Elizabeth Strachan (Guest)
Posted: Fri Sep 30, 2005 12:50 pm
Post subject: NTFS Deny not Working STRANGE

To anyone who can help,
I am having the strangest problem with a Windows 2003 Server.
Long story short we have to let some software developers TS into one of our
servers but the server also has company data on it that we don't want them to
access. The data is on a separate partition from anything else. My answer
was thus:
1. Create Domain Local Security Group
2. Deny Full Access at the root of the partition to the Group
3. Add users to the group.
Normally I would expect this to work but it does not. The deny is supposed
to override everything else but for some reason it is not working.
Here the strangeness continues:
If I log on as the user and double click on the partition it says "No Access"
as expected, but I can then do a D:\Some Folder on it and it all works fine.
They can then open documents and explore as they like.
I have gone into Advanced and reset permissions on files and folders. I
have gone into effective permissions and when I choose the group it says no
permission, when I choose one of the users it says Full Control. I have
removed and re-added the group to the user. The user has no special user
rights - we made a special group that had TS access but no ability to
shutdown/restart etc. so they are not system administrators.
The server is Windows 2003 SP1 and the only thing special about it is that
we have loaded the patch to hide folders via shares that users have no
permissions to.
I can't seem to find anyone else with the same problem so I am at a loss as to
how to fix it. I can specifically deny it for that specific user and it works, but
this will create a lot of maintenance for us in the long run.
Does anyone have any ideas?
Sincerely,
Elizabeth

Phil B (Guest)
Posted: Fri Sep 30, 2005 4:50 pm
Post subject: Re: NTFS Deny not Working STRANGE

I had a similar, but not identical, issue.
The problem was being caused by the difference between the permissions
accessible: (1) by clicking the 'Permissions' button on the Sharing tab,
and (2) by accessing the Security/Permissions tab.
I found that I couldn't just get away with setting the permissions on
one of the tabs; they also had to be set in the other place as well.
This has only happened with certain shares/folders, however.
Strange is indeed the word.

Steven L Umbach (Guest)
Posted: Fri Sep 30, 2005 4:50 pm
Post subject: Re: NTFS Deny not Working STRANGE

Out of curiosity try using a local group instead of a domain local group to
see if that changes anything. Also keep in mind that an explicit allow will
override an inherited deny for NTFS permissions so you may want to check
that possibility. It would also seem that the users that are remoting in are
a member of a group that has allow permissions to the folder such as Users,
Everyone, or Domain Users maybe. Even though deny permissions should work,
if that is the case you may want to configure permissions so that is not the
case, as in remove Users/Everyone/Domain Users and create a global group with
only the users that should have access and probably give Administrators and
SYSTEM full control. When doing your testing and you change group
memberships be sure to log off and log on again to refresh the token for the
test user. --- Steve

Steven L Umbach (Guest)
Posted: Sat Oct 01, 2005 12:50 am
Post subject: Re: NTFS Deny not Working STRANGE

I just also want to mention that you may want to rethink having software
developers remote into a computer that has company data on it. Ideally you
would want to have that data on a separate server that they can not possibly
access. You can then also use the user right "Access this computer from
the network" to restrict which users can access the server for using file
shares, and then also restrict access for Remote Desktop to not include them.
For higher security IPsec policies can be used to isolate sensitive
servers/data from those users AND computers that should not have access to
the data. IPsec policies must be thoroughly planned and tested after
reading MS documentation on the subject, however. --- Steve

Roger Abell [MVP] (Guest)
Posted: Sat Oct 01, 2005 4:50 pm
Post subject: Re: NTFS Deny not Working STRANGE

As Steve indicated, the problem is likely in your statement:

    Quote: The deny is supposed to override everything else but
    for some reason it is not working.

An ACL is composed of ACEs which are supposed to be ordered:
Explicit deny(s)
Explicit grant(s)
Inherited deny(s)
Inherited grant(s)
Think of the list as being walked in that order, and the processing
stopping as soon as it is known that the principal will or will not
have the requested permissions - and the semantics are that if
there is an explicit grant of what is requested, then it does not
matter if the same is denied by inheritance.
So, it is not that deny overrides everything else, but that deny
overrides the same type of grant.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4

Roger Abell [MVP] (Guest)
Posted: Sat Oct 01, 2005 4:50 pm
Post subject: Re: NTFS Deny not Working STRANGE

I forgot to add . . .
For this reason, and the all too easily confusing situations that can
arise, I highly recommend analyzing storage for a restructure that
avoids use of deny wherever possible.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
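The ACE walk Roger lays out, and the allow-only layout he and Steve recommend, are easier to see executed than described. The Python below is an added example, not code from this thread or from Windows: a toy model of the DACL access check using the four-bucket canonical order (explicit deny, explicit allow, inherited deny, inherited allow), run against an assumed layout that reproduces the symptom in the original post (Deny Full Control for a group at the root of D:, an explicit Allow for Users on a folder beneath it) and against an allow-only layout with no Users/Everyone entry. The group and user names (DevGroup, DataUsers, devuser, alice), the access masks and the ACLs are assumptions made for the example.

```python
"""Toy model of the NTFS DACL access check (added example, not Windows code).

Models the ACE walk in canonical order to show why an explicit Allow on a
subfolder beats a Deny inherited from the volume root, and why an allow-only
layout avoids the trap.  Names and ACLs below are assumptions for the example.
"""
from dataclasses import dataclass

# Simplified access mask; real NTFS masks have more bits but the walk is the same.
READ = 0x1
WRITE = 0x2
EXECUTE = 0x4
FULL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class Ace:
    trustee: str     # group or user name (stands in for a SID)
    allow: bool      # True: access-allowed ACE, False: access-denied ACE
    mask: int        # rights this ACE allows or denies
    inherited: bool  # False: set explicitly on this object


def canonical_order(acl):
    """Canonical NTFS order: explicit deny, explicit allow, inherited deny,
    inherited allow.  sorted() is stable, so ties keep their relative order."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))


def access_check(acl, token, requested):
    """Walk the ACL in canonical order the way the kernel does.

    ACEs whose trustee is not in the token are skipped.  A deny ACE covering
    any still-ungranted bit fails the check.  An allow ACE grants its bits and
    the walk stops once every requested bit is granted.  Ending the walk with
    bits still ungranted is a denial too (implicit deny, no ACE needed).
    """
    remaining = requested
    for ace in canonical_order(acl):
        if ace.trustee not in token:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def inherit(parent_acl):
    """A child object receives a copy of each parent ACE, flagged as inherited."""
    return [Ace(a.trustee, a.allow, a.mask, inherited=True) for a in parent_acl]


# A token is built at logon; adding a user to a group does not change the token
# of a session that is already open (hence "log off and log on again").
DEV_TOKEN = frozenset({"devuser", "DevGroup", "Users", "Everyone"})
DATA_TOKEN = frozenset({"alice", "DataUsers", "Users", "Everyone"})

# Assumed layout from the thread: Deny Full Control for DevGroup at the root of
# D:, Users still allowed there, and an explicit Allow for Users on the folder
# below.  The folder inherits the root ACEs.
ROOT_ACL = [
    Ace("DevGroup", allow=False, mask=FULL, inherited=False),
    Ace("Users", allow=True, mask=READ | EXECUTE, inherited=False),
]
SOME_FOLDER_ACL = inherit(ROOT_ACL) + [
    Ace("Users", allow=True, mask=FULL, inherited=False),
]

# Allow-only layout: no Users/Everyone ACE, only DataUsers, Administrators and
# SYSTEM; the subfolder inherits and adds nothing of its own.
DATA_ACL = [
    Ace("Administrators", allow=True, mask=FULL, inherited=False),
    Ace("SYSTEM", allow=True, mask=FULL, inherited=False),
    Ace("DataUsers", allow=True, mask=FULL, inherited=False),
]
DATA_SUB_ACL = inherit(DATA_ACL)


def deny_based_results():
    """Reproduces the symptom: "No Access" on D:\\ but the subfolder opens."""
    return {
        "D:\\": access_check(ROOT_ACL, DEV_TOKEN, READ),
        "D:\\Some Folder": access_check(SOME_FOLDER_ACL, DEV_TOKEN, READ),
    }


def allow_only_results():
    """With no broad Allow to override, the developer is denied everywhere."""
    return {
        "devuser D:\\Data": access_check(DATA_ACL, DEV_TOKEN, READ),
        "devuser D:\\Data\\Sub": access_check(DATA_SUB_ACL, DEV_TOKEN, READ),
        "alice D:\\Data\\Sub": access_check(DATA_SUB_ACL, DATA_TOKEN, READ | WRITE),
    }


if __name__ == "__main__":
    for name, result in {**deny_based_results(), **allow_only_results()}.items():
        print(f"{name:22} {'allowed' if result else 'denied'}")
```

Run it and the first two lines show the thread's symptom: the developer token is denied at D:\ because the explicit Deny is the first matching ACE, but allowed in D:\Some Folder because the explicit Allow for Users sorts ahead of the inherited Deny and grants every requested bit before the Deny is ever reached. Effective Permissions behaves the same way: a token containing only DevGroup never matches the Users allow and is denied, while the full user token is allowed, which is why the dialog reports nothing for the group and Full Control for the user. The model ignores owner rights, privileges and share permissions; on a server that has it, `icacls <path>` lists the ACL with (I) marking inherited entries, which is the quickest way to spot an explicit Allow sitting on a subfolder.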

Elizabeth Strachan (Guest)
Posted: Wed Oct 05, 2005 12:50 am
Post subject: Re: NTFS Deny not Working STRANGE

First off - thanks for all the good input. I have done and studied every MS
exam text since NT4 and never did I once realise that an explicit allow
overrides an inherited deny. I always thought that a deny killed everything.
Secondly - I checked the explicit/inherited dilemma and at the folder level
and below where the data is there is only inherited permissions for both the
allow and deny so it should not be a problem?
I would rather not be giving these guys direct access to the server but it
is out of my hands because they are writing an app that plugs into the line
of business application. This customer is a small business so they do not
have spare servers kicking around.
I too am a firm believer in never using deny permissions and just not
allowing but in this particular instance I felt it would be far, far easier
just to deny access to a certain partition because we wanted them to have
access to everything else. I guess I was wrong and I will now probably need
to spend hours reconfiguring the permissions to make it work how we want.
"Roger Abell [MVP]" wrote:
| Quote: | I forgot to add . . .
For this reason, and the all to easily confusing situations that can
arise, I highly recommend analyzing storage for a restructure that
avoids use of deny whereever possible.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Elizabeth Strachan" <ElizabethStrachan@discussions.microsoft.com> wrote in
message news:FFF115A9-0B0E-47BB-B615-666EF49932DF@microsoft.com...
To anyone who can help,
I am having the strangest problem with a Windows 2003 Server.
Long story short we have to let some software developers TS into one of
our
servers but the server also has company data on it that we don't want them
to
access. The data is on a separate partition from anything else. My
answer
was thus:
1. Create Domain Local Security Group
2. Deny Full Access at the root of the partition to the Group
3. Add users to the group.
Normally I would expect this to work but it does not. The deny is
supposed
to override everything else but for some reason it is not working.
Here the strangeness continues:
If I Logon as the user and double click on the partition it says "No
Access"
as expected but I can then do a D:\Some Folder on it and it all works
fine.
They can then open documents and explore as they like.
I have gone into Advanced and reset permissions on files and folders. I
have gone into effective permissions and when I choose the group it says
no
permission, when I choose one of the users it says Full Control. I have
removed and re-added the group to the user. The user has no special user
rights - we made a special group that had TS access but no ability to
shutdown/restart etc. so they are not system administrators.
The server is Windows 2003 SP1 and the only thing special about it is that
we have loaded the patch to hide folders via shares that users have no
permissions to.
I can't seem to find anyone else with the same problem so I am at a loss
to
fix it? I can specifically deny it for that specific user and it works
but
this will create us a lot of maintenance in the long run.
Does anyone have any ideas?
Sincerely,
Elizabeth
|
|
|
| Back to top |
|
 |
|
|
|
|