
NT4 & W2K File Permission Incompatibilities; Is Microsoft Premier Support Needed?

NT4 & W2K File Permission Incompatibilities; Is Microsoft Premier Support Needed?. Andrea Chan for SLAC Windows Infrastructure Group HEPNT 2001, Berkeley. File Permission Problem #1.


Presentation Transcript


  1. NT4 & W2K File Permission Incompatibilities; Is Microsoft Premier Support Needed?
     Andrea Chan for SLAC Windows Infrastructure Group, HEPNT 2001, Berkeley

  2. File Permission Problem #1
     • Bug found in the W2K file system where a user can end up with an Access Control List (ACL) that denies him access (or has other unintended effects) while performing valid permission changes.
     • This bug was found when we were testing an ACL editing script (work done by Matt Campbell and Bobby Tait, reproduced by Microsoft).

  3. C:\Test (inheritance from parent disabled, permissions set as below, propagated to child objects)
     • ‘Administrators: Full Control’ (This folder, subfolders and files)
     • ‘Authenticated Users: Read and Execute’ (This folder only)

  4. Permissions at this level are set differently from the level above (similar to user home directories)
     C:\Test\Files (inheritance from parent disabled, permissions set as below, propagated to child objects)
     • ‘Administrators: Full Control’ (This folder, subfolders and files)
     • ‘TEST\user: Full Control’ (This folder, subfolders and files)

  5. Logged on to user account
     • Using the Explorer ‘Security’ tab, set permissions on C:\Test\Files
     • Change was made to add ‘Authenticated Users: Read & Execute’
     • On the ‘Advanced’ tab, selected ‘Reset permissions on all child objects and enable propagation of inheritable permissions’

  6. enabled

  7. Pressed OK or Apply; Security dialog box appeared: ‘Unable to save permission changes on Files. Access is denied’.

  8. Clicked on the Files folder in Explorer; access was denied. In Properties, the ‘Security’ tab was no longer present.

  9. Logged on as administrator: permissions were seen as inheriting from the parent; ‘Administrators: Full Control’ was the only entry. ‘User: Full Control’ was gone, and the user was denied access.

  10. Summary of Problem #1
     • Set of conditions under which the bug occurs:
       • Using the Explorer ‘Security’ tab (NT4 or W2K)
       • User did not have permission further up the directory tree
       • For the directory being changed, the user had ‘Full Control’ and inheritance from parents was disabled
       • When the permission was changed, ‘Reset permissions on all child objects and enable propagation of inheritable permissions’ was enabled

  11. Summary of Problem #1 – cont’d
     • Symptoms look like the ‘Security’ tab GUI changes permissions by deleting the explicit ACL, then writing a new one (rather than editing it)
     • When the ACL was deleted:
       • The directory in question momentarily inherited permissions from the parent directory that were different from its own
       • At this point, the user who initiated the ACL change no longer had permission to write the new ACL
       • Therefore, the user ended up being denied access

  12. Summary of Problem #1 – cont’d
     • Conditions where the bug occurred were normal for enterprise computing (i.e., different levels of the directory tree had different permissions)
     • Different outcomes occur depending on the permissions inherited from the directory above during the change
       • Problem type #1 – Denial of Service
         • ‘Access denied’ if the permissions inherited were more restrictive
         • ‘Empty ACL’ if the parent directory was the root of a share
       • Problem type #2 – Even when the ACL change is successful, a security vulnerability results if the permissions momentarily inherited from the parent were of higher privilege

  13. Summary of Problem #1 – cont’d
     • W2K SP2 does not fix this bug
     • Working with Microsoft (under Premier Support) to get fixes; currently testing a fix for problem type #1
     • Microsoft’s test matrix did not include this combination of permissions and inheritance for problem type #1; they have now included it
     • Windows XP GUI does not have this problem (according to Microsoft tests)
     • Microsoft is working on a fix for problem type #2
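The sequence described on slides 11 and 12 (explicit ACL removed, inheritance momentarily re-enabled, new ACL written under whatever the parent hands down) can be modelled to show why the outcome depends on the parent. The Python below is an added example written for this transcript; it is not the SLAC ACL editing script and not Windows' own security code. Rights are plain strings, "WRITE_DAC" stands in for the ‘Change Permissions’ right, and the user's group memberships (TEST\user, Authenticated Users, Everyone) are assumed. It reproduces the slide 3–5 layout, then a constructed parent that grants Everyone Full Control to show the problem type #2 window, and contrasts both with an edit-in-place sequence that authorises the change against the ACL actually in force.

```python
"""Toy model of the 'delete the ACL, then write a new one' sequence.

Constructed example: NOT the slides' ACL editing script and NOT how Windows
implements SetSecurityInfo. Rights are plain strings; "WRITE_DAC" stands for
the 'Change Permissions' right needed to write a new ACL.
"""
from dataclasses import dataclass, field

FULL_CONTROL = frozenset({"READ", "WRITE", "WRITE_DAC"})
READ_EXECUTE = frozenset({"READ"})


@dataclass(frozen=True)
class Ace:
    principal: str
    rights: frozenset
    inheritable: bool = True  # 'This folder, subfolders and files' vs 'This folder only'


@dataclass
class Acl:
    protected: bool  # True = 'inheritance from parent disabled'
    aces: list = field(default_factory=list)


def effective_aces(acl, parent):
    """Explicit ACEs, plus the parent's inheritable ACEs unless inheritance is disabled."""
    aces = list(acl.aces)
    if not acl.protected and parent is not None:
        aces += [a for a in parent.aces if a.inheritable]
    return aces


def granted_rights(aces, token_groups):
    """Union of the rights granted to any principal present in the caller's token."""
    granted = set()
    for ace in aces:
        if ace.principal in token_groups:
            granted |= ace.rights
    return frozenset(granted)


def reset_then_rewrite(parent, new_acl, token_groups):
    """Slide 11 sequence: the explicit ACL is removed and inheritance re-enabled
    first, so the second step (writing new_acl) is authorised against whatever
    the directory momentarily inherits from its parent."""
    momentary = Acl(protected=False)
    window = granted_rights(effective_aces(momentary, parent), token_groups)
    if "WRITE_DAC" not in window:
        return "access denied", momentary, window  # directory is left in the momentary state
    return "ok", new_acl, window


def edit_in_place(acl, parent, new_acl, token_groups):
    """Alternative: authorise the change against the ACL currently in force,
    which is never removed, so no inherited window is ever exposed."""
    if "WRITE_DAC" not in granted_rights(effective_aces(acl, parent), token_groups):
        return "access denied", acl, frozenset()
    return "ok", new_acl, frozenset()


# Token of the user from slide 5 (group memberships are assumed).
USER_TOKEN = {"TEST\\user", "Authenticated Users", "Everyone"}

# Parent as on slide 3: Authenticated Users Read & Execute applies to 'This folder only'.
SLIDE_PARENT = [Ace("Administrators", FULL_CONTROL),
                Ace("Authenticated Users", READ_EXECUTE, inheritable=False)]
# Constructed parent that grants everyone Full Control (problem type #2 from slide 12).
OPEN_PARENT = [Ace("Everyone", FULL_CONTROL)]


def run_scenario(parent_aces):
    """Apply the slide 5 change to C:\\Test\\Files under the given parent ACL."""
    parent = Acl(protected=True, aces=parent_aces)
    files = Acl(protected=True, aces=[Ace("Administrators", FULL_CONTROL),
                                      Ace("TEST\\user", FULL_CONTROL)])
    wanted = Acl(protected=True,
                 aces=files.aces + [Ace("Authenticated Users", READ_EXECUTE)])
    gui, final_acl, window = reset_then_rewrite(parent, wanted, USER_TOKEN)
    safe, _, _ = edit_in_place(files, parent, wanted, USER_TOKEN)
    return {
        "gui": gui,
        "principals_after_gui": sorted(a.principal for a in effective_aces(final_acl, parent)),
        "window": sorted(window),  # rights the caller holds during the inherited window
        "safe": safe,
    }


if __name__ == "__main__":
    for name, aces in (("slide parent", SLIDE_PARENT), ("open parent", OPEN_PARENT)):
        print(name, run_scenario(aces))
```

With the slide 3 parent, `run_scenario` reports ‘access denied’ and a directory whose only remaining entry is Administrators, matching slide 9; with the open parent the change succeeds, but during the window Everyone holds Full Control, which is the problem type #2 exposure. A pre-flight check of this shape (does the caller keep Change Permissions under the parent's inheritable ACEs?) is the kind of test slide 18 asks for before any global permission change.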

  14. File Permission Problem #2
     • A W2K client can set finer granularity in an NT4 file system (e.g., deny someone some kind of access)
     • The NT4 file system can implement the deny access
     • From an NT4 client, the Explorer ‘Security’ tab cannot display this deny granularity
     • The NT4 security dialog box asks ‘Do you want to overwrite the current security information? Y/N’
       • ‘No’ will forego trying to display permissions from the NT4 client and exit
       • ‘Yes’ will reset the ACLs in this directory tree, losing all existing permissions

  15. File Permission Problem #2 – cont’d
     • Q287024, also cited in Mark Minasi’s ‘Windows 2000 Newsletter Number 17’, September 2001
     • Fix is to install the Security Configuration Manager on the Windows NT 4.0-based computer; the Windows 2000-style editor then replaces the existing editor

  16. File Permission Problem #3
     • The 3rd problem arises because in W2K ACLs:
       • Inheritance sets an implicit Access Control Entry (ACE); this did not exist in NT4
       • An explicit ACE is explicitly set by the user
       • Explicit ACEs have to be listed before implicit ACEs
     • CACLS and SUBINACL do not order ACEs properly in the W2K file system
     • The W2K file system can possibly reject such an ACL as invalid
     • Q268546, Q296865
     • CACLS fixed in W2K SP2
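The ordering rule on slide 16 (explicit ACEs before inherited ones) is easy to check before an ACL is written. The Python below is an added example, not CACLS, SUBINACL or Windows' own validation code; it also applies the standard Windows canonical rule that deny ACEs precede allow ACEs within each class, which the slide does not mention. The misordered DACL it checks is constructed for the example.

```python
"""Canonical-order check for a W2K DACL, as an added illustration of slide 16.

Constructed example: this is not CACLS, SUBINACL or the Windows validation
code. Canonical order for a DACL: explicit deny, explicit allow, then the
inherited (implicit) deny and allow ACEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    principal: str
    kind: str         # "Deny" or "Allow"
    inherited: bool   # True = implicit ACE produced by inheritance, False = set explicitly


# Lower rank must come first in a canonical DACL.
CANONICAL_RANK = {
    (False, "Deny"): 0,   # explicit deny
    (False, "Allow"): 1,  # explicit allow
    (True, "Deny"): 2,    # inherited deny
    (True, "Allow"): 3,   # inherited allow
}


def rank(ace):
    return CANONICAL_RANK[(ace.inherited, ace.kind)]


def first_violation(aces):
    """Index of the first ACE that is out of order, or None if the DACL is canonical."""
    for i in range(1, len(aces)):
        if rank(aces[i]) < rank(aces[i - 1]):
            return i
    return None


def is_canonical(aces):
    return first_violation(aces) is None


def canonicalize(aces):
    """Reorder into canonical form; sorted() is stable, so ACEs of the same
    class keep their relative order."""
    return sorted(aces, key=rank)


def describe(aces):
    """Readable one-entry-per-ACE rendering, e.g. for a pre-flight log."""
    return [f"{a.principal}:{'(I)' if a.inherited else ''}{a.kind}" for a in aces]


# Constructed DACL in the shape slide 16 warns about: an inherited allow ACE
# listed before the explicit entries that a tool appended afterwards.
MISORDERED = [
    Ace("Administrators", "Allow", inherited=True),
    Ace("TEST\\user", "Allow", inherited=False),
    Ace("Guests", "Deny", inherited=False),
]


if __name__ == "__main__":
    print("canonical?", is_canonical(MISORDERED),
          "first violation at index", first_violation(MISORDERED))
    print(describe(canonicalize(MISORDERED)))
```

Running a check like `is_canonical` over the ACE list a script is about to write, and refusing to write when it fails, catches the tool-ordering problem before the file system has a chance to reject (or silently misapply) the ACL.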

  17. Other incompatibilities affecting file services
     • NT4 DFS versus W2K DFS
     • Aliasing
     • NT4 SMB signing versus W2K SMB signing

  18. Summary – File Permissions
     • Incompatibilities between NT4 and W2K, and bugs in W2K file permissions, can produce invalid ACLs
     • W2K inheritance adds to the complexity
     • Further caution and testing are needed prior to any global changes to W2K file permissions
     • If system administrators have such problems changing permissions, think what this means for users themselves

  19. Is Microsoft Premier Support Needed?
     • SLAC shares with Stanford University a dedicated Microsoft Technical Account Manager (TAM); our share is 25%
     • The TAM is one point of contact, and most importantly, the TAM acts as an advocate for SLAC inside Microsoft
     • The TAM coordinates technical consulting, escalation management, supportability reviews and site visits
     • The TAM coordinates key resources inside Microsoft and partner vendors for SLAC problems

  20. Microsoft Premier Support – cont’d
     • Contrast with Microsoft Premium Support, where previously:
       • We purchased 10 calls to the 1-800 Tech Support phone number
       • During trouble calls, Tech Support read a recipe to us for weeks before escalating to those who could debug and fix the code
     • The TAM makes sure that Microsoft resources give our problems priority to debug or deliver the fixes (e.g., fix for Exchange Store memory leak, fix for W2K permissions bug)
     • The TAM finds the correct level of resource within Microsoft for our critical services (such as Exchange, file permissions)

  21. Summary – Microsoft Premier Support
     • Annual cost pays for:
       • TAM’s time
       • 20 Premier Support calls (24 x 7 coverage)
       • Resources that the TAM pulls in to solve trouble calls and research questions (often outside of a Premier Support call)
     • SLAC experience recommends using this service for mission-critical Microsoft services
     • We want other critical PC vendors to live up to this type of TAM and Premier Support model
