Re: NTFS Effective Permissions?

From: Al Dunbar [MS-MVP] (alan-no-drub-spam_at_hotmail.com)
Date: 12/30/04


Date: Wed, 29 Dec 2004 21:05:45 -0700


"Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
news:OL2NXRf7EHA.2452@TK2MSFTNGP14.phx.gbl...
> Hi,
>
> > For example, I often see NTFS objects whose security settings as displayed
> > in the GUI are identical, while a script that uses ADsSecurity.dll to
> > display the detailed security settings shows that they are not the same. I
> > assume that this has something to do with how permissions were inherited by
> > the objects and/or how they were created.
>
> Can you clarify? If you go into the "Advanced" tab of the GUI, are you
> saying it's not the same as what you see when using a script? Do you
> have any such folder on your computer where you can test this? When you
> run CACLS on such a folder, does it agree with the GUI, or with your script?

OK, there are two profile folders on my XP system, Jon and Al. Obviously,
these are permitted differentially to two different accounts, so I will
focus on the permissions that are extended to "SYSTEM". In the advanced
security settings tab, each folder shows the following for SYSTEM:

type = allow
name = SYSTEM
permission = full control
inherited from = <not inherited>
apply to = this folder, subfolders and files

Same so far. If I click the respective "Edit..." buttons, they show a check
in every "allow" box. Still the same, identical, in fact.

I then run a VBScript (you'll have to trust me on this a little bit), and it
shows two entries for SYSTEM on the Jon folder, but only one on the Al
folder. Below (and also attached) is the complete output from this
script:

C:\Documents and Settings\Jon
no.  flags  aceflgs  acetype  accessmask  trustee
1    0      0        0        001F01FF    MYPC\Jon
2    0      0        0        001F01FF    NT AUTHORITY\SYSTEM
3    0      0        0        001F01FF    BUILTIN\Administrators
4    0      11       0        10000000    MYPC\Jon
5    0      11       0        10000000    NT AUTHORITY\SYSTEM
6    0      11       0        10000000    BUILTIN\Administrators
C:\Documents and Settings\Al
no.  flags  aceflgs  acetype  accessmask  trustee
1    0      3        0        001F01FF    BUILTIN\Administrators
2    0      3        0        001F01FF    MYPC\Al
3    0      3        0        001F01FF    NT AUTHORITY\SYSTEM

Sure, they both seem to give FULL access to SYSTEM, but one does it with an
ace flag value of 3 and accessmask of 001F01FF, while the other uses an ace
flag value of zero and also throws in an 11 with mask of 10000000.

The point here is that I did not use a script to set them up differently
this way, this just happened through the normal process of logging in and
having one's profile created. It's not like the level of actual permission
is different, just, as I said before, you cannot tell the difference from
the normal security tabs, and have to look at the lower level details to see
that they are not identical.

CACLS shows the difference, but in a different way:

C:\Documents and Settings>cacls al
C:\Documents and Settings\Al BUILTIN\Administrators:(OI)(CI)F
                             MYPC\Al:(OI)(CI)F
                             NT AUTHORITY\SYSTEM:(OI)(CI)F

C:\Documents and Settings>cacls jon
C:\Documents and Settings\Jon MYPC\Jon:F
                              NT AUTHORITY\SYSTEM:F
                              BUILTIN\Administrators:F
                              MYPC\Jon:(OI)(CI)(IO)F
                              NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
                              BUILTIN\Administrators:(OI)(CI)(IO)F

> > If they attempted to superimpose a layer of sensibility on this whole domain
> > at the scripting level, I think they would be making the same mistake that
> > has been made elsewhere where the nitty gritty details get bound up in a
> > presentation layer of sorts.
>
> I know what you mean, but I think the current model does make sense.

I believe it makes sense too, I just find the nittier grittier details to be
somewhat poorly explained.

> > What *would* be nice would be a good
> > explanation of just exactly what is meant by the terminology used at the
> > low level, and what it actually does.
>
> I think this is the main problem. Once you start reading the Security
> SDK you get to page two, and decide to throw the computer out of the
> nearest window, but once you get used to the terminology it gets a lot
> easier.

I don't mind the terminology, I am just confused by the lack of explanation
of the various possible ace flags values, how they get applied, and how they
interact.

> Each "object" (File or Folder if you like) is assigned a "list" (DACL)
> of who can access it, and in what way (read-only, write, execute etc).
> Each "entry" in the list is called an ACE (Access Control Entry). Part
> of the ACE will be the "Trustee" (e.g. domain\joebloggs). So basically
> each file has a collection of ACEs that make up a DACL. You can enum the
> entries in script just like any other collection.

And have done. This part is quite easy to follow. It is the flags and acl
flags that throw me for a loop. Also, the explanation of how dynamic
inheritance is implemented is a bit vague to me.

> In reality, the permissions can be a nightmare even using the GUI. [Ever
> looked at multi-level permissions of nested Frontpage webs using
> Sharepoint?]. In this case, it's a problem whether you use scripting or
> not. The trick is to have a good network-wide strategy for all
> permissions that's as simple as possible, but still secure.

Well, I agree with you 100% there. Of all of the possible combinations of
ACL primitives, some seem to be functionally identical (with some likely
gotchas in some cases), and some likely make no sense at all to use. We
basically use Full access only for administrators, and either read-only or
read/write for the users, avoiding NONE like the plague.

/Al
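An added example, not part of Al's post or his VBScript: a small Python decoder for the raw ACE dump he pasted above. It takes the "aceflgs" and "accessmask" columns, decodes them into the tags CACLS prints ((OI), (CI), (IO) and so on), applies the file-object generic mapping so that GENERIC_ALL (10000000) and FILE_ALL_ACCESS (001F01FF) are compared on equal terms, and then works out, per trustee, what each DACL grants on the folder itself and what it hands down to child files and subfolders. The sample dump is copied from the post; the constants are the standard Win32 values; the column interpretation ("aceflgs" decimal, "accessmask" hex, "flags" being the ADSI object-type flag field, which is 0 for file-system ACEs) is inferred from the dump and the matching CACLS output.

```python
import re

# AceFlags bits. CACLS prints them as the tags after the trustee name.
OBJECT_INHERIT_ACE       = 0x01   # (OI) inherited by files in the folder
CONTAINER_INHERIT_ACE    = 0x02   # (CI) inherited by subfolders
NO_PROPAGATE_INHERIT_ACE = 0x04   # (NP) not propagated past one level
INHERIT_ONLY_ACE         = 0x08   # (IO) does not apply to this object itself
INHERITED_ACE            = 0x10   # (I)  ACE came from the parent

# Access masks: file-specific rights and the generic bits that map onto them.
FILE_ALL_ACCESS      = 0x001F01FF
FILE_GENERIC_READ    = 0x00120089
FILE_GENERIC_WRITE   = 0x00120116
FILE_GENERIC_EXECUTE = 0x001200A0
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL = (
    0x80000000, 0x40000000, 0x20000000, 0x10000000)
GENERIC_MAPPING = ((GENERIC_READ, FILE_GENERIC_READ),
                   (GENERIC_WRITE, FILE_GENERIC_WRITE),
                   (GENERIC_EXECUTE, FILE_GENERIC_EXECUTE),
                   (GENERIC_ALL, FILE_ALL_ACCESS))
ACCESS_ALLOWED_ACE_TYPE = 0        # AceType column; the dump has no deny ACEs

FLAG_TAGS = ((OBJECT_INHERIT_ACE, "OI"), (CONTAINER_INHERIT_ACE, "CI"),
             (INHERIT_ONLY_ACE, "IO"), (NO_PROPAGATE_INHERIT_ACE, "NP"),
             (INHERITED_ACE, "I"))

# Constructed input: the script output from the post, verbatim.
DUMP = r"""
C:\Documents and Settings\Jon
no. flags aceflgs acetype accessmask trustee
1 0 0 0 001F01FF MYPC\Jon
2 0 0 0 001F01FF NT AUTHORITY\SYSTEM
3 0 0 0 001F01FF BUILTIN\Administrators
4 0 11 0 10000000 MYPC\Jon
5 0 11 0 10000000 NT AUTHORITY\SYSTEM
6 0 11 0 10000000 BUILTIN\Administrators
C:\Documents and Settings\Al
no. flags aceflgs acetype accessmask trustee
1 0 3 0 001F01FF BUILTIN\Administrators
2 0 3 0 001F01FF MYPC\Al
3 0 3 0 001F01FF NT AUTHORITY\SYSTEM
"""

def map_generic(mask):
    """Replace GENERIC_* bits with the file rights they stand for, which is
    what the kernel does before comparing a mask against a file or folder."""
    specific = mask & 0x0FFFFFFF
    for generic, mapped in GENERIC_MAPPING:
        if mask & generic:
            specific |= mapped
    return specific

def cacls_flags(aceflags):
    """Render AceFlags the way CACLS does, e.g. 11 -> '(OI)(CI)(IO)'."""
    return "".join("(%s)" % tag for bit, tag in FLAG_TAGS if aceflags & bit)

def cacls_rights(mask):
    """F for full control after generic mapping; anything else as hex."""
    m = map_generic(mask)
    return "F" if m == FILE_ALL_ACCESS else "0x%08X" % m

def parse_dump(text):
    """Parse the script output into {path: [ace, ...]}. 'aceflgs' is decimal
    (11 = OI|CI|IO), 'accessmask' is hex, trustee may contain spaces."""
    dacls, current = {}, None
    for line in text.strip().splitlines():
        line = line.strip()
        if re.match(r"^[A-Za-z]:\\", line):
            current = line
            dacls[current] = []
        elif line and not line.startswith("no."):
            _, flags, aceflags, acetype, mask, trustee = line.split(None, 5)
            dacls[current].append({"flags": int(flags), "aceflags": int(aceflags),
                                   "acetype": int(acetype), "mask": int(mask, 16),
                                   "trustee": trustee})
    return dacls

def render_cacls(ace):
    """One ACE in CACLS notation, e.g. 'NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)F'."""
    return "%s:%s%s" % (ace["trustee"], cacls_flags(ace["aceflags"]),
                        cacls_rights(ace["mask"]))

def effective_rights(aces):
    """Per trustee: allowed rights on the folder itself, rights child files
    will inherit, and rights subfolders will inherit (generic bits mapped)."""
    on_self, to_files, to_dirs = {}, {}, {}
    for ace in aces:
        if ace["acetype"] != ACCESS_ALLOWED_ACE_TYPE:
            continue
        t, f, m = ace["trustee"], ace["aceflags"], map_generic(ace["mask"])
        if not f & INHERIT_ONLY_ACE:           # IO ACEs skip the object itself
            on_self[t] = on_self.get(t, 0) | m
        if f & OBJECT_INHERIT_ACE:
            to_files[t] = to_files.get(t, 0) | m
        if f & CONTAINER_INHERIT_ACE:
            to_dirs[t] = to_dirs.get(t, 0) | m
    return on_self, to_files, to_dirs

if __name__ == "__main__":
    for path, aces in parse_dump(DUMP).items():
        print(path)
        for ace in aces:
            print("   ", render_cacls(ace))
        on_self, to_files, to_dirs = effective_rights(aces)
        for t in sorted(on_self):
            print("    %-25s self=%08X files=%08X subfolders=%08X"
                  % (t, on_self[t], to_files.get(t, 0), to_dirs.get(t, 0)))
```

Run as-is it reproduces the two CACLS listings from the post and then shows why the GUI cannot tell the folders apart: the Al folder uses one (OI)(CI) ACE per trustee that applies both to the folder and to its children, while the Jon folder splits the same grant into a non-inheritable ACE for the folder itself plus an (OI)(CI)(IO) ACE carrying GENERIC_ALL for the children. After generic mapping, SYSTEM and Administrators end up with 001F01FF on the folder, on inherited files and on inherited subfolders in both cases.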
