Click here to get back home

Folder Security Issue
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Folder Security Issue Bill 11-01-2007
Posted by Bill on November 1, 2007, 10:53 am
Please log in for more thread options
 Having been through various posts about NTFS and trying many things I
don't think I can do this with anything simple and easy for I am
looking for some solutions.

Here is the situation
\DFS\Projects 2007\Project #1
\DFS\Projects 2007\Project #2
\DFS\Projects 2007\Project #3

I need to figure out a way so that you cannot MOVE any Project folder,
its subfolder or files to a different project.

All projects of a given year all reside on the same volume on the
server.

I have managed to get it so users cannot delete or move specific
folders, but I need them to be able to move them around and delete
them within the project.

The users use mapped drives to connect to the DFS root, so I can
afford to have some leeway in how the DFS is structured. Plus any
short term issues of fixing broken files/programs will be nothing
compared to the long term security of people not dragging and dropping
folders where they shouldn't.


Posted by Steven L Umbach on November 1, 2007, 6:53 pm
Please log in for more thread options
 What you need to look at is to possibly use special permissions [in advanced
security] and in that case you will see you have many options for
permissions in the apply onto drop down box [folders, subfolders, and files
and combinations thereof] and users/groups can have different permissions
for each set available. At first this is kind of hard to figure out if you
have not used special permissions before but a good place to see it
configured is on the drive/root folder of an XP Pro computer. For instance
you could try to deny write [or implicit lack of write] for create folders
to the root folder only of each project. While that may help it may not be
able to do completely what you want to do as a user can move a folder as
long as he has delete folder permission at the source and write/create
folder at the destination but it may stop most accidental drag and drops.

Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;308419 --- using
NTFS special permissions


> Having been through various posts about NTFS and trying many things I
> don't think I can do this with anything simple and easy for I am
> looking for some solutions.
>
> Here is the situation
> \DFS\Projects 2007\Project #1
> \DFS\Projects 2007\Project #2
> \DFS\Projects 2007\Project #3
>
> I need to figure out a way so that you cannot MOVE any Project folder,
> its subfolder or files to a different project.
>
> All projects of a given year all reside on the same volume on the
> server.
>
> I have managed to get it so users cannot delete or move specific
> folders, but I need them to be able to move them around and delete
> them within the project.
>
> The users use mapped drives to connect to the DFS root, so I can
> afford to have some leeway in how the DFS is structured. Plus any
> short term issues of fixing broken files/programs will be nothing
> compared to the long term security of people not dragging and dropping
> folders where they shouldn't.
>



Posted by Roger Abell [MVP] on November 6, 2007, 9:29 am
Please log in for more thread options
At the end of the day Bill I believe you will find that you have
researched this issue completely (based on what you have said)
and that there is no solution. If they can delete within a project
area, as you indicate they do need to be allowed, then if they
try to move something to a different project area where they can
write, then all will move up to the point where a delete is tried
that is disallowed. This usually means that substructure and
its files get moved to the new location and an empty dir gets
left behind. I have found no solution nor heard of one, other
than user education or scheduled examine and cleanup scripts.

Roger

> Having been through various posts about NTFS and trying many things I
> don't think I can do this with anything simple and easy for I am
> looking for some solutions.
>
> Here is the situation
> \DFS\Projects 2007\Project #1
> \DFS\Projects 2007\Project #2
> \DFS\Projects 2007\Project #3
>
> I need to figure out a way so that you cannot MOVE any Project folder,
> its subfolder or files to a different project.
>
> All projects of a given year all reside on the same volume on the
> server.
>
> I have managed to get it so users cannot delete or move specific
> folders, but I need them to be able to move them around and delete
> them within the project.
>
> The users use mapped drives to connect to the DFS root, so I can
> afford to have some leeway in how the DFS is structured. Plus any
> short term issues of fixing broken files/programs will be nothing
> compared to the long term security of people not dragging and dropping
> folders where they shouldn't.
>



Similar ThreadsPosted
Security issue about NTUSER.MAN November 25, 2006, 12:45 pm
Security Issue/Question April 28, 2007, 12:12 am
Application security issue May 15, 2007, 2:13 pm
Windows 2003 security issue January 25, 2006, 3:50 am
IIS or directory security issue on 2003 E server January 12, 2007, 9:56 pm
Re: Ntbackup Windows 2003 SP1 issue (VSS/Security) June 13, 2005, 6:37 pm
Re: Ntbackup Windows 2003 SP1 issue (VSS/Security) May 13, 2007, 5:47 pm
Re: Server 2008 Domains - Security issue February 15, 2008, 2:51 am
Bizarre File Security Issue in Win2003 server January 12, 2006, 9:50 am
RPC Local Security Windows 2003 Trust Issue February 2, 2006, 9:02 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap