January 16th, 2008, 11:54 PM
NTFS Security Question
I'm writing up a FAQ series of documents for the other region IT departments for our company, and one of the subjects I'm writing on is how to setup AD groups. I'm also including a troubleshooting area for common problems.
Thinking about this brought up a question I'm not sure on -- I know that typically, if you have a Deny permission set for an individual user, it will override any Allow permissions given elsewhere for the same directory. However, what about in a scenario where, say, a user is a member of two AD groups -- we'll call them Group1 and Group2 -- where Group1 has Allow permission set to a directory while Group2 has Deny permission set. Is the user, being a member of both groups, therefore denied access?
Basically, whereas Deny permissions override Allow permissions for ONE user, what about a user in MULTIPLE groups, where one group has Allow and the other Deny?
My guess is Deny still overrides, but just wanted to confirm...
Last edited by AngelicKnight; January 16th, 2008 at 11:56 PM.
January 17th, 2008, 12:25 AM
This is the Summary from the end of the Document HERE. It looks like Inheritance has something to do with whether the individual would be Allowed or Denied access. Hope that helps.
Permissions are almost the same from Windows NT’s NTFS 4.0 to Windows 2000/XP/2003’s NTFS 5.0. One of the main differences is the way that permissions inherit down through the structure with inherited and explicit permissions. It used to be that, if there was a Deny permission on the ACL, it was always evaluated first, then the Allow permissions would follow. Now, the permission hierarchy must be evaluated considering not only the Deny vs. Allow, but whether the permission is explicitly set or inherited down from a parent resource.
PASSWORD: I don't have one
January 17th, 2008, 12:31 AM
If a user is in multiple groups, and one of the groups has deny permissions to an object, the user will also be denied no matter what permissions the other groups have. The only way a user can access the object is if they have been explicitly allowed.
January 17th, 2008, 01:12 AM
"Groups are a great way to get increased complexity without increasing the administrative burden on network administrators, because all network operating systems combine permissions. When a user is a member of more than one group, which permissions does he have with respect to any particular resource? In all network operating systems the permissions of the groups are combined, and the result is what we call the effective permissions the user has to access the resource. Let's use an example from Windows 2000. If Timmy is a member of the Sales group, which has List Folder Contents permission to a folder, and he is also a member of the Managers group, which has Read and Execute permissions to the same folder, Timmy will have both List Folder Contents and Read and Execute permissions to that folder."
-All-In-One Network+ Certification Exam Guide Third Edition, by Mike Meyers
In our scenario, we are going to look at a folder, C:\Data\HR, which contains both public and private files. We have allowed the C:\Data\HR folder to inherit the permissions from C:\Data, which includes just basic permissions from the root folder. We have also included the HR group on the ACL, giving the Group Allow-Read & Execute permissions. The final explicit entry on the ACL is for the non-HR group, which is given Deny-Full Control.
Below the HR folder are two files: Public.doc and Private.doc. The Public folder just allows for normal permission inheritance, so there are no special permissions added to the ACL. However, the private file has some explicit permissions added to the ACL. Since the Executive group needs to be able to read the contents of the private folder, this group is added explicitly with the Allow-Read & Execute permission. The result of this configuration is shown in Figure 5, which clearly shows that the Allow permission for the Executive group has a higher precedence than the Deny permission associated with the non-HR group. Since every executive is included in both groups, you can see that here is a case where Allow permissions have precedence over Deny permissions.
Figure 5: The scenario proves that there is a hierarchy of permissions for NTFS 5.0 resources. The hierarchy of precedence for the permissions can be summarized as follows, with the higher precedence permissions listed at the top of the list:
Allow permissions can have precedence over Deny permissions
January 17th, 2008, 04:23 PM
Crazy NTFS permissions -- I find that every time I start to think I have it figured out, someone proves me wrong.
Thanks guys, this is just the kinda info I needed!
I'm going to say that generally Deny overrides Allow...the exceptions seem to be in very unique situations like that described above...
January 17th, 2008, 06:33 PM
Apologies for double posting -- a final thought I wanted to add. Here's how I have it written so far:
· Subdirectories created inside the shared directory by default are configured with the same permissions as the parent, unless manually specified otherwise.
· Deny permissions usually override any Allow permissions specified elsewhere.
· If a user is a member of multiple Active Directory groups, and any one of those groups has permission to the drive, the user will likewise have access.
· Likewise, if a user is a member of multiple Active Directory groups, and any one of those groups has Deny permission to the drive, the user will usually be denied access, even if the user is a member of another group with “Allow” permission.
· Always consider that in subdirectories of network shares, explicit Allow permissions may in certain cases override inherited Deny permissions set for a user or group.
Does that sound more or less accurate, as far as general troubleshooting tips go?
January 17th, 2008, 07:24 PM
Most, Most, Least applies here.
January 17th, 2008, 07:32 PM
Afraid I don't follow...
I have the feeling I'm missing something obvious?
January 18th, 2008, 01:22 AM
Permissions should be part of the planning process, but you must consider the GROUP set up as well. If you get the groups wrong, then no amount of tweaking permissions will help.
when setting up group strategy remember AGULP
(A)ccounts can be members of-
(G)lobal Groups can be members of-
(U)niversal groups can be members of -
(L)ocal or Domain Local Groups have -
(P)ermissions assigned to them
you can nest groups to ease administration, but only in one way, Universal can NEVER go into a Global Group
Global groups would be the choice for people with the same job function, such as HR / Sales [MAX of 5000 per group, if more create additional groups].
Universal Groups are used to combine similar Global groups from different domains.
Use Group Policy to restrict users, apply these permissions to the local / domain local groups
RSoP = Resultant Set of Policy
Tool to quickly determine the outcome of your applied permissions and group policies
NTFS – set against groups, add all permissions, LEAST restrictive is what you get
File permissions override Folder permissions :-
Normally folder permissions will propagate down to child objects, if this is NOT true, file permissions will override
Permissions are cumulative :-
If a user is in a group with read permission and a group with write permission, they will have read AND write.
Deny permissions take precedence over Allow permissions :-
Explicit deny permission will always ‘beat’ any other permission [explicit, as in that specific user has deny access to a particular folder; that’s the end of the permission for him]. If a group he is in has a deny set against them, then again he will lose all permissions given via other groups. Should the deny be set higher, then an explicit allow will override that.
Quick check on effective NTFS permissions for user / group on a particular resource, by clicking on the effective permissions tab :doh:
Set against a resource, again cumulative, add them up, LEAST restrictive is set
When you have GROUPS accessing SHARED resources the following is used
Add all NTFS permissions – least restrictive is set
Add all share permissions – least restrictive is set
Then take the most restrictive of the two sets
Deny access overrides all(unless explicit access is granted)
And AK grab books on MCSA exams 70-290 and 70-291
also 70-270 for XP
read 'em well, it's all in there
and my head still hurts from the MCSE 2k3 exams
Last edited by foxyloxley; January 18th, 2008 at 01:24 AM.
55 - I'm fiftyfeckinfive and STILL no wiser,
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone
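To tie together the Figure 5 scenario quoted earlier, the "Deny beats Allow except when an explicit Allow meets an inherited Deny" rule, and the Share-vs-NTFS "most restrictive wins" rule, here is a small model of how Windows walks a DACL. This is an added example written for this thread, not code from any poster, from the quoted article, or from Windows itself: it models the canonical ACE order (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and combines it with a share ACL. The right names, group names (Group1, Group2, HR, non-HR, Executive) and sample users are constructed stand-ins, not real access-mask bits or real AD objects.

```python
"""Model of NTFS DACL evaluation and Share/NTFS combination (added example)."""
from dataclasses import dataclass

# Constructed right names (stand-ins for real access-mask bits).
READ, EXECUTE, WRITE, LIST = "Read", "Execute", "Write", "List"
READ_EXECUTE = frozenset({READ, EXECUTE})
FULL_CONTROL = frozenset({READ, EXECUTE, WRITE, LIST})


@dataclass(frozen=True)
class Ace:
    principal: str           # user or group the entry applies to
    kind: str                # "Allow" or "Deny"
    rights: frozenset
    inherited: bool = False  # True when propagated from the parent folder


def canonical_order(dacl):
    """Order ACEs as Windows stores them: explicit Deny, explicit Allow,
    inherited Deny, inherited Allow. Deny sorts ahead of Allow only within
    the same level, which is why an explicit Allow beats an inherited Deny."""
    rank = {(False, "Deny"): 0, (False, "Allow"): 1,
            (True, "Deny"): 2, (True, "Allow"): 3}
    return sorted(dacl, key=lambda a: rank[(a.inherited, a.kind)])


def ntfs_access(dacl, token, requested):
    """True if every requested right is granted to the token.

    token: the user plus every group the user belongs to.
    Walk the canonical DACL. A matching Deny that covers any still-ungranted
    right fails the whole request; matching Allows accumulate (permissions
    are cumulative); the walk stops once everything requested is granted.
    Running off the end with rights outstanding is an implicit deny.
    """
    remaining = set(requested)
    for ace in canonical_order(dacl):
        if ace.principal not in token:
            continue
        if ace.kind == "Deny" and remaining & ace.rights:
            return False
        if ace.kind == "Allow":
            remaining -= ace.rights
            if not remaining:
                return True
    return not remaining


def effective_rights(dacl, token):
    """Per-right view, roughly what the Effective Permissions tab shows."""
    return frozenset(r for r in FULL_CONTROL if ntfs_access(dacl, token, {r}))


def inherit(parent_dacl):
    """A child object's copy of the parent's ACEs, all marked inherited."""
    return [Ace(a.principal, a.kind, a.rights, inherited=True) for a in parent_dacl]


def share_access(share_dacl, ntfs_dacl, token, requested):
    """Access through a network share: both ACLs must grant the request,
    so the more restrictive of the two sets wins."""
    return (ntfs_access(share_dacl, token, requested)
            and ntfs_access(ntfs_dacl, token, requested))


# --- Constructed scenarios ---------------------------------------------------

# 1. The original question: Group1 allows, Group2 denies, both explicit on the
#    same folder. Deny sorts first at the same level, so a member of both loses.
two_groups = [Ace("Group1", "Allow", READ_EXECUTE), Ace("Group2", "Deny", READ_EXECUTE)]
both_member = {"alice", "Group1", "Group2"}

# 2. The Figure 5 scenario. C:\Data\HR inherits from C:\Data (modelled here as
#    an Administrators Full Control entry), allows HR and explicitly denies
#    non-HR. Private.doc inherits all of that and adds an explicit Executive Allow.
data_dacl = [Ace("Administrators", "Allow", FULL_CONTROL)]
hr_folder = inherit(data_dacl) + [Ace("HR", "Allow", READ_EXECUTE),
                                  Ace("non-HR", "Deny", FULL_CONTROL)]
public_doc = inherit(hr_folder)
private_doc = inherit(hr_folder) + [Ace("Executive", "Allow", READ_EXECUTE)]
executive = {"bob", "Executive", "non-HR"}

# 3. Share vs NTFS: the share grants Read only, NTFS grants HR Full Control.
share_dacl = [Ace("Everyone", "Allow", READ_EXECUTE | {LIST})]
hr_ntfs = [Ace("HR", "Allow", FULL_CONTROL)]
hr_member = {"carol", "HR", "Everyone"}

if __name__ == "__main__":
    print("Group1+Group2 read:", ntfs_access(two_groups, both_member, {READ}))        # False
    print("exec reads Public.doc:", ntfs_access(public_doc, executive, {READ}))        # False
    print("exec reads Private.doc:", ntfs_access(private_doc, executive, {READ}))      # True
    print("exec effective on Private.doc:", sorted(effective_rights(private_doc, executive)))
    print("HR write via share:", share_access(share_dacl, hr_ntfs, hr_member, {WRITE}))  # False
    print("HR write locally:", ntfs_access(hr_ntfs, hr_member, {WRITE}))              # True
```

Scenario 1 answers the opening question (the user in both groups is denied), scenario 2 reproduces the Executive case where the explicit Allow on Private.doc outranks the inherited non-HR Deny while Public.doc stays denied, and scenario 3 shows why a write that works at the console fails over a share whose permissions stop at Read.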