No, I am asking for clarification on the original question. Why when a user is granted Read & Execute are they also granted the special permission Create Folders\Append Data and Create Files\Write Data? Is it only so that a user can create temporary files? It seems silly to me that when you grant someone read access they by default can also write.

On 9/4/07, Ansgar -59cobalt- Wiechers <[EMAIL PROTECTED]> wrote:
> On 2007-09-03 Megan Kielman wrote:
> > On 8/24/07, Ansgar -59cobalt- Wiechers <[EMAIL PROTECTED]> wrote:
> >> On 2007-08-22 Robert McIntyre wrote:
> >>> On my Windows 2003 servers we create a data partition and format it
> >>> with NTFS. The default permissions for Users are Read & Execute,
> >>> List Folder Contents, and Read. This is what we want. But the
> >>> Users account also gets the special permissions Create
> >>> Folders\Append Data and Create Files\Write Data.
> >>>
> >>> From the articles that I have seen on TechNet, the special
> >>> permissions are not needed if we only want read access. So why are
> >>> they there by default? What purpose do they serve? If we remove
> >>> the special permissions will it cause problems?
> >>>
> >>> The only thing that I could think of is that maybe it is needed to
> >>> create a temporary file when you open a document for reading.
> >>
> >> If you remove those ACEs your users will be unable to create files
> >> and folders on that partition. That may cause problems e.g. in cases
> >> when they need to open files with programs like MS Word, because Word
> >> creates temp files in the same directory as the document.
> >
> > How is the Create Folders/Append Data and Create Files/Write Data
> > permission different than Write?
>
> The former two are subsets of the latter. "Write" permissions consist of
> these four basic permissions:
>
> - Create Files/Write Data
> - Create Folders/Append Data
> - Write Attributes
> - Write Extended Attributes
>
> > How does it differentiate an action where the user intends to
> > create/write data versus creating a temp file as a byproduct of
> > opening a Word doc?
>
> You aren't asking what the difference between writing to an already
> existing file and creating a new file is, are you?
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches
> becoming available."
> --Jason Coombs on Bugtraq
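
Added example, not part of the original thread: a PowerShell audit that lists which of the four basic permissions making up "Write" each Allow ACE on a folder actually grants, and where that ACE applies. The path `D:\` is a placeholder for the data partition root, and the output column names are this example's own.

```powershell
# Added example, not from the thread. $Path is a placeholder for the data partition root.
# Requires PowerShell 3.0 or later ([ordered], [pscustomobject], Get-Acl -LiteralPath).
param([string]$Path = 'D:\')

$fsr = [System.Security.AccessControl.FileSystemRights]

# The four basic permissions that make up "Write", as listed in the thread.
$writeParts = [ordered]@{
    'Create Files/Write Data'    = $fsr::WriteData
    'Create Folders/Append Data' = $fsr::AppendData
    'Write Attributes'           = $fsr::WriteAttributes
    'Write Extended Attributes'  = $fsr::WriteExtendedAttributes
}

(Get-Acl -LiteralPath $Path).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $ace  = $_
        # Specific-rights bits only: an ACE expressed purely with generic
        # rights (GENERIC_WRITE / GENERIC_ALL) is not decoded by this check.
        $mask = [int]$ace.FileSystemRights

        # Names of the Write components whose bit is set in this ACE.
        $held = @($writeParts.Keys |
            Where-Object { ($mask -band [int]$writeParts[$_]) -ne 0 })

        if ($held.Count -eq 0) { return }   # ACE grants no write component

        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            WriteParts = $held -join '; '
            Coverage   = if ($held.Count -eq $writeParts.Count) { 'all of Write' }
                         else { 'subset of Write' }
            Inherited  = $ace.IsInherited
            # Inheritance/propagation flags show whether the ACE covers this
            # folder, subfolders, files, or only some of them.
            AppliesTo  = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        } | Write-Output
    } | Format-Table -AutoSize -Wrap
```

Rows marked `subset of Write` correspond to the "special permissions" case discussed above, where an account holds some of the four components without holding Write as a whole.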
