Oh - just wanted to update this, because there's something new in Vista that affects how this works.

<shameless plug> Michael Howard and I are working on a new book that is nearly done, and should be on the shelves in a couple of months - Writing Secure Code for Windows Vista. </shameless plug>

At any rate, one of the things we explain is that there is now a creator-owner rights SID. The way this works is that the rights granted to the creator-owner on the basis of merely being the creator of the object can be configured.

So if an ACL doesn't have a creator-owner rights ACE, it defaults to the same behavior as before - WRITE_DAC and READ_CONTROL. If there is a creator-owner rights ACE, then the creator-owner only gets as many rights as you give them. This is pretty cool, because you could then have objects created by someone in the admins group, and then they don't continue to have effectively full control through WRITE_DAC if they are taken out of the admins group later. It has some obvious implications for Active Directory objects and delegation as well.

Note that the same problem I pointed out earlier still exists - if someone places the ACL on the object at creation time, inherited ACEs don't apply, and they can do what they want - only thing you can do is monitor the folder (or other container), and fix things. Of course most users won't know how to do this, and it practically would seldom be a problem. It's also true that if you delegate out creation of something by impersonating the user, and they don't have direct access to create the object, they can't control how the ACL gets applied.

This feature will also be showing up in Longhorn Server.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of M. Burnett
Sent: Monday, February 05, 2007 9:59 AM
To: 'David LeBlanc'; 'De Rienzo, James'; 'Jim Harrison'; [EMAIL PROTECTED]; [email protected]
Subject: RE: Share and NTFS permissions

One way you can set custom permissions on new files is to use the file screens feature in Win2003 R2. You could create a file screen for all new files, have that screen run a script and that script can set permissions and can be as elaborate as you want. Of course, this does introduce a bit of a race condition but that would only be for the creator/owner. It may not work for every situation.

I mentioned this technique recently in my blog:
http://xato.net/bl/2007/02/01/using-filescreens-for-server-lockdowns/

Mark Burnett

-----Original Message-----
From: David LeBlanc [mailto:[EMAIL PROTECTED]
Sent: Monday, February 05, 2007 10:31 AM
To: 'De Rienzo, James'; 'M. Burnett'; 'Jim Harrison'; [EMAIL PROTECTED]; [email protected]
Subject: RE: Share and NTFS permissions

> -----Original Message-----
> From: De Rienzo, James [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 05, 2007 7:34 AM
> To: David LeBlanc; M. Burnett; Jim Harrison;
> [EMAIL PROTECTED]; [email protected]
> Subject: RE: Share and NTFS permissions
>
> Change the file's Ownership to Administrator, and be done with it.
>
> Simple yet effective.

And have the likely side-effect of removing access from the original owner. I'd suggest taking a more thorough approach. This is why I originally wrote:

"it takes ownership of anything showing up there, ****and sets an ACL the admin finds appropriate****"
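Added example (not part of the original thread, and not Windows' own code): a simplified Python model of the access check described in the first message, where the owner implicitly gets READ_CONTROL and WRITE_DAC unless the DACL carries an ACE for the owner-rights SID (the well-known SID S-1-3-4). The account SID for "alice" and both DACLs are constructed, and the model assumes alice herself, not the Administrators group, is recorded as the owner.

```python
# Simplified model of a maximum-allowed access check (illustrative only).
READ_CONTROL, WRITE_DAC = 0x00020000, 0x00040000
FILE_READ_DATA, FILE_WRITE_DATA = 0x0001, 0x0002
FULL = READ_CONTROL | WRITE_DAC | FILE_READ_DATA | FILE_WRITE_DATA

OWNER_RIGHTS = "S-1-3-4"                        # well-known owner-rights SID
ADMINS, USERS = "S-1-5-32-544", "S-1-5-32-545"  # built-in groups
ALICE = "S-1-5-21-1111-2222-3333-1001"          # constructed account SID


def granted_access(token_sids, owner_sid, dacl):
    """Return the access mask a caller holding token_sids would be granted.

    dacl is an ordered list of (ace_type, sid, mask); ace_type is
    "allow" or "deny".
    """
    is_owner = owner_sid in token_sids
    has_owner_ace = any(sid == OWNER_RIGHTS for _, sid, _ in dacl)
    granted = denied = 0
    # Behaviour before Vista: the owner implicitly holds READ_CONTROL and
    # WRITE_DAC. An owner-rights ACE in the DACL switches that off.
    if is_owner and not has_owner_ace:
        granted = READ_CONTROL | WRITE_DAC
    for ace_type, sid, mask in dacl:
        applies = sid in token_sids or (sid == OWNER_RIGHTS and is_owner)
        if not applies:
            continue
        if ace_type == "deny":
            denied |= mask & ~granted   # bits already granted stay granted
        else:
            granted |= mask & ~denied   # bits already denied stay denied
    return granted


# Constructed DACLs for an object alice created while she was an administrator.
LEGACY_DACL = [("allow", ADMINS, FULL), ("allow", USERS, FILE_READ_DATA)]
RESTRICTED_DACL = [("allow", OWNER_RIGHTS, READ_CONTROL)] + LEGACY_DACL

# alice's group membership after she is taken out of the admins group.
AFTER_REMOVAL = {ALICE, USERS}

if __name__ == "__main__":
    for label, dacl in (("no owner-rights ACE", LEGACY_DACL),
                        ("owner-rights ACE   ", RESTRICTED_DACL)):
        mask = granted_access(AFTER_REMOVAL, ALICE, dacl)
        can_rewrite = "yes" if mask & WRITE_DAC else "no"
        print(f"{label}: mask={mask:#010x} can rewrite ACL: {can_rewrite}")
```

The model does not cover the case raised later in that message, where the creator supplies an explicit ACL at creation time and inherited ACEs never apply.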
