NT4 & W2K File Permission Incompatibilities;
Is Microsoft Premier Support Needed?
Andrea Chan for
SLAC Windows Infrastructure Group
HEPNT 2001, Berkeley
File Permission Problem #1
Bug found in the W2K file system: a user performing a valid permission change can end up with an Access Control List (ACL) that denies him access (or has other unintended effects).
This bug was found while we were testing an ACL editing script (work done by Matt Campbell and Bobby Tait, reproduced by Microsoft).
C:\Test (inheritance from parent disabled, permissions set as below, propagated to child objects)
– ‘Administrators: Full Control’ (This folder, subfolders and files)
– ‘Authenticated Users: Read and Execute’ (This folder only)
Permissions at the next level are set differently from the level above (similar to user home directories):
C:\Test\Files (inheritance from parent disabled, permissions set as below, propagated to child objects)
– ‘Administrators: Full Control’ (This folder, subfolders and files)
– ‘TEST\user: Full Control’ (This folder, subfolders and files)
Logged on to user account
Using Explorer ‘Security’ tab, set permissions on C:\Test\Files
Change was made to add ‘Authenticated Users: Read & Execute’
On ‘Advanced’ tab, ‘Reset permissions on all child objects and enable propagation of inheritable permissions’ was enabled
Pressed OK or Apply. Security dialog box appeared: ‘Unable to save permission changes on Files. Access is denied’.
Clicked on Files folder in Explorer, access was denied. In Properties, the ‘Security’ tab was no longer present.
Logged on as administrator. Permissions were seen as inheriting from parent; ‘Administrators: Full Control’ was the only entry. ‘User: Full Control’ was gone, and the user was denied access.
Summary of Problem #1
Set of conditions under which the bug occurs
– Using Explorer ‘Security’ tab (NT4 or W2K)
– User did not have permission further up the directory tree
– For the directory being changed, user had ‘Full Control’ and inheritance from parents was disabled
– When the permission was changed, ‘Reset permissions on all child objects and enable propagation of inheritable permissions’ was enabled
Summary of Problem #1 – cont’d
Symptoms look like the ‘Security’ tab GUI changes permissions by deleting the explicit ACL, then writing a new one (rather than editing the existing ACL in place)
When the ACL was deleted
– The directory in question momentarily inherited permissions from the parent directory, which were different from its own explicit permissions
– At this point, the user who initiated the ACL change no longer had permission to write the new ACL
– Therefore, the user ended up being denied access
Summary of Problem #1 – cont’d
Conditions where the bug occurred are normal for enterprise computing (i.e., different levels of the directory tree have different permissions)
Different outcomes occur depending on the permissions inherited from the directory above during the change
Problem type #1 – Denial of Service
– ‘Access denied’ if the permissions momentarily inherited were more restrictive
– ‘Empty ACL’ if the parent directory was the root of a share
Problem type #2 – Security Vulnerability: even when the ACL change is successful, the permissions momentarily inherited from the parent may be of higher privilege than the explicit ACL being replaced, giving a window of broader access during the change
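The following PowerShell script is an added example (not from the SLAC deck or from Microsoft). It rebuilds the C:\Test layout above and then makes the same change the user made (adding ‘Authenticated Users: Read & Execute’ to C:\Test\Files), but by editing the existing security descriptor and writing it back in a single call rather than deleting the explicit ACL and re-creating it. Because the directory never falls back to the parent's inherited permissions, neither the ‘Access denied’ outcome (type #1) nor the window of broader access (type #2) can occur. The paths C:\Test and C:\Test\Files, and the local account standing in for TEST\user, are assumptions; run it as an administrator on a machine where that account exists.

```powershell
# Added example: apply a permission change as one ACL write (no delete-then-recreate window).
# Paths and account names are assumptions for illustration. Run as administrator.
$ErrorActionPreference = 'Stop'
$root  = 'C:\Test'                       # assumed path
$files = Join-Path $root 'Files'
$user  = "$env:COMPUTERNAME\user"        # assumed local account standing in for TEST\user

New-Item -ItemType Directory -Force -Path $files | Out-Null

$full  = [System.Security.AccessControl.FileSystemRights]::FullControl
$rx    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$thisAndChildren = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$thisOnly        = [System.Security.AccessControl.InheritanceFlags]::None
$noPropagation   = [System.Security.AccessControl.PropagationFlags]::None

function New-Rule([string]$Identity, $Rights, $Flags) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Flags, $noPropagation, $allow)
}

function Set-ExplicitAcl([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Rules) {
    # Disable inheritance WITHOUT copying the parent's ACEs, drop any existing explicit
    # entries, add the wanted ones, then write the whole descriptor back once.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($r in $acl.Access) { if (-not $r.IsInherited) { $acl.RemoveAccessRule($r) | Out-Null } }
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# C:\Test: Administrators FC (this folder, subfolders, files); Authenticated Users R&X (this folder only)
Set-ExplicitAcl $root @(
    (New-Rule 'BUILTIN\Administrators' $full $thisAndChildren),
    (New-Rule 'NT AUTHORITY\Authenticated Users' $rx $thisOnly)
)
# C:\Test\Files: Administrators FC; user FC (inheritance disabled, as in the deck)
Set-ExplicitAcl $files @(
    (New-Rule 'BUILTIN\Administrators' $full $thisAndChildren),
    (New-Rule $user $full $thisAndChildren)
)

# The change from the slide: add Authenticated Users R&X to C:\Test\Files.
# Edit the existing ACL object and write it back; the explicit ACL is never removed,
# so there is no moment at which the parent's permissions apply instead.
$acl = Get-Acl -LiteralPath $files
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\Authenticated Users' $rx $thisAndChildren))
Set-Acl -LiteralPath $files -AclObject $acl

# Verify: inheritance is still disabled and the user's explicit Full Control survived.
$after  = Get-Acl -LiteralPath $files
$userFc = $after.Access | Where-Object {
    $_.IdentityReference.Value -eq $user -and $_.FileSystemRights -eq $full -and -not $_.IsInherited }
if ($after.AreAccessRulesProtected -and $userFc) {
    "OK: explicit ACL on $files intact, Authenticated Users R&X added"
} else {
    throw "ACL on $files lost its explicit entries or re-enabled inheritance"
}
```

The design point is the order of operations inside Set-ExplicitAcl and the final change: protection is turned on and entries are added on an in-memory descriptor, and the file system sees exactly one write. A tool that first clears the DACL (or toggles inheritance off and on) and then writes the new entries reproduces the window the deck describes, and whether the caller still has WRITE_DAC at that moment depends entirely on the parent's permissions.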
Summary of Problem #1 – cont’d
W2K SP2 does not fix this bug
Working with Microsoft (under Premier Support) to get fixes; currently testing a fix for problem type #1
– Microsoft test matrix did not include this combination of permissions and inheritance for problem type #1, they have now included it
– Windows XP GUI does not have this problem (according to Microsoft tests)
Microsoft working on fix for problem type #2
File Permission Problem #2
A W2K client can set finer-granularity permissions on an NT4 file system (e.g., deny someone some kind of access)
The NT4 file system can implement the deny access
From an NT4 client, the Explorer ‘Security’ tab cannot display this deny granularity
The NT4 security dialog box asks ‘Do you want to overwrite the current security information? Y/N’
– ‘No’ will forego trying to display the permissions from the NT4 client and exit
– ‘Yes’ will reset the ACLs in this directory tree, losing all existing permissions
File Permission Problem #2–cont’d
Q287024, also cited in Mark Minasi ‘Windows 2000 Newsletter Number 17’ September 2001
Fix is to install the Security Configuration Manager on the Windows NT 4.0-based computer; the Windows 2000-style ACL editor then replaces the existing editor
File Permission Problem #3
3rd problem arises because in W2K ACLs
– Inheritance sets an implicit Access Control Entry (ACE); this did not exist in NT4
– An explicit ACE is explicitly set by the user
– Explicit ACEs have to be listed before implicit (inherited) ACEs
CACLS and SUBINACL do not order ACEs properly in the W2K file system
The W2K file system can possibly reject such an ACL as invalid (Q268546, Q296865)
CACLS fixed in W2K SP2
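As an added example covering Problems #2 and #3 (not from the SLAC deck or from Microsoft), the PowerShell script below audits a directory tree for the two things a tool-written ACL can leave behind: DACLs whose ACEs are out of canonical order (explicit before inherited, and Deny before Allow within each group) and Deny ACEs, which an NT4 Explorer ‘Security’ tab cannot display and will offer to overwrite. The ordering rule is checked by hand, next to the .NET AreAccessRulesCanonical flag, so the reader can see what "properly ordered" means. The root path is an assumption; nothing is modified.

```powershell
# Added example: find non-canonical DACLs and Deny ACEs under a tree (read-only audit).
# $Root is an assumed starting point.
param([string]$Root = 'C:\Test')

function Test-CanonicalOrder {
    # Manual check of the W2K ordering rule. Rank each ACE:
    #   explicit Deny = 0, explicit Allow = 1, inherited Deny = 2, inherited Allow = 3
    # and require the ranks to be non-decreasing down the DACL.
    param([System.Security.AccessControl.AuthorizationRuleCollection]$Rules)
    $lastRank = -1
    foreach ($r in $Rules) {
        $rank = 0
        if ($r.IsInherited) { $rank += 2 }
        if ($r.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) { $rank += 1 }
        if ($rank -lt $lastRank) { return $false }
        $lastRank = $rank
    }
    return $true
}

$items  = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
$report = foreach ($item in $items) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName
    } catch {
        # Report unreadable descriptors instead of aborting the whole audit.
        [pscustomobject]@{ Path = $item.FullName; Canonical = $null; OrderOk = $null
                           DenyAces = $null; DenyFor = "ERROR: $($_.Exception.Message)" }
        continue
    }
    # GetAccessRules($true,$true,...) returns explicit AND inherited entries in DACL order.
    $rules  = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $denies = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
    [pscustomobject]@{
        Path      = $item.FullName
        Canonical = $acl.AreAccessRulesCanonical      # what the OS/.NET layer thinks
        OrderOk   = Test-CanonicalOrder $rules        # the same rule, checked by hand
        DenyAces  = $denies.Count
        DenyFor   = ($denies | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
    }
}

$problems = $report | Where-Object { -not $_.Canonical -or -not $_.OrderOk -or $_.DenyAces -gt 0 }
if ($problems) {
    $problems | Format-Table -AutoSize
} else {
    "No non-canonical DACLs or Deny ACEs found under $Root"
}
```

Run this before and after any bulk change made with CACLS, SUBINACL or a home-grown script: a row with Canonical or OrderOk false is an ACL that W2K may refuse, and a row with DenyAces greater than zero is a directory that should not be touched from an NT4 client's Explorer until the Security Configuration Manager editor is installed there.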
Other incompatibilities affecting file services
NT4 DFS versus W2K DFS
Aliasing
NT4 SMB signing versus W2K SMB signing
Summary – File Permissions
Incompatibilities between NT4 and W2K, and bugs in W2K file permissions, can produce invalid ACLs
W2K inheritance adds to the complexity
Further caution and testing is needed prior to any global changes on W2K file permissions
If system administrators have such problems changing permissions, think what this means for users themselves
Is Microsoft Premier Support Needed?
SLAC shares with Stanford University a dedicated Microsoft Technical Account Manager (TAM); our share is 25%
TAM is one point-of-contact, and most importantly, the TAM acts as an advocate for SLAC inside Microsoft
TAM coordinates technical consulting, escalation management, supportability reviews, site visits
TAM coordinates key resources inside Microsoft and partner vendors for SLAC problems
Microsoft Premier Support – cont’d
Contrast with Microsoft Premium Support, where previously
– We purchased 10 calls to the 1-800 Tech Support phone number
– During trouble calls, Tech Support read recipes to us for weeks before escalating to those who could debug and fix the code
TAM makes sure that Microsoft resources give our problems priority to debug or deliver the fixes (e.g., fix for Exchange Store memory leak, fix for W2K permissions bug)
TAM finds correct level of resource within Microsoft for our critical services (such as Exchange, file permissions)
Summary – Microsoft Premier Support
Annual cost pays for
– TAM’s time
– 20 Premier Support calls (24 x 7 coverage)
– Resources that the TAM pulls in to solve trouble calls and research questions (often outside of a Premier Support call)
SLAC experience recommends using this service for mission critical Microsoft services
We want other critical PC vendors to live up to this type of TAM and Premier Support model