Re: MCSA/MCSE Self-training book from MS PRESS for exam 70-215 incorrect on file permission questions?

From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 03/24/04


Date: Tue, 23 Mar 2004 19:56:27 -0800

NTFS permissions don't always trump share perms. A user's permissions on
one of them are going to be the greatest allowed by group membership minus
anything denied. The sum of the permissions granted going through both file
and share will be only the ones granted by both.

Aren't members of both groups also members of Everyone?

Result:
- Accounting group has full control via NTFS and full control via the share
('cause they're part of Everyone).
- AccountAdmin group has same.

That said, I can't say that I entirely like the wording of the test
question. I had to read it a couple of times before I could tell what "only
..." and "specified files" was supposed to mean for certain.

-- 
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Leonard Hopkins" <leonard.hopkins@lphopkins.com> wrote in message
news:Sy08c.76470$_w.1033915@attbi_s53...
> I have been working on my MCSE on my own and flaws like this don't make it
> any easier. I could be wrong and hope that I am but a sample test question
> on page 962 goes as follows.
>
> 70-215.02.03.003
>
> You are the administrator of a Windows 2000 Server computer that is
> configured with a 10-GB FAT32 partition on its only hard disk. The partition
> includes the AccountingDept folder, which contains documents specific to the
> accounting department. You create two user groups: the Accounting group and
> the AccountAdmin group. The Accounting group includes all members of the
> Accounting department.
>
> The AccountAdmin group includes about 10 members of the Accounting
> department who manage accounting-related documents.
>
> You want to accomplish the following goals:
>
> - Only the Accounting group should have read-only access to content in the
> AccountingDept folder.
>
> - Only the AccountAdmin group should have full control over content in the
> AccountingDept folder.
>
> - Only the Accounting group and the AccountAdmin group should have full
> control over specified files in the AccountingDept folder.
>
> You convert the FAT32 partition to an NTFS partition and share the
> AccountingDept folder. You implement share-level security for the
> AccountingDept folder by granting Read permission to the Accounting group
> and by granting Full Control permission to the AccountAdmin group. You
> implement NTFS permissions on the specified files within the AccountingDept
> folder, granting full control to members of the Accounting group and the
> AccountAdmin group and removing the Everyone group.
>
> Which result or results does your installation achieve?
>
> A. Only the Accounting group will have read-only access to content in the
> AccountingDept folder.
>
> B. Only the AccountAdmin group will have full control over content in the
> AccountingDept folder.
>
> C. Only the Accounting group and the AccountAdmin group will have full
> control over specified files in the AccountingDept folder.
>
> D. The proposed solution does not meet any of the required results.
>
> The book answer states the only correct answer is D. How can this be? I
> don't care what folder you share, as long as you have NTFS permissions on
> the folder and its contents, this trumps any shared permission. I have
> demonstrated this exactly in my lab. Domain admins can't gain access to a
> shared folder as described in the preceding scenario after I set the folder
> and file permissions to full control by the Accounting and AccountAdmin
> groups. It doesn't matter that the "EVERYONE" group has full control on
> share permissions, only the groups with the appropriate NTFS permission have
> authority. If not, then the whole NTFS security concept is a fantasy. I
> would like this addressed by someone from Microsoft. If I am wrong, please
> show me where. If I am correct, then I would like to know how flawed
> questions make it into training books and possibly even tests.
>
> MCSE Training Kit-Microsoft Windows 2000 Server
>
> 70-215.02.03.003
>
> ~ Correct Answers: D
>
> A. Incorrect: A shared folder is used to provide network users with access
> to file resources. When a folder is shared, users can connect to the folder
> over the network and gain access to the files that it contains. However,
> although the Accounting group has been granted Read permission to the shared
> folder, all other network users will have full control over the content
> because the Everyone group was not removed from the share permissions. By
> default, the Everyone group is granted Full Control permission to a shared
> folder. If you grant Read permission to the members of the Accounting group,
> these users will be granted read-only access to all content within the
> shared folder, including subfolders and all files. Read permission allows
> users to display folder names, filenames, file data, and file attributes;
> run program files; and change folders within the shared folders. However,
> Full Control permission allows users to change file permissions, take
> ownership of files, create folders, add files to folders, change data in
> files, append data to files, change file attributes, delete folders and
> files, and perform all actions permitted by the Read permission. Users who
> are members of the Accounting group are also, by default, members of the
> Everyone group. When multiple permissions are granted to a resource, the
> most restrictive permissions apply.
>
> B. Incorrect: Although the AccountAdmin group has been granted Full Control
> permission to the shared folder, all other network users will have full
> control over the content because the Everyone group was not removed from the
> share permissions. By default, the Everyone group is granted Full Control
> permission to a shared folder. As a result, you must remove the Everyone
> group if you want to restrict access to the share; otherwise, all users on
> the network will have full control over all content in the shared folder
> except those users who are specifically allowed or denied specific
> permissions.
>
> C. Incorrect: Although the AccountAdmin group will have full control over
> the specified files, the Accounting group will not because the Accounting
> group was granted read-only access at the share level. If share rights are
> configured for a shared folder and NTFS permissions are configured for
> folders or files within that shared folder, the most restrictive rights
> become the user's effective rights. So even though the Accounting group has
> been granted full control over the files, it still has read-only access to
> those files. Another problem is that the Everyone group has full control
> over the entire folder, so the AccountAdmin and Accounting groups are not
> the only ones who will have full control over the specified files. In
> general, you should use either share permissions or NTFS permissions, but
> not both. Using both significantly increases the complexity of resolving
> access permissions for network resources. NTFS permissions are preferred
> because they can be set on both files and folders.
>
> D. Correct: The proposed solution fails to meet any of the requirements
> because the Everyone group was not removed from the share permission, which
> granted all network users full control over all content in the shared
> folder. In addition, the solution fails because Read permission was granted
> to the Accounting group at a share level, but Full Control permission was
> granted to the group for individual files, and the share-level Read
> permission overrides the NTFS-Level Full Control permission for those files.
>
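An added model of the resolution rule Drew describes above (on each layer, a user gets everything any of their groups is allowed minus anything denied; over the network the result is what both the share ACL and the NTFS ACL allow). This is example code written for this page, not from either poster or from Microsoft; the user names, group memberships and the "specified files" ACLs are constructed from the question's scenario.

```python
# Model of Windows share + NTFS permission resolution for the 70-215 scenario.
# Rights are modelled as sets; Full Control implies Read and Change.
READ = frozenset({"read"})
CHANGE = frozenset({"read", "write"})
FULL = frozenset({"read", "write", "full"})
EVERYONE = "Everyone"

# Constructed sample accounts: alice is in Accounting only, bob in both groups,
# mallory in neither. Every user is implicitly a member of Everyone.
GROUPS = {"alice": {"Accounting"},
          "bob": {"Accounting", "AccountAdmin"},
          "mallory": set()}

# Share ACL exactly as the question configures it: the default Everyone
# Full Control entry was never removed, so it sits beside the two grants.
SHARE_AS_CONFIGURED = [(EVERYONE, "allow", FULL),
                       ("Accounting", "allow", READ),
                       ("AccountAdmin", "allow", FULL)]
# The same share with the default Everyone entry removed (what the book expects).
SHARE_EVERYONE_REMOVED = SHARE_AS_CONFIGURED[1:]
# NTFS ACL on the "specified files": both groups Full Control, Everyone removed.
FILE_NTFS = [("Accounting", "allow", FULL), ("AccountAdmin", "allow", FULL)]


def layer_effective(acl, user, groups=GROUPS):
    """Effective rights from one ACL: the union of allows for every principal
    the user matches (the user, their groups, Everyone) minus the union of
    denies. An ACL entry is (principal, 'allow' | 'deny', rights)."""
    who = {user, EVERYONE} | groups.get(user, set())
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in who:
            (allowed if kind == "allow" else denied).update(rights)
    return frozenset(allowed - denied)


def effective(user, ntfs_acl, share_acl=None):
    """Network access is the intersection of the two layers. share_acl=None
    models local (console) access, where only NTFS permissions apply."""
    ntfs = layer_effective(ntfs_acl, user)
    if share_acl is None:
        return ntfs
    return ntfs & layer_effective(share_acl, user)


if __name__ == "__main__":
    for user in GROUPS:
        print(user, sorted(effective(user, FILE_NTFS, SHARE_AS_CONFIGURED)))
```

With the share as configured, alice (Accounting only) ends up with Full Control on the specified files because Everyone still carries Full Control on the share, which is Drew's point; mallory still gets nothing, which matches Leonard's lab result; only once the Everyone entry is removed does alice drop to Read, the case the book's answer C describes.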

