb 2002
    Posts
    10

    Question 2k adv server security permissions

    OK, i run 2k adv server for a file server mainly, and whenever a file is put on the drive the sharing permissions change at random, normally it wipes the permissions however sometimes it will only give system access to the folder. needless to say this is really cramping my style. anyone ever heard of this or a fix for this?

    thanks
    shadowmaker
    all problems, no matter how big, when you boil them down, endup being a microsoft issue

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    518
    sounds like its inhertiing the rights... have you changed permissions on anything AT ALL? If you change it somewhere in the drive structure above it, it may get passed on. (like crap, it flows downhill)
    Remember -
    The ark was built by amatures...
    The Titanic was built by professionals.

  3. #3
    Junior Member
    Join Date
    Mar 2003
    Posts
    11
    Do the permissions change pretty much immediately? If so I'd subscribe to avenger_jcc's inheritance suggestion.

    If the permissions change at some point after the file is droped in there, then I'd look towards a script or similar altering the permissions.

    Out of interest, is this inside a share that is managed by cluster (I notice you're running Adv Srvr)?

    If you can't track it down from above, then you'll need to enable auditing on your server, and then enable auditing on your file/directory. This is a bit of a pain as it often gives you much more info than you've got time to read but should ultimately nail down the offending task/process.
    [glowpurple]$ _[/glowpurple]

  4. #4
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Also, if anyone is a domain admin in a w2k domain, they can take ownership of a folder and then change permissions on that folder.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  5. #5
    Junior Member
    Join Date
    Mar 2003
    Posts
    11
    Strictly speaking though CXGJarrod, you don't need to be a domain admin to do that, anyone who is a member of the local administrators group on the server (which does of course include domain admins, but could also include others) could take ownership.

    I'd still suggest putting in auditing to see whats going on. Even an admin who takes ownership, then resets the permissions will be logged. If they clear the sec.log then you'll see that they cleared the sec.log as the first event in the newly cleared sec.log (provided of course you've not set the sec.log to overwrite when full, but then you're asking for trouble if you do that....)
    [glowpurple]$ _[/glowpurple]

  6. #6
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    SysDrop: I was just trying to give an example, but you are correct....
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    One of the biggest problems I have seen is users who prepare files under "Desktop" on their local machine (NT4/ Win2k, NTFS), then move/copy them to the server.

    When you copy files in NT / Win2k, it attempts to copy the permissions. It often fails to do so, because the files were originally owned by a local user who doesn't exist on the server. In this case, the files end up with severely limited access.

    Encourage people not to prepare files under "Desktop" - as this directory is normally restricted. Either encourage users to prepare files directly on the server or in another, unprotected directory locally, then when they move them to the server the permissions will be more appropriate.

  8. #8
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Files NTFS permissions are *preserved* when copied or moved on the *same volume ("drive")*.
    Files NTFS permissions are *inherited from parent directory* when copied or moved to a *diffrent volume ("drive")*

    Hope this clears things up.


    Ammo
    Credit travels up, blame travels down -- The Boss

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides