Saturday, June 16, 2012

Microsoft Special Permissions


An Administrator’s Nightmare or Easy Shortcuts.

Microsoft introduced special permission after the release of Windows 2000.  It is a representable view of applying permissions to files and folders by allowing permission to be granted to named groups in various permission levels.

At an individual level or in a small network special permissions do not create known issues; however, in large organization the use of special permissions create auditing and accountability issues as well as security management issues.

The special permissions applied in certain areas and not a standard. This permission applies to a group or a person as the owner of a folder, folder tree and files. Being an owner of a folder does not grant the person or group rights to the folder or files. It requires a proxy. In this case the proxy is a named Windows builtin SID called Creator/Owner and the permission is granted to it.

If an audit was to be performed, the actual permission as to who has permission to what would  be become a nightmare to perform because the audit trail would use the permission of creator\owner. And because multiple users or groups can be creator/owners there would be no security accountability.

In a migration scenario regardless of tool set being used (QUEST, Microsoft, ADUM) it would be impossible to maintain a co-existence between 2 domains during migration because there can only be ONE owner. Therefore any folder being accessed by special permissions can only be accessed by one account from one domain at a time. In a large migration that involves migration in incremental stages the special permissions scenario would not grant rights to folders and files from multiple domains.

The Solution

ManageRED with ADUM 8.00 or higher, has developed a non-intrusive method of providing coexistence from multiple domains whereby the special permission limitation has been removed. All accounts either explicit or through ownership are granted the same permissions to files and folders without destroying the original permission.

This process is now incorporated into the latest update to deal with the random use of special permissions throughout a network without user intervention or down time during the reACLing process.

Akos Sandor
Director, ManageRED Software
Posted by at
Labels: , , , ,

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.

Subscribe to: Post Comments (Atom)