You don't need read permissions on a directory to open a file in it that you have read permissions on, assuming no one messed with the default settings regarding the Bypass Traverse Checking privilege. Which is why ABE can instill a false sense of security. Remember that Volume-local move will retain permissions.
-Anders

On Tue, Aug 10, 2010 at 2:03 PM, Ziots, Edward <[email protected]> wrote:

> Ken,
>
> If they don't have at least read on the directory, they aren't getting
> access to it, which means they aren't going to have write, unless you
> explicitly add that accordingly, which I believe also adds read.
>
> I agree the NTFS permissions need to be correct, and you should lay down
> auditing, (by Group, user or per-user auditing) to ensure that your
> permissions are working as needed.
>
> And TEST TEST TEST.
>
> Been using ABE for quite a while and it's a nice way to streamline
> things.
>
> Z
>
> Edward E. Ziots
> CISSP, Network +, Security +
> Network Engineer
> Lifespan Organization
> Email:[email protected]
> Cell:401-639-3505
>
> -----Original Message-----
> From: Ken Schaefer [mailto:[email protected]]
> Sent: Tuesday, August 10, 2010 7:48 AM
> To: NT System Admin Issues
> Subject: RE: File server structure and perms
>
> -----Original Message-----
> From: Ziots, Edward [mailto:[email protected]]
> Sent: Tuesday, 10 August 2010 9:34 PM
> To: NT System Admin Issues
> Subject: RE: File server structure and perms
>
> Have you had experience in Access Based Enumeration? You can set up one
> master share, and unless you have NTFS permissions of read to the
> directory underneath, the user doesn't even see the directory, which
> means they wouldn't be able to read/write from it, and should solve the
> problem.
>
> Just because someone can't see a directory doesn't mean they can't
> read/write from it - they just need to know that the folder is there.
> Only appropriate NTFS permissions stop this, which means that ABE or no,
> the NTFS permissions have to be set up correctly.
>
> This is one reason why Microsoft didn't introduce ABE for a long time -
> it adds next to nothing from a security perspective. It just stops
> inquisitive users attempting to poke around.
>
> Cheers
> Ken
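
One way to audit for the case discussed in this thread (objects an account can open by full path although the parent folder gives it no read/list right, so ABE hides the folder without protecting its contents), added here as an example and not written by any of the posters. `$Root` and `$Principals` are hypothetical values, and the check is an approximation: it reads ACEs directly, treats any matching Deny as blocking, and does not expand group membership.

```powershell
# Added example, not from the thread. Run as an account that can read ACLs under $Root.
# Assumptions: $Root and $Principals are hypothetical. List the account AND every group
# it belongs to, because group membership is not expanded here.
$Root       = 'D:\Shares\Master'
$Principals = @('CONTOSO\jdoe', 'CONTOSO\Sales', 'BUILTIN\Users', 'Everyone')

# Single-bit rights keep the mask test simple.
$ReadBit     = [int][System.Security.AccessControl.FileSystemRights]::ReadData   # same bit as ListDirectory
$WriteBit    = [int][System.Security.AccessControl.FileSystemRights]::WriteData  # same bit as CreateFiles
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-Granted {
    param([string]$Path, [int]$Bit)
    # ACEs that name one of our principals, apply to this object itself
    # (not inherit-only), and include the requested right.
    $aces = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        ($Principals -contains $_.IdentityReference.Value) -and
        (([int]$_.PropagationFlags -band $InheritOnly) -eq 0) -and
        (([int]$_.FileSystemRights -band $Bit) -ne 0)
    }
    $denied  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny'  }).Count -gt 0
    $allowed = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' }).Count -gt 0
    return ($allowed -and -not $denied)
}

# Report every file or folder the principals can read or write even though
# they cannot list its parent folder.
Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $parent = Split-Path -Parent $_.FullName
    if (-not (Test-Granted -Path $parent -Bit $ReadBit)) {
        $canRead  = Test-Granted -Path $_.FullName -Bit $ReadBit
        $canWrite = Test-Granted -Path $_.FullName -Bit $WriteBit
        if ($canRead -or $canWrite) {
            [pscustomobject]@{ Path = $_.FullName; Read = $canRead; Write = $canWrite }
        }
    }
}
```

Each row in the output is a path whose NTFS ACL needs review; an empty result only covers the principals listed in `$Principals`.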
