Guest mhossain
Posted

Hi,

Can anyone tell me how to restore folder security (those folders had been redirected using Group Policy)?

It will be really appreciated if anybody reads the following and tries to answer any part of the question.

Thanks in advance.

Let me explain the scenario. I had to redirect some profile folders to the D: partition of the user's local drive, namely Music, Videos and Pictures. To redirect using Group Policy I followed these steps:

1. Basic - Redirect everyone's folder to the same location
2. Target folder - Create a folder for each user under the root path
3. Root path - d:
4. Selected:
   a. Grant the user exclusive rights to Pictures/Music/Videos
   b. Move the contents of Pictures/Music/Videos to the new location
   c. Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems
   d. Redirect the folder back to the local user profile location when the policy is removed

As I have given exclusive rights to users, nobody has access to those folders except the respective user, not even the local computer admin (the admin of the computer the user is using). So, to gain access to those folders I had to take ownership of them, and I did the following steps:

1. Right-click the folder and select Properties
2. Select the Security tab
3. Click the Advanced button
4. Select the Owner tab
5. Click the Edit button
6. Select the local admin name
7. Check the "Replace owner on subcontainers and objects" check box

If these steps are wrong, can anybody tell me the correct steps? If these steps are right, then my next question is how I can restore folder security exactly as it was before I took ownership?

I mean, here I want to have the same security settings for that folder as it was after redirecting the folder: the user has exclusive rights and nobody else will have access to the folder, not even the local computer admin (the admin of the computer the user is using).
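As an added example (not part of the original post, and not the poster's own procedure), the same take-ownership steps scripted from an elevated prompt, with an ACL snapshot taken first and the policy's "exclusive rights" state rebuilt afterwards. The account name, folder path and backup file are placeholders. Folder Redirection's "Grant the user exclusive rights" option sets the owner to the user and gives Full Control to only that user and Local System, with inheritance from the parent removed; that is the state the restore step recreates.

```powershell
# Added example, not from the original thread. Adjust the placeholders below.
# Run from an elevated prompt as the local administrator.
$User      = 'CONTOSO\jdoe'        # assumed: the user the folder is redirected for
$Folder    = 'D:\jdoe\Pictures'    # assumed: the redirected folder
$AclBackup = 'C:\Temp\Pictures-acl.txt'   # assumed: where to keep the ACL snapshot

# 1. Before touching ownership, try to snapshot the DACLs of the subtree.
#    With "exclusive rights" the admin has no READ_CONTROL on the tree, so this
#    may fail with Access Denied; step 4 covers that case by rebuilding the state.
#    Saving "$Folder\*" makes the stored paths relative to $Folder for /restore.
New-Item -ItemType Directory -Force -Path (Split-Path $AclBackup) | Out-Null
icacls "$Folder\*" /save $AclBackup /T /C

# 2. Take ownership: the scripted equivalent of Properties > Security > Advanced
#    > Owner > Edit with "Replace owner on subcontainers and objects" ticked.
#    /A gives ownership to the Administrators group, /R recurses, /D Y answers
#    the prompt for folders the admin cannot list.
takeown /F $Folder /A /R /D Y

# 3. Ownership alone grants no read access, but the owner may change the DACL,
#    so grant Administrators Full Control on the tree for the duration of the work.
icacls $Folder /grant "Administrators:(OI)(CI)F" /T /C

# ... do whatever the admin needed to do in the folder here ...

# 4. Put the DACL back to what the redirection policy created: inheritance from
#    D:\ cut, and only the user and SYSTEM with Full Control on the whole tree.
#    /grant:r replaces the existing explicit ACEs instead of adding to them.
icacls $Folder /inheritance:r /grant:r "${User}:(OI)(CI)F" "SYSTEM:(OI)(CI)F" /T /C

# 5. If the snapshot in step 1 succeeded, re-apply any per-file ACLs that
#    differed from the folder default. Done while Administrators still owns
#    the tree, so the command can read and write every descriptor.
if (Test-Path $AclBackup) {
    icacls $Folder /restore $AclBackup /C
}

# 6. Verify while the admin can still read the descriptor: the output should list
#    only the user and NT AUTHORITY\SYSTEM.
icacls $Folder

# 7. Last step: hand ownership back to the user. Setting the owner to someone
#    other than yourself needs SeRestorePrivilege, which an elevated admin has.
#    After this the admin is locked out again, as the policy intended.
icacls $Folder /setowner $User /T /C
```

Step 7 is deliberately last: once ownership is back with the user, the admin can no longer read the ACL to check it, which is the same "locked out" state the question describes. If step 1 failed, step 4 alone reproduces the policy's ACL, but any ACEs the user had added by hand on individual files are lost.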

Guest cquirke (MVP Windows shell/user)
Posted

Re: Folder security

On Tue, 24 Jul 2007 03:44:01 -0700, mhossain

I'm not a pro-IT guru, so can't answer, but must ask...

>User has exclusive rights and nobody else will have access to the
>folder, not even the local computer admin

...does AV have access? Given that these folders are usually full-shared, and are still the dumping ground for incoming material ("My Received Files", the Send To "My Documents" etc.), the risk of malware pollution (and pollution of data backups) is a worry.

>--------------- ----- ---- --- -- - - -
To one who only has a hammer,
everything looks like a nail
>--------------- ----- ---- --- -- - - -

Guest mhossain
Posted

Re: Folder security

My apologies; to be honest I didn't understand your question and comment. Can you please explain?

Thanks

Ta.

"cquirke (MVP Windows shell/user)" wrote:

> On Tue, 24 Jul 2007 03:44:01 -0700, mhossain
>
> I'm not a pro-IT guru, so can't answer, but must ask...
>
> >User has exclusive rights and nobody else will have access to the
> >folder, not even the local computer admin
>
> ...does AV have access? Given that these folders are usually
> full-shared, and are still the dumping ground for incoming material
> ("My Received Files", the Send To "My Documents" etc.), the risk of
> malware pollution (and pollution of data backups) is a worry.
>
> >--------------- ----- ---- --- -- - - -
> To one who only has a hammer,
> everything looks like a nail
> >--------------- ----- ---- --- -- - - -

Guest cquirke (MVP Windows shell/user)
Posted

Re: Folder security

On Thu, 26 Jul 2007 20:16:02 -0700, mhossain

>My apologies; to be honest I didn't understand your
>question and comment. Can you please explain?

Sure - I was uncharacteristically terse. You said...

>> >User has exclusive rights and nobody else will have access to the
>> >folder, not even the local computer admin

...and I said...

>> ...does AV have access? Given that these folders are usually
>> full-shared, and are still the dumping ground for incoming material
>> ("My Received Files", the Send To "My Documents" etc.), the risk of
>> malware pollution (and pollution of data backups) is a worry.

There are three aspects here:

1) Data hygiene

Until Vista, MS saw no difference between high-risk incoming material and high-value personal data, mixing these together in the same "My Documents". With Vista, we at last see Documents and Downloads separated, but you still have incoming material routed into Documents, e.g. the "My Received Files" of most MS Instant Messaging apps.

Data and system management is usually over-simplified as "just backup" and "just wipe and rebuild", respectively. Both come up against what I used to call the "backup problem" (how to create a backup that magically includes all wanted changes and excludes all unwanted changes, for protection against undefined future problems).

I've since realized the "backup problem" is a basic scope issue that pervades not only backup, but also formal malware management and "just" wipe and rebuild. These two malware recovery approaches are usually seen as one-or-the-other, but the scoping issue is common to both, as well as keeping the PC uninfected thereafter.

2) Too secure to manage

Whereas (1) is a generic issue, (2) is particular to your approach and boosts the significance of (1). VPN is an example of problem (2), i.e. where an opaque tube secures traffic between the inside of one system and the inside of another such that no attacker can intercept traffic, yet this also bypasses all boundary defences between the inside of one system and the other. EFS can have the same effect.

Normally, "admin" or "system" rights trump or at least match user rights, so that an antivirus running with these rights can scan the user's material. If you un-nest these rights so that the system no longer has access to the user's material, you may break your antivirus's ability to scan and clean anything that comes in.

Malware is expected to start off with the rights of the user who either launched it, or who was logged on at the time it was launched by the system on the user's behalf. As such, even malware that was scoped out of the data set by attention to (1) could find and infect material within the data scope, using user rights.

An antivirus that lacked these rights would then not be able to scan or clean the infected data set, which would then embed the malware within backups of this data set.

3) Are your edges really edges?

It's meaningful to talk about a PC as distinct from the LAN, and the LAN as distinct from the Internet, only if there is separation between these, especially when attempting to manage malware on them.

Unfortunately, these edges can be dissolved by admin shares that expose all HD volumes to writes via names that are hidden from user visibility, but are predictable for malware automation. Malware that is "only" running with user rights may already be authenticated to traverse these shares, if the user has the right to do so.

Just as admin shares dissolve the edge between PCs on the same LAN, so WiFi and other wireless technologies can dissolve the separation between Internet and LAN (or more accurately, the LAN and the "outside world", given that local wireless attack is the risk here). For example, if you secure WiFi with a strong WPA key, yet use a loose password to secure the router from Ethernet access, malware can brute-force the router, look up the WPA key, and send it out.

The reason I raise (1) and (3) is because approaches such as (2) are usually part of a grand strategy to flatten natural scopes (e.g. the practical difference between keyboard and remote access) and replace these with artificial "security" scopes.

I know this is the only way to scale up for corporate networks to reduce their TCO, and thus it is the core thinking within NT. But it doesn't scale downwards very well, i.e. if you try to dumb down the expert skills investment required, the inherent fragility of artificial "security" scoping breaks down into exploitability.

This, in a nutshell, is the tragedy of NT in the consumer space.

See...

http://cquirke.blogspot.com/2005/04/use-hard-scopes-as-natural-cover.html

...if more is needed on this last issue.

>-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
>----------------------- ------ ---- --- -- - - - -
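As an added check (not part of the reply above, and not cquirke's code), points (2) and (3) can be answered on the machine itself rather than argued about: does the Local System account, which on-access scanners normally run as, and does the Administrators group still hold an ACE on the redirected folder, and which hidden administrative shares expose the drives. The folder path is a placeholder. With the "exclusive rights" option the redirection policy leaves Local System with Full Control alongside the user; the script shows whether that is still true after the manual ownership changes.

```powershell
# Added example, not from the original thread. Reports which of the accounts an
# antivirus or admin tool typically runs as still hold an ACE on a redirected
# folder, and lists the hidden administrative shares on the machine.
$Folder = 'D:\jdoe\Pictures'   # assumed: path of the redirected folder

function Test-FolderAccess {
    param([string]$Path)
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # No READ_CONTROL for the caller: the calling account itself is locked out,
        # which is already the answer for that account.
        Write-Output "$Path : cannot read the security descriptor as $env:USERNAME ($_)"
        return
    }
    Write-Output "Owner: $($acl.Owner)"
    # The policy severs inheritance from D:\; if this is False, ACEs on the drive
    # root (e.g. Users or Administrators) are flowing back down into the folder.
    Write-Output "Inheritance from parent blocked: $($acl.AreAccessRulesProtected)"
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $principal }
        if ($aces) {
            foreach ($ace in $aces) {
                Write-Output ("{0}: {1} {2}" -f $principal, $ace.AccessControlType, $ace.FileSystemRights)
            }
        } else {
            Write-Output "${principal}: no ACE (locked out unless it is the owner or a group ACE applies)"
        }
    }
}

Test-FolderAccess -Path $Folder

# Hidden admin shares: on a default install every fixed drive is exposed as
# <letter>$ plus ADMIN$ (the Windows directory) and IPC$. They are reachable by
# any account in the remote machine's Administrators group, under names malware
# can guess without asking the user. Win32_Share exists on XP/2003 as well.
Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Name -like '*$' } |
    Select-Object Name, Path, Description |
    Format-Table -AutoSize
```

Run as the logged-on admin, the first call tells you what an admin-launched scan sees; to see what the on-access engine sees, run the same function as Local System, for example through Sysinternals `psexec -s -i powershell.exe`. If the share list shows `D$` and the folder still inherits from `D:\`, the "exclusive" folder is only as private as the drive-root ACL and the Administrators password on every machine that can reach the share.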
