Guest mhossain
Posted July 24, 2007

Hi,

Can anyone tell me how to restore folder security (those folders had been redirected using Group Policy)? It will be really appreciated if anybody reads the following and tries to answer any part of the question. Thanks in advance.

Let me explain the scenario. I had to redirect some profile folders to the D: partition of the users' local drive, namely Music, Videos, Pictures. To redirect using Group Policy I followed these steps:

1. Basic – Redirect everyone's folder to the same location
2. Target folder - Create a folder for each user under the root path
3. Root Path - d:
4. Selected:
   a. Grant the user exclusive rights to Pictures/Music/Videos
   b. Move the contents of Pictures/Music/Videos to the new location.
   c. Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems.
   d. Redirect the folder back to the local user profile location when policy is removed.

As I have given exclusive rights to users, nobody has access to those folders except the respective user, not even the local computer admin (admin for the computer the user is using). So, to gain access to those folders I had to take ownership of those folders, and I did the following steps:

1. Right-click the folder and select Properties
2. Select the Security tab
3. Click the Advanced button
4. Select the Owner tab
5. Click the Edit button.
6. Select the local admin name.
7. Check the "Replace owner on subcontainers and objects" check box.

If these steps are wrong, can anybody tell me the correct steps? If these steps are right, then my next question is how I can restore folder security exactly as it was before I took ownership. I mean here I want to have the same security settings for that folder as it was after redirecting the folder: the user has exclusive rights and nobody else will have access to the folder, not even the local computer admin (admin for the computer the user is using).
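The procedure the poster describes (take ownership through the Advanced Security dialog, do the maintenance, then put the exclusive-rights ACL back) can be scripted so that nothing about the original DACL has to be reconstructed from memory. The block below is an added example, not code from the thread or from any poster. It assumes the layout described above (folders redirected to D:\<user>\Pictures and so on), that ownership has already been taken through the GUI steps, and that icacls.exe is available (Vista / Server 2003 SP2 or later); the account names and paths are placeholders. The key observation it relies on is that taking ownership changes only the owner, not the DACL, and an owner can always read and write a DACL, so the post-redirection DACL can be snapshotted as SDDL before anything else is touched. The documented effect of the "Grant the user exclusive rights" option is Full Control for the user and for the Local System account and no other entries, which is what the check at the end verifies.

```powershell
# Added example, not from the original thread. Assumes the poster's layout
# (folders redirected to D:\<user>\Pictures etc.), that ownership has already
# been taken through the GUI steps above, and that icacls.exe is available
# (Vista / Server 2003 SP2 or later). Account names and paths are placeholders.

# Step 1: record the DACL of every item in the tree as SDDL, one line per path.
# Taking ownership changes only the owner, not the DACL, and the new owner can
# always read a DACL (READ_CONTROL is implied for owners), so this snapshot
# still reflects what Folder Redirection set up.
function Export-TreeDacl {
    param([Parameter(Mandatory=$true)][string]$Root,
          [Parameter(Mandatory=$true)][string]$OutFile)
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    $lines = foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        '{0}|{1}' -f $item.FullName, $acl.GetSecurityDescriptorSddlForm('Access')
    }
    $lines | Set-Content -LiteralPath $OutFile -Encoding UTF8
    return @($lines).Count
}

# Step 2: give the administrator a temporary, inheritable Full Control entry so
# the maintenance work can be done. The DACL restore below removes it again.
function Grant-TemporaryAccess {
    param([Parameter(Mandatory=$true)][string]$Root,
          [Parameter(Mandatory=$true)][string]$Account)
    $acl  = Get-Acl -LiteralPath $Root
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Root -AclObject $acl
}

# Step 3: put the recorded DACLs back exactly as they were. The administrator is
# still the owner at this point, so writing the DACL is permitted even though
# the restored DACL grants the administrator nothing.
function Restore-TreeDacl {
    param([Parameter(Mandatory=$true)][string]$InFile)
    foreach ($line in Get-Content -LiteralPath $InFile) {
        $path, $sddl = $line -split '\|', 2
        $acl = Get-Acl -LiteralPath $path
        $acl.SetSecurityDescriptorSddlForm($sddl)
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}

# Step 4: verify the DACL before handing ownership back. The exclusive-rights
# option leaves Full Control for the user and for SYSTEM and no other entries.
function Test-ExclusiveDacl {
    param([Parameter(Mandatory=$true)][string]$Path,
          [Parameter(Mandatory=$true)][string]$User)
    $acl   = Get-Acl -LiteralPath $Path
    $names = @($acl.Access | ForEach-Object { $_.IdentityReference.Value })
    $extra = @($names | Where-Object { $_ -ne $User -and $_ -ne 'NT AUTHORITY\SYSTEM' })
    New-Object PSObject -Property @{
        Path       = $Path
        Principals = ($names | Sort-Object -Unique) -join ', '
        Extra      = $extra -join ', '
        Exclusive  = ($extra.Count -eq 0)
    }
}

# Step 5: hand ownership of the whole tree back to the user. Setting the owner
# to a different principal needs SeRestorePrivilege, which icacls enables for an
# elevated administrator. After this the administrator has no access again.
function Set-TreeOwner {
    param([Parameter(Mandatory=$true)][string]$Root,
          [Parameter(Mandatory=$true)][string]$Owner)
    & icacls.exe $Root /setowner $Owner /T /C | Out-Null
    return $LASTEXITCODE
}

# Usage (run from an elevated prompt; replace the placeholder names and paths):
#   Export-TreeDacl -Root 'D:\jdoe\Pictures' -OutFile 'C:\acl-backup\jdoe-pictures.txt'
#   Grant-TemporaryAccess -Root 'D:\jdoe\Pictures' -Account 'BUILTIN\Administrators'
#   ... maintenance work ...
#   Restore-TreeDacl -InFile 'C:\acl-backup\jdoe-pictures.txt'
#   Test-ExclusiveDacl -Path 'D:\jdoe\Pictures' -User 'DOMAIN\jdoe'
#   Set-TreeOwner -Root 'D:\jdoe\Pictures' -Owner 'DOMAIN\jdoe'
```

The order matters: the check runs after the DACL restore but before the owner handover, because once the user owns the tree again the administrator has no entry in the DACL and Get-Acl will fail with access denied. That failure is not a bug; it is the state the poster wants to return to. Keep the SDDL snapshot file somewhere the user cannot modify, since it is what a later restore will be trusted to reproduce.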
Guest cquirke (MVP Windows shell/user)
Posted July 26, 2007

Re: Folder security

On Tue, 24 Jul 2007 03:44:01 -0700, mhossain

I'm not a pro-IT guru, so can't answer, but must ask...

> User has exclusive rights and nobody else will have access to the
> folder, not even the local computer admin

....does av have access? Given that these folders are usually full-shared, and are still the dumping ground for incoming material ("My Received Files", the Send To "My Documents" etc.), the risk of malware pollution (and pollution of data backups) is a worry.

>--------------- ----- ---- --- -- - - -
To one who only has a hammer, everything looks like a nail
>--------------- ----- ---- --- -- - - -
Guest mhossain
Posted July 27, 2007

Re: Folder security

My apologies, to be honest I didn't understand your question and comment. Can you please explain?

Thanks

Ta.

"cquirke (MVP Windows shell/user)" wrote:

> On Tue, 24 Jul 2007 03:44:01 -0700, mhossain
>
> I'm not a pro-IT guru, so can't answer, but must ask...
>
> > User has exclusive rights and nobody else will have access to the
> > folder, not even the local computer admin
>
> ....does av have access? Given that these folders are usually
> full-shared, and are still the dumping ground for incoming material
> ("My Received Files", the Send To "My Documents" etc.), the risk of
> malware pollution (and pollution of data backups) is a worry.
>
> >--------------- ----- ---- --- -- - - -
> To one who only has a hammer,
> everything looks like a nail
> >--------------- ----- ---- --- -- - - -
Guest cquirke (MVP Windows shell/user)
Posted August 1, 2007

Re: Folder security

On Thu, 26 Jul 2007 20:16:02 -0700, mhossain

> My apology, to be honest I didn't understand your
> question and comment. Can you please explain?

Sure - I was uncharacteristically terse. You said...

>> > User has exclusive rights and nobody else will have access to the
>> > folder, not even the local computer admin

....and I said...

>> ....does av have access? Given that these folders are usually
>> full-shared, and are still the dumping ground for incoming material
>> ("My Received Files", the Send To "My Documents" etc.), the risk of
>> malware pollution (and pollution of data backups) is a worry.

There are three aspects here:

1) Data hygiene

Until Vista, MS saw no difference between hi-risk incoming material and hi-value personal data, mixing these together in the same "My Documents". With Vista, we at last see Documents and Downloads separated, but you still have incoming material routed into Documents, e.g. the "My Received Files" of most MS Instant Messaging apps.

Data and system management is usually over-simplified as "just backup" and "just wipe and rebuild", respectively. Both come up against what I used to call the "backup problem" (how to create a backup that magically includes all wanted changes and excludes all unwanted changes, for protection against undefined future problems).

I've since realized the "backup problem" is a basic scope issue that pervades not only backup, but also formal malware management and "just" wipe and rebuild. These two malware recovery approaches are usually seen as one-or-the-other, but the scoping issue is common to both, as well as keeping the PC uninfected thereafter.

2) Too secure to manage

Whereas (1) is a generic issue, (2) is particular to your approach and boosts the significance of (1). VPN is an example of problem (2), i.e. where an opaque tube secures traffic between the inside of one system and the inside of another such that no attacker can intercept traffic, yet this also bypasses all boundary defences between the inside of one system and the other. EFS can have the same effect.

Normally, "admin" or "system" rights trump or at least match user rights, so that an antivirus running with these rights can scan the user's material. If you un-nest these rights so that the system no longer has access to the user's material, you may break your antivirus's ability to scan and clean anything that comes in.

Malware is expected to start off with the rights of the user who either launched it, or who was logged on at the time it was launched by the system on the user's behalf. As such, even malware that was scoped out of the data set by attention to (1) could find and infect material within the data scope, using user rights. An antivirus that lacked these rights would then not be able to scan or clean the infected data set, which would then embed the malware within backups of this data set.

3) Are your edges really edges?

It's meaningful to talk about a PC as distinct from the LAN, and the LAN as distinct from the Internet, only if there is separation between these, especially when attempting to manage malware on them.

Unfortunately, these edges can be dissolved by admin shares that expose all HD volumes to writes via names that are hidden from user visibility, but are predictable for malware automation. Malware that is "only" running with user rights may already be authenticated to traverse these shares, if the user has the right to do so.

Just as admin shares dissolve the edge between PCs on the same LAN, so WiFi and other wireless technologies can dissolve the separation between Internet and LAN (or more accurately, the LAN and the "outside world", given that local wireless attack is the risk here). For example, if you secure WiFi with a strong WPA key, yet use a loose password to secure the router from Ethernet access, malware can brute-force the router, look up the WPA key, and send it out.

The reason I raise (1) and (3) is because approaches such as (2) are usually part of a grand strategy to flatten natural scopes (e.g. the practical difference between keyboard and remote access) and replace these with artificial "security" scopes. I know this is the only way to scale up for corporate networks to reduce their TCO, and thus it is the core thinking within NT. But it doesn't scale downwards very well, i.e. if you try to dumb down the expert skills investment required, the inherent fragility of artificial "security" scoping breaks down into exploitability. This, in a nutshell, is the tragedy of NT in the consumer space.

See... http://cquirke.blogspot.com/2005/04/use-hard-scopes-as-natural-cover.html ....if more is needed on this last issue.

>-- Risk Management is the clue that asks: "Why do I keep open buckets of petrol next to all the ashtrays in the lounge, when I don't even have a car?"
>----------------------- ------ ---- --- -- - - - -
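Two of the three aspects above can be checked on the machine itself rather than argued about: whether the Local System account (and so an antivirus service running as LocalSystem) still has read access to the redirected folders (aspect 2), and which hidden administrative shares expose whole volumes over the network (aspect 3). The block below is an added audit example, not code from the thread or from either poster. It assumes the layout from the first post (D:\<user>\Pictures, Music, Videos) and a local run from an elevated PowerShell prompt; the root path is a placeholder. If Get-Acl fails for the administrator, that is reported rather than hidden, because an administrator who cannot even read the DACL is exactly the "too secure to manage" condition the reply describes.

```powershell
# Added example, not from the original thread. Assumes the poster's layout
# (D:\<user>\Pictures, Music, Videos) and a local run from an elevated
# PowerShell prompt; the root path is a placeholder.

$SystemSid = 'S-1-5-18'   # well-known SID of NT AUTHORITY\SYSTEM

# Aspect (2): can a service running as LocalSystem (e.g. the antivirus engine)
# still read this folder? Looks for an Allow ACE for SYSTEM that carries the
# ReadData right and for any Deny ACE against SYSTEM that would override it.
function Test-SystemReadAccess {
    param([Parameter(Mandatory=$true)][string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # The administrator has no entry in the DACL at all: report it, do not hide it.
        return New-Object PSObject -Property @{
            Path = $Path; Owner = $null; SystemCanRead = $null
            Principals = 'ACL not readable: ' + $_.Exception.Message
        }
    }
    $read = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $sysRules = @($acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $SystemSid
    })
    $allow = @($sysRules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $read) -ne 0) })
    $deny  = @($sysRules | Where-Object {
        $_.AccessControlType -eq 'Deny'  -and (([int]$_.FileSystemRights -band $read) -ne 0) })
    New-Object PSObject -Property @{
        Path          = $Path
        Owner         = $acl.Owner
        SystemCanRead = ($allow.Count -gt 0 -and $deny.Count -eq 0)
        Principals    = (@($acl.Access | ForEach-Object { $_.IdentityReference.Value }) |
                         Sort-Object -Unique) -join ', '
    }
}

# Aspect (3): hidden administrative shares (C$, D$, ADMIN$ ...) that expose
# whole volumes to any account the machine accepts over the network.
function Get-AdminShares {
    # Win32_Share.Type has its high bit set (value >= 2147483648) for administrative shares.
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -ge 2147483648 } |
        Select-Object Name, Path, Type
}

# Sweep every redirected folder under each per-user directory and report.
function Invoke-RedirectionAudit {
    param([string]$Root = 'D:\')
    $userDirs = Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.PSIsContainer }
    foreach ($u in $userDirs) {
        $subs = Get-ChildItem -LiteralPath $u.FullName -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.PSIsContainer }
        foreach ($s in $subs) { Test-SystemReadAccess -Path $s.FullName }
    }
}

# Usage (elevated prompt):
#   Invoke-RedirectionAudit -Root 'D:\' | Format-Table Path, Owner, SystemCanRead, Principals -AutoSize
#   Get-AdminShares | Format-Table -AutoSize
```

A row with SystemCanRead = True means the exclusive-rights ACL still lets a LocalSystem scanner in, which is the normal result of the Folder Redirection option; a row with SystemCanRead = False or a null value with "ACL not readable" is the case worth acting on. The share listing is an inventory of the local machine only; whether those shares are reachable from elsewhere on the LAN is a firewall and authentication question the reply above raises but this check does not answer.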