boomboom999 External

Since: Nov 15, 2005 Posts: 9
|
Posted: Wed Nov 16, 2005 4:10 pm Post subject: Permissions for Creator Owner Archived from groups: microsoft>public>windowsxp>security_admin (more info?) |
|
|
By default in Windows 2000/XP/2003 many files and registry keys have
explicit permissions for CREATOR/OWNER which is always
"Full control".
Like this:
CREATOR/OWNER Full Control
Administrators Full Control
System Full Control
Why bother to add a special permission for CREATOR/OWNER when by
design CREATOR has always all needed permissions on its own files?
What would happen if we remove these permissions on NTFS volumes and in
Registry?
Steven L Umbach5 External

Since: Jul 05, 2004 Posts: 2936
|
Posted: Wed Nov 16, 2005 10:50 pm Post subject: Re: Permissions for Creator Owner [Login to view extended thread Info.] Archived from groups: per prev. post (more info?) |
|
|
The owner always has the ability to change permissions but if creator owner
placeholder was not present the owner would have the permissions based on
his group membership or user explicit permissions. There seems to be an
assumption that the creator owner of a folder file should have full control
and can be helpful in situations where you might want only the owner of a
file to be able to modify or delete it who otherwise would have restrictive
permissions that would not allow it based on group membership/explicit user
permissions. You can modify creator owner permissions. Many users would not
know or care that they can change permissions as the owner.
--- Steve
<boomboom999.DeleteThis@yahoo.com> wrote in message
news:1132186231.921205.50650@g44g2000cwa.googlegroups.com...
> By default in Windows 2000/XP/2003 many files and registry keys have
> explicit permissions for CREATOR/OWNER which is always
> "Full control".
> Like this:
> CREATOR/OWNER Full Control
> Administrators Full Control
> System Full Control
> Why bother to add a special permission for CREATOR/OWNER when by
> design CREATOR has always all needed permissions on its own files?
> What would happen if we remove these permissions on NTFS volumes and in
> Registry?
boomboom999 External

Since: Nov 15, 2005 Posts: 9
|
Posted: Thu Nov 17, 2005 4:21 am Post subject: Re: Permissions for Creator Owner [Login to view extended thread Info.] Archived from groups: per prev. post (more info?) |
|
|
Steven L Umbach wrote:
> The owner always has the ability to change permissions but if creator owner
> placeholder was not present the owner would have the permissions based on
> his group membership or user explicit permissions.
Do you want to say that if the record
CREATOR/OWNER = Full Control
is not present, the OWNER still has "full control" but only through
his power to reset any administrator-defined ACLs?
There are two problems here:
1. The placeholder does not follow the real owner. So if I transfer
ownership to another user, the ACL still contains the record for the old
user. The only way is to reset (remove/re-add) this ACL on the folder
level.
2. When I have 2 or more administrators and I want to keep traces of
what each of them placed/created on the server, file and registry ACLs
on server quickly become polluted by administrators' usernames which
creates some problems when auditing ACLs.
I'd suggest that Microsoft separate notions of Owner and Creator and
give flexibility to manage Owner's default supremacy.
Steven L Umbach5 External

Since: Jul 05, 2004 Posts: 2936
|
Posted: Thu Nov 17, 2005 10:48 am Post subject: Re: Permissions for Creator Owner [Login to view extended thread Info.] Archived from groups: per prev. post (more info?) |
|
|
If creator owner is removed the owner still can always potentially change
the permissions. In XP Pro and Windows 2003 you can configure the security
option for system objects: default owner of objects created by
administrators group to be either administrators or object creator if you
want though that still does make it work the way you want and any
administrator can change that security option. While I agree that it is
difficult tracking what administrators do there has to be a certain level of
trust because of the power of the group membership granted to them. A
skilled administrator could almost always cover his tracks if he wanted.
--- Steve
<boomboom999 RemoveThis @yahoo.com> wrote in message
news:1132230090.784028.290850@g49g2000cwa.googlegroups.com...
> Steven L Umbach wrote:
>> The owner always has the ability to change permissions but if creator owner
>> placeholder was not present the owner would have the permissions based on
>> his group membership or user explicit permissions.
>
> Do you want to say that if the record
>
> CREATOR/OWNER = Full Control
>
> is not present, the OWNER still has "full control" but only through
> his power to reset any administrator-defined ACLs?
>
> There are two problems here:
> 1. The placeholder does not follow the real owner. So if I transfer
> ownership to another user, the ACL still contains the record for the old
> user. The only way is to reset (remove/re-add) this ACL on the folder
> level.
>
> 2. When I have 2 or more administrators and I want to keep traces of
> what each of them placed/created on the server, file and registry ACLs
> on server quickly become polluted by administrators' usernames which
> creates some problems when auditing ACLs.
>
> I'd suggest that Microsoft separate notions of Owner and Creator and
> give flexibility to manage Owner's default supremacy.
boomboom999 External

Since: Nov 15, 2005 Posts: 9
|
Posted: Tue Nov 22, 2005 9:00 am Post subject: Re: Permissions for Creator Owner [Login to view extended thread Info.] Archived from groups: per prev. post (more info?) |
|
|
Thank you for your responses.
What do you think if I remove "Creator/Owner=Full Control" records from
default Windows XP ACLs on the file system and in Registry?
Any side effects?
Is it a risky approach?