Re: (mayayana) RE: NT Permissions
- From: Eduardo <mm@xxxxxx>
- Date: Mon, 31 Aug 2009 04:28:50 -0300
Nobody wrote:
> You may want to check these articles:
> How to Shoot Yourself in the Foot with Security, Part 1
> http://technet.microsoft.com/en-us/library/cc512612.aspx
> How to Shoot Yourself in the Foot with Security, Part 2: To ACL or Not to ACL
> http://technet.microsoft.com/en-us/library/cc512610.aspx
Thanks, I read the second one. Good article.
There were some things that I've been naming incorrectly in my previous posts.
Some extracts from the article:
*) "ACL stands for Access Control List"
*) "An ACL is simply a list of Access Control List Entries (ACE). Each ACL contains 0 or more ACEs. If no ACEs are present in the ACL then no user has the type of access represented by the ACL."
-- So... what I've been calling 'an ACL entry', in fact, is an ACE. The ACL is the list of all the ACEs for the object.
*) "ACLs are used to control subjects' access to objects. The terms subject and object here deserve defining. A subject is basically a security principal in the system. It could be a user, or some other identifiable entity, such as a program. For example, as part of the service hardening work in Windows Vista, a service will now be an identifiable entity that can have permissions associated with it.
An object is any securable entity. In Windows NT-based operating systems, such as Windows 2000, Windows XP, and Windows Server 2003, essentially any object can be secured. This includes things we think about every day, such as files, registry keys, and Active Directory objects; as well as things we do not (unless we are programmers), such as named pipes, mutexes, critical sections, processes, SAM objects, and services."
*) "Unfortunately, many people also fail to understand that if you set incorrect ACLs there are few ways to recover. In fact, if you destroy the default DACLs on the operating system files, there is really only one guaranteed rollback tool:
Format c:
There is no way to roll back ACLs in an automated way. You can certainly export ACLs, and there are tools that do that. There are even tools that will stamp those ACLs back on the objects. However, none of them know what to do with objects that did not exist when the snapshot was taken, or with objects which have deliberately had their ACL changed since the snapshot was taken."
-- Access Enum
*) "The second tool is Access Enum from Sysinternals. Access Enum is fairly simple really: it will enumerate all subfolders, files, or registry keys, which have permissions different from its parent. It can be very useful as a quick check to spot obvious problems."
-- Download link: http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx
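An added illustration of the two points above (an ACL being a list of ACEs, and the AccessEnum idea of flagging objects whose permissions differ from their parent's), written for this page and not taken from the thread, the TechNet article or Sysinternals. It is a small PowerShell script that walks a directory tree, reads each object's DACL with Get-Acl, summarises it as a set of (identity, rights, allow/deny) ACEs with inheritance flags ignored, and reports every file or folder whose set differs from its parent's or which has inheritance disabled. The starting path is an assumption; the set comparison is an approximation of what AccessEnum does and can flag some inherit-only ACEs on folders as differences.

```powershell
# AccessEnum-style check (added example, not the tool itself).
# Assumed starting point; change it to the tree you want to inspect.
param(
    [string]$Root = 'C:\Temp\aclcheck'
)

# Summarise an object's DACL as the set of its ACEs. Each entry returned by
# $acl.Access is one ACE; the ACL is the whole collection. Inheritance flags
# are ignored so that an ACE inherited by a child compares equal to the
# explicit ACE on its parent.
function Get-AceSet {
    param([string]$Path)
    $acl  = Get-Acl -LiteralPath $Path
    $keys = @{}
    foreach ($ace in $acl.Access) {
        $key = '{0}|{1}|{2}' -f $ace.IdentityReference.Value,
                                 [int]$ace.FileSystemRights,
                                 $ace.AccessControlType
        $keys[$key] = $true
    }
    return [pscustomobject]@{
        Keys      = @($keys.Keys)
        Protected = $acl.AreAccessRulesProtected   # true when inheritance is disabled
    }
}

# Walk the tree and report objects whose ACE set deviates from the parent's.
function Find-AclDeviations {
    param([string]$Root)
    $results = @()
    $cache   = @{}   # parent path -> ACE set, to avoid re-reading parents
    $items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        $parent = Split-Path -LiteralPath $item.FullName -Parent
        if (-not $cache.ContainsKey($parent)) {
            $cache[$parent] = Get-AceSet -Path $parent
        }
        $child      = Get-AceSet -Path $item.FullName
        $parentKeys = $cache[$parent].Keys
        $childKeys  = $child.Keys
        $onlyChild  = @($childKeys  | Where-Object { $parentKeys -notcontains $_ })
        $onlyParent = @($parentKeys | Where-Object { $childKeys  -notcontains $_ })
        if ($child.Protected -or $onlyChild.Count -gt 0 -or $onlyParent.Count -gt 0) {
            $results += [pscustomobject]@{
                Path      = $item.FullName
                Protected = $child.Protected
                Added     = ($onlyChild  -join '; ')   # ACEs present here but not on the parent
                Missing   = ($onlyParent -join '; ')   # ACEs on the parent but not here
            }
        }
    }
    return $results
}

Find-AclDeviations -Root $Root | Format-Table -AutoSize -Wrap
```

Run it as an administrator so that every object's DACL can be read; objects that cannot be read are skipped silently by Get-ChildItem. Because it only compares an object with its immediate parent, a deliberate change at one folder shows up once, at that folder, while everything beneath it that simply inherits the change stays quiet, which is exactly the "differs from its parent" behaviour the article describes for AccessEnum.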