Re: Share Permissions vs NTFS Permissions




"Pegasus" <I.can@xxxxxxx> wrote in message
news:ONMee0RsHHA.4796@xxxxxxxxxxxxxxxxxxxxxxx

"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:exh23TRsHHA.484@xxxxxxxxxxxxxxxxxxxxxxx

"Pegasus" <I.can@xxxxxxx> wrote in message
news:eGVHXKRsHHA.1408@xxxxxxxxxxxxxxxxxxxxxxx


NTFS permissions are sufficiently powerful to keep out
unauthorised users. I'd be interested to hear why you are
so strongly in favour of a belt-and-braces approach.

I already gave you the why -- re-read the message.

I was hoping for a little more substance. When I apply
permissions then I check them, same as I check all my
other work. If I detect a mistake then I prefer to correct
it instead of adding a second security layer which offers
far less flexibility or granularity than ACLs.

Security principle: Never grant more security privileges than
necessary, even with the INTENT to restrict them later.

Always grant the minimum privileges at each opportunity.

Always grant privileges to ONLY those who specifically need
them.

You may in fact get the NTFS perfect -- but the fact that you
have to check them (and you should) implies you COULD be
wrong. Don't take such chances unnecessarily and don't recommend
that others (who may not be as careful as you) do so as a GENERAL
rule.

Recommend the tightest possible (practical) settings, with privileges
being granted as EXCEPTIONS whenever possible.

This is the way good security works more reliably.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)

Just because I ***might*** forget to do up my belt does
not necessarily mean that I wear braces.

It does if you really care about your security, your business and
your resources, as opposed to the mild discomfort or embarrassment
that will ensue if your pants are droopy or even fall off.

And notice, it's actually a figure of speech to refer to someone who is
serious about getting things right as "a belt and suspenders man".

It seems you do
(or at least you recommend to the OP that he does).

Also notice that "belt and suspenders" must be added, but we are
discussing built-in security and my GENERAL recommendation is
to NEVER give MORE privilege than necessary and never give
privileges to people (groups) who don't require that access.

People who are serious about security follow this as a general
principle:

Lock everything down; grant only the privileges required.
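
As an added example that is not part of the original thread: a PowerShell check for the situation under debate, a share whose share-level permissions give a broad group write access so that the NTFS ACL is the only control left. The list of broad principals, the function name and the sample rows are assumptions constructed for illustration; the rows mimic the properties returned by Get-SmbShareAccess.

```powershell
# Added example, not code from the thread.
# Assumption: these principals count as "broad"; adjust for your domain.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

function Find-LooseShareGrant {
    # Hypothetical helper: returns one finding per share-level Allow entry
    # that gives a broad principal Change or Full access.
    param(
        [Parameter(Mandatory)] [object[]] $ShareAccess,
        [string[]] $Broad = $BroadPrincipals
    )
    foreach ($ace in $ShareAccess) {
        # Deny entries only tighten access, so skip them.
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        # Narrow groups are grants by exception, which is the goal.
        if ($Broad -notcontains $ace.AccountName) { continue }
        # Read-only at the share caps network access even if NTFS is too loose.
        if ("$($ace.AccessRight)" -notin 'Full', 'Change') { continue }
        [pscustomobject]@{
            Share   = $ace.Name
            Account = $ace.AccountName
            Right   = "$($ace.AccessRight)"
            Finding = 'Broad write access at share level; NTFS is the only remaining control'
        }
    }
}

# Constructed sample rows shaped like Get-SmbShareAccess output.
$sample = @(
    [pscustomobject]@{ Name = 'Finance'; AccountName = 'Everyone'
                       AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ Name = 'Finance'; AccountName = 'CONTOSO\Finance-RW'
                       AccessControlType = 'Allow'; AccessRight = 'Change' }
    [pscustomobject]@{ Name = 'Public'; AccountName = 'Everyone'
                       AccessControlType = 'Allow'; AccessRight = 'Read' }
    [pscustomobject]@{ Name = 'HR'; AccountName = 'BUILTIN\Users'
                       AccessControlType = 'Deny'; AccessRight = 'Full' }
)

# Only the Finance / Everyone / Full row is reported.
Find-LooseShareGrant -ShareAccess $sample | Format-Table -AutoSize

# Against a live file server (requires the SmbShare module):
# Find-LooseShareGrant -ShareAccess (Get-SmbShare -Special $false | Get-SmbShareAccess)
```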


