I'm well aware of that (I have the cacls, xcacls and other commands locked out too, even if they bring them on a USB stick the application whitelist and AppSense will stop them). If any of my users can get past the controls I have, I'd probably try and get them a job in our department :-) Hiding the GUI stops the casual clickers, who are 99.9% of the problem. You'll never stop a determined attacker - it's the spotting them and clearing up that's vital.
2010/1/13 <asbz...@gmail.com>

> The problem is that simply hiding the GUI will not prevent someone from
> running CACLS or ICACLS, which are native depending on your version of the OS.
>
> Sure, that requires a level of sophistication, but not that much more than
> a standard user. A google search will put you right there.
>
> Sent from my Verizon Wireless BlackBerry
> ------------------------------
> *From: * James Rankin <kz2...@googlemail.com>
> *Date: *Wed, 13 Jan 2010 16:57:23 +0000
> *To: *NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
> *Subject: *Re: Users Setting NTFS Permissions
>
> It behaves exactly the same (for me anyway) after the permissions are
> removed - creating user is named as owner on the security tab and has the
> appropriate permissions rights to go with it. And after setting the owner
> with subinacl. Digging around in all this is making me glad I've set the
> security tab to hidden. I'm considering running the subinacl command as a
> scheduled task as well, as I can see multiple owners on parts of my data
> structure.
>
> 2010/1/13 <asbz...@gmail.com>
>
>> What about users who create folders after the permissions are removed?
>>
>> You have to do it from the very beginning, or manually reset the perms
>> after the fact as Jonathan has indicated earlier.
>>
>> There is a special set of rights that are implicitly granted, but the
>> removal of Creator/Owner should address that.
>>
>> I'll test it later today to verify.
>>
>> Sent from my Verizon Wireless BlackBerry
>> ------------------------------
>> *From: * James Rankin <kz2...@googlemail.com>
>> *Date: *Wed, 13 Jan 2010 16:16:07 +0000
>> *To: *NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
>> *Subject: *Re: Users Setting NTFS Permissions
>>
>> Hmmm....I've removed it and it is still listing users who have created
>> folders as the owner. It's definitely not on the ACL...
>>
>> 2010/1/13 <asbz...@gmail.com>
>>
>>> Creator/Owner is inherited and can be removed easily enough. Far easier
>>> to maintain.
>>>
>>> Sent from my Verizon Wireless BlackBerry
>>> ------------------------------
>>> *From: * James Rankin <kz2...@googlemail.com>
>>> *Date: *Wed, 13 Jan 2010 13:20:52 +0000
>>> *To: *NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
>>> *Subject: *Re: Users Setting NTFS Permissions
>>>
>>> I normally just give the groups RWXD, but the Creator Owner privilege
>>> appears by default on newly created folders. Without removing the ability to
>>> create folders and/or run subinacl scripts to take ownership, I find
>>> removing the GUI to change the permissions is the easiest option.
>>>
>>> 2010/1/13 Jonathan Link <jonathan.l...@gmail.com>
>>>
>>>> Isn't that just obfuscation? I thought the ability to change
>>>> permissions was granted by the Full Control right. If that's the case, pull
>>>> Creator/Owner Full control from your file system and reassign permissions
>>>> accordingly.
>>>>
>>>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin <kz2...@googlemail.com> wrote:
>>>>
>>>>> Prevent access to the rshx32.dll file on all your workstations and
>>>>> servers to Administrators and System only. You can do this with a GPO. The
>>>>> user can't access the security tab then and can't change permissions. Unless
>>>>> they know how to use cacls. You could lock the permissions on that file as
>>>>> well through Group Policy.
>>>>>
>>>>> 2010/1/13 Terri Esham <terri.es...@noaa.gov>
>>>>>
>>>>>> We have a Windows 2008 Domain whereby we control access to folders
>>>>>> stored on one of the domain controllers through Active Directory
>>>>>> groups. When a new folder is created on the network file server, we
>>>>>> grant full permissions to the associated active directory group with the
>>>>>> exception of the ability to set and change permissions.
>>>>>>
>>>>>> We just discovered that a user can grant permissions to any folder that
>>>>>> they create under the primary folder because they are the folder
>>>>>> owner. Obviously, I can change ownership to the domain admin, but how
>>>>>> in the world would I keep up with this. I've no idea when a user might
>>>>>> create a sub folder. I stumbled upon the problem because I found a
>>>>>> folder whereby a user had granted the everyone group full rights. I
>>>>>> knew none of the domain admins would do that. After talking with the
>>>>>> owner of the folder, I found out he's been doing it all along.
>>>>>>
>>>>>> Wow! This is a real problem for us because we want to control access
>>>>>> through groups. This one user had shared a bunch of folders using
>>>>>> individual names. Plus, he had no clue what he was doing and just
>>>>>> granted everyone full rights.
>>>>>>
>>>>>> How in the world do you guys handle this? Am I missing something?
>>>>>>
>>>>>> Thanks, Terri
>>>>>>
>>>>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>>>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>>>
>>>>> --
>>>>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
>>>>> into the machine wrong figures, will the right answers come out?' I am not
>>>>> able rightly to apprehend the kind of confusion of ideas that could provoke
>>>>> such a question."
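The thread settles on two controls: remove the inherited CREATOR OWNER ACE at the share root, and periodically reset ownership (the subinacl scheduled task James mentions) so that folder creators cannot rely on the implicit owner rights to re-grant access. The script below is an added example written for this page, not code from the thread or from any of its participants. It audits a data share for the symptoms Terri describes (folders owned by a user rather than the admin group, explicit ACEs granting rights to Everyone or to individual accounts instead of the intended AD group) and, with -Fix, resets the owner and strips those explicit ACEs so that only the inherited group permissions remain. The root path, the desired owner, and the allowed-principal list are assumptions passed as parameters; run it from an elevated session on the file server, since assigning ownership to another account needs the restore privilege.

```powershell
<#
  Audit-NtfsOwnership.ps1 (hypothetical script name, added example)
  Reports sub-folders whose owner is not the administrative group and
  sub-folders carrying explicit (non-inherited) ACEs, which is how an
  owner's self-granted permissions show up. With -Fix it reassigns the
  owner and removes the user-added ACEs, leaving the inherited group ACL.
#>
param(
    [Parameter(Mandatory)][string]$Root,                      # e.g. \\fileserver\data (assumed)
    [string]$DesiredOwner = 'BUILTIN\Administrators',         # assumed target owner
    [string[]]$AllowedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'),
    [switch]$Fix
)

$ownerAccount = New-Object System.Security.Principal.NTAccount($DesiredOwner)

# Broad identities that should never be granted explicitly on a data folder
$broadGroups = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

$findings = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue) {
    $acl    = Get-Acl -LiteralPath $dir.FullName
    $issues = @()

    # Ownership check: a folder still owned by its creator can have its ACL rewritten by that user
    if ($acl.Owner -ne $DesiredOwner) {
        $issues += "owner is $($acl.Owner)"
    }

    # Explicit ACEs are the ones added at this folder rather than inherited from the share root;
    # with a group-based model set at the top level, nobody but admins should be adding these.
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    foreach ($ace in $explicit) {
        $id = $ace.IdentityReference.Value
        if ($id -eq 'CREATOR OWNER') { $issues += 'CREATOR OWNER ACE present'; continue }
        if ($AllowedPrincipals -contains $id) { continue }
        if ($broadGroups -contains $id) {
            $issues += "explicit $($ace.FileSystemRights) for broad group $id"
        } else {
            # Individual users or ad-hoc groups granted by hand bypass the AD-group model
            $issues += "explicit $($ace.FileSystemRights) for $id"
        }
    }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{ Path = $dir.FullName; Issues = ($issues -join '; ') }

        if ($Fix) {
            $acl.SetOwner($ownerAccount)
            foreach ($ace in $explicit) {
                if ($AllowedPrincipals -notcontains $ace.IdentityReference.Value) {
                    [void]$acl.RemoveAccessRule($ace)
                }
            }
            Set-Acl -LiteralPath $dir.FullName -AclObject $acl
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it read-only first (`.\Audit-NtfsOwnership.ps1 -Root \\fileserver\data`) and review the report before adding -Fix; as a scheduled task it gives the same effect as the recurring subinacl reset discussed above, with a log of what was changed. Note that it only removes CREATOR OWNER where that ACE was set explicitly on a sub-folder; the inherited copy is removed once at the share root, which is the step the thread describes. If Set-Acl refuses the owner change in your environment, the same reset can be done with the subinacl or icacls tools the thread already mentions.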