Folder security

[mhossain]

Hi,
Can anyone tell me how to restore folder security (Those folder had been
redirected using group policy)?

It will be really appreciatable if anybody reads the following and tries to
answer any part of the question.
Thanks in Advance

Let me explain the scenario, I had to redirect some Profile folder to the D:
partition of the users local drive. Namely Music, Videos, Pictures. To
redirect using Group Policy I have followed following steps
1.Basic – Redirect everyone’s folder to the same location
2.Target folder - Create a folder for each user under the root path
3.Root Path - d:
4.Selected
a. Grant the user exclusive rights to Pictures/ Music/ Videos
b. Move the contents of Pictures/ Music/ Videos to the new
location.
c. Also apply redirection policy to Windows 2000, Windows 2000
Server, Windows XP, and Windows Server 2003 operation
systems.
d. Redirect the folder back to the local user profile location
when policy is
removed.

As I have given exclusive rights to users nobody has access to those folders
except the respective user. Not even the local computer admin (admin for the
computer user is using). So, to gain access of those folders I had to take
ownership of those folders and I did the following steps
1.Right click the folder and select properties
2.Select Security Tab
3.Click Advanced button
4.Select the Owner Tab
5.Click the Edit Button.
6.Select the local admin name.
7.Checked the Replace owner on subcontainers and objects check box.

If these steps are wrong can anybody tell me the correct steps? If these
steps is right than my next question is how I can restore folder security
exactly as it was before I have taken the ownership?

I mean here I want to have same Security features for that folder as it was
after redirecting the folder. User has exclusive rights and nobody else will
have access to the folder, not even the local computer admin (admin for the
computer user is using).

 

[cquirke (MVP Windows shell/user)]

On Tue, 24 Jul 2007 03:44:01 -0700, mhossain

I'm not a pro-IT guru, so can't answer, but must ask...

>User has exclusive rights and nobody else will have access to the
>folder, not even the local computer admin

....does av have access? Given that these folders are usually
full-shared, and are still the dumping ground for incoming material
("My Received Files", the Send To "My Documents" etc.), the risk of
malware pollution (and pollution of data backups) is a worry.



>--------------- ----- ---- --- -- - - -
To one who only has a hammer,
everything looks like a nail
>--------------- ----- ---- --- -- - - -

 

[mhossain]

My apology, to be honest I didn’t understand your question and comment. Can
you please explain?

Thanks
Ta.



"cquirke (MVP Windows shell/user)" wrote:

> On Tue, 24 Jul 2007 03:44:01 -0700, mhossain
>
> I'm not a pro-IT guru, so can't answer, but must ask...
>
> >User has exclusive rights and nobody else will have access to the
> >folder, not even the local computer admin
>
> ....does av have access? Given that these folders are usually
> full-shared, and are still the dumping ground for incoming material
> ("My Received Files", the Send To "My Documents" etc.), the risk of
> malware pollution (and pollution of data backups) is a worry.
>
>
>
> >--------------- ----- ---- --- -- - - -
> To one who only has a hammer,
> everything looks like a nail
> >--------------- ----- ---- --- -- - - -
>

 

[cquirke (MVP Windows shell/user)]

On Thu, 26 Jul 2007 20:16:02 -0700, mhossain

>My apology, to be honest I didn’t understand your
>question and comment. Can you please explain?

Sure - I was uncharactaristically terse. You said...

>> >User has exclusive rights and nobody else will have access to the
>> >folder, not even the local computer admin

....and I said...

>> ....does av have access? Given that these folders are usually
>> full-shared, and are still the dumping ground for incoming material
>> ("My Received Files", the Send To "My Documents" etc.), the risk of
>> malware pollution (and pollution of data backups) is a worry.

There are three aspects here:

1) Data hygiene

Until Vista, MS saw no difference between hi-risk incoming material
and hi-value personal data, mixing these together in the same "My
Documents". With Vista, we at last see Documents and Downloads
separated, but you still have incoming material routed into Documents,
e.g. the "My Recieved Files" of most MS Instant Messaging apps.

Data and system management is usually over-simplified as "just backup"
and "just wipe and rebuild", respectively. Both come up against what
I used to call the "backup problem" (how to create a backup that
magically includes all wanted changes and excludes all unwanted
changes, for protectrion against undefined future problems).

I've since realized the "backup problem" is a basic scope issue that
pervades not only backup, but also formal malware management and
"just" wipe and rebuild. These two malware recovery approaches are
usually seen as one-or-the-other, but the scoping issue is common to
both, as well as keeping the PC uninfected thereafter.

2) Too secure to manage

Whereas (1) is a generic issue, (2) is particular to your approach and
boosts the significance of (1). VPN is an example of problem (2),
i.e. where an opaque tube secures traffic between the inside of one
system to the inside of another such that no attacker can intercept
traffic, yet this also bypasses all boundary defences between the
inside of one system and the other. EFS can have the same effect.

Normally, "admin" or "system" rights trump or at least match user
rights, so that an antivirus running with these rights can scan the
user's material. If you un-nest these rights so that the system no
longer has access to the user's material, you may break your
antivirus's ability to scan and clean anything that comes in.

Malware is expected to start off with the rights of the user who
either launched it, or who was logged on at the time it was launched
by the system on the user's behalf. As such, even malware that was
scoped out of the data set by attention to (1), could find and infect
material within the data scope, using user rights.

An antivirus that lacked these rights would then not be able to scan
or clean the infected data set, which would then embed the malware
within backups of this data set.

3) Are your edges, really edges?

It's meaningful to talk about a PC as distinct from the LAN, and the
LAN as distinct from the Internet, only if there is separation between
these, especially when attempting to manage malware on them.

Unfortunately, these edges can be dissolved by admin shares that
expose all HD volumes to writes via names that are hidden from user
visibility, but are predictable for malware automation. Malware that
is "only" running with user rights may already be authenticated to
traverse these shares, if the user has the right to do so.

Just as admin shares dissolve the edge between PCs on the same LAN, so
WiFi and other wireless technologies can dissolve the separation
between Internet and LAN (or more accurately, the LAN and the "outside
world", given that local wireless attack is the risk here). For
example, if you secure WiFi with a strong WPA key, key use a loose
password to secure the router from Ethernet access, malware can
brute-force the router, look up the WPA key, and send it out.


The reason I raise (1) and (3) is because approaches such as (2) are
usually part of a grand strategy to flatten natural scopes (e.g. the
practical difference between keyboard and remote access) and replace
these with artificial "security" scopes.

I know this is the only way to scale up for corporate networks to
reduce their TCO, and thus it is the core thinking within NT. But it
doesn't scale downwards very well, i.e. if you try to dumb down the
expert skills investment required, the inherent fragility of
artificial "security" scoping breaks down into exploitability.

This, in a nutshell, is the tragedy of NT in the consumer space.

See...

http://cquirke.blogspot.com/2005/04/use-hard-scopes-as-natural-cover.html

....if more is needed on this last issue.


>-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
>----------------------- ------ ---- --- -- - - - -