Posted by Roger Abell [MVP] on March 10, 2007, 1:38 am
There is a formal terminology that revolves around making the
"mandatory" access control distinction. You do seem to speak
within this context. Normally by mandatory access control we
mean prescribing what the access control must be, absolutely
and without possibility of it being different.

Windows in the released version is not capable of mandatory
access control. There seem to be main reasons. One, which you almost
mention, is that the creator of a new filesystem object becomes
the owner of the object; and, the owner is always able to change
the access control on the object. (The actual case you mention
sounds more to be an artifact from having a grant to Creator Owner
on the parent container, which is a default ACLing used in post
NT4 Windows, but which can be removed and so does not prevent
Windows from being capable of mandatory access control.)

In order to come close to what you are after one needs to do
something like you have suggested. One way is to have a
security template that carries the filesystem specifications
and have this periodically applied such as by scheduled run
of secedit to apply the template. A better way is to use WMI
eventing and have a process that is always running and subscribed
to relevant changes in the storage area of interest, which same
process when evented examines the relevant change adjusting
ownership and ACLing as needed. That still is not mandatory
access control (there must be no possibility for access control
to be set differently than prescribed), but that does allow
for a much shorter time-window during which the ACLing is
misaligned than do the scheduled/non-evented solutions.

Either approach will address the case you mention, and the
breach of mandatory control due to vesting ownership in the
object creator, and those from the other two origins I have
not mentioned. But you must craft the solution, and technically
you still do not end up with mandatory access control (just a
behavior very close to it).

Roger

> Hi,
>
> I've been using Windows Server for years, but there's one thing I've
> never been able to figure out: Is it possible to define mandatory
> filesystem permissions, i.e. permissions that are always used and cannot
> be overridden without admin intervention?
>
> I have a large shared storage pool that contains shared apps and data
> (software, group documents, etc) for the users on the network. Default
> permissions are for Administrators and SYSTEM to have full privs,
> while Users have modify privs. Periodically however, one of the users
> will drop a new folder in there and the permissions on that new folder
> will have him with full privs. It's even worse with NFS access into
> the folder.
>
> What I'd like to do is set mandatory permissions that are always
> enforced but I can't seem to find a way to do this in Windows.
>
> Is my alternative to use something like CACL or SetACL in task
> scheduler, and constantly slam the whole filesystem every few hours?
>
> Thanks
>
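
The scheduled variant of the approach described in the reply above, as an added example that is not part of the original thread: a PowerShell sweep (used here in place of a secedit template) that reports objects under a share whose owner or ACL has drifted and, with `-Repair`, realigns them using icacls. The root path `D:\Shared`, the prescribed state (owner BUILTIN\Administrators, inherited ACEs only below the root) and PowerShell 3.0 or later in an elevated session are assumptions.

```powershell
# Added example: audit a shared tree for ownership/ACL drift, optionally repair.
# Assumed prescribed state: every object below $Root is owned by
# BUILTIN\Administrators (S-1-5-32-544) and carries inherited ACEs only.
param(
    [string]$Root = 'D:\Shared',   # hypothetical share root
    [switch]$Repair                # without this switch the script only reports
)

$adminsSid = 'S-1-5-32-544'
$sidType   = [System.Security.Principal.SecurityIdentifier]

function Get-AclDrift {
    # Returns an empty string when the object matches the prescribed state,
    # otherwise a short description of what differs.
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        return 'ACL unreadable'
    }
    $reasons = @()
    if ($acl.GetOwner($sidType).Value -ne $adminsSid) {
        $reasons += "owner is $($acl.Owner)"
    }
    if ($acl.AreAccessRulesProtected) { $reasons += 'inheritance blocked' }
    # includeExplicit = $true, includeInherited = $false
    $explicit = $acl.GetAccessRules($true, $false, $sidType)
    if ($explicit.Count -gt 0) { $reasons += "$($explicit.Count) explicit ACE(s)" }
    return ($reasons -join '; ')
}

# Get-ChildItem does not return $Root itself, so the root keeps the explicit
# ACEs that define the policy; only its descendants are checked.
Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
    $path  = $_.FullName
    $drift = Get-AclDrift -Path $path
    if (-not $drift) { return }
    Write-Output "DRIFT  $path  ($drift)"
    if ($Repair) {
        # Owner first, then ACL: an inheritable CREATOR OWNER ACE on the parent
        # is resolved against the object's owner when inherited ACEs are rebuilt.
        # /L acts on a symbolic link itself rather than its target; /Q is quiet.
        & icacls.exe $path /setowner "*$adminsSid" /L /Q | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "setowner failed: $path" }
        & icacls.exe $path /reset /L /Q | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reset failed: $path" }
    }
}
```

Run it without `-Repair` first to review what would change; scheduling it only narrows the window in which the ACLing is misaligned, as the reply notes.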