Mail Archives: cygwin/2006/01/18/13:16:34
Dave Korn wrote:
> > I'm not sure that power users have the ability to change ownership in
> > this way..
>
> Actually, I'm not sure either. If "Power Users" isn't enough, it would need
> to be a local admin.
This discussion reminds me of an article I read recently:
http://www.microsoft.com/technet/community/columns/secmgmt/sm1105.mspx
"For many years it has been fashionable to perform blanket replacement
of ACLs to "secure" the system. For instance, if you look at the ACL on
the %systemdrive%\boot.ini it contains an ACE for Power Users. Many
people believe that if you simply remove all the ACEs for Power Users,
you have effectively contained that group. This is not true. There is a
very simple fact about Power Users that you need to be aware of:
Power Users are administrators who simply have not made themselves
administrators yet.
You cannot remove the ACLs on the file system, or even the registry, and
prevent that. Power Users are ingrained in the operating system, and
they have sufficient privileges to escalate to an administrator fairly
easily. You cannot use Power Users to contain untrusted users. It is
only meant to keep well meaning users from hurting themselves and the
operating system accidentally. Nevertheless, many organizations have
policies to attempt to limit Power Users by performing blanket DACL
replacement. The same types of policies are commonly found to replace
the Everyone group with Authenticated Users or Domain Users, which we
cover below. Unfortunately, attempts to perform blanket DACL replacement
often have disastrous effects. "
Brian
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
- Raw text -