On Tue, Aug 10, 2010 at 8:03 AM, Ziots, Edward <[email protected]> wrote:
> If they don't have at least read on the directory, they aren't getting
> access to it, which means they aren't going to have write, unless you
> explicitly add that accordingly, which I believe also adds read.

  Incorrect.

  With NTFS, objects can have Read but not Write.  Yes, in the basic
"Security tab" GUI, when you check "Write" it adds "Read"
automatically, but that's a feature of the GUI.  You can then uncheck
"Read" if you want.  If you're using API calls or various command-line
tools, adding "Write" does not explicitly add "Read".

  This has real-world uses.  For example, a "drop box" folder, where
users can copy files in, but cannot access other stuff in there.

  Also, if a user has the "Bypass traverse checking" right, if they
have no permission to a directory but they have permission to objects
within that directory, and they know the names of those objects, they
can still access those objects.  "Bypass traverse checking" is
assigned to all users by default, and removing it breaks things.

-- Ben
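
The write-without-read ACL described in the message above, built through the .NET access-control API from PowerShell. This is an added example, not part of the original message; the folder path and the use of BUILTIN\Users as the depositing group are assumptions for illustration.

```powershell
# Added example: write-only "drop box" ACL. Path and principals are constructed.
$path = Join-Path $env:TEMP 'dropbox-demo'
New-Item -ItemType Directory -Path $path -Force | Out-Null

$fsr   = [System.Security.AccessControl.FileSystemRights]
$inh   = [System.Security.AccessControl.InheritanceFlags]
$prop  = [System.Security.AccessControl.PropagationFlags]
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# Depositors: the built-in Users group (assumption). Reviewer: the current account.
$users = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::BuiltinUsersSid, $null)
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

$acl = Get-Acl -Path $path
# Protect the DACL and drop inherited ACEs so only the rules below apply.
$acl.SetAccessRuleProtection($true, $false)

# Full control for the reviewer, inherited by everything dropped into the folder.
$inheritAll = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $me, $fsr::FullControl, $inheritAll, $prop::None, $allow)))

# Write only, on this folder only. Nothing here grants ReadData, which on a
# directory is the "List folder" right, so the API does not add Read for us.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users, $fsr::Write, $inh::None, $prop::None, $allow)))

Set-Acl -Path $path -AclObject $acl

# Read the ACL back and report, per ACE, whether the ReadData bit is present.
(Get-Acl -Path $path).Access | ForEach-Object {
    [pscustomobject]@{
        Identity = $_.IdentityReference
        Rights   = $_.FileSystemRights
        ReadData = (([int]$_.FileSystemRights -band [int]$fsr::ReadData) -ne 0)
        Inherits = $_.InheritanceFlags
    }
} | Format-Table -AutoSize
```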
