managing file permissions under windows (madness?)

mwb1100:
You are allowed to do crazy things like eradicate the administrators group. You read that right: you can make it so some user has full permissions on a file, but the admins don't. I have no idea how I managed to do this feat... and I fixed it now. But I'm really curious about what purpose this may fulfill
-urlwolf (April 25, 2009, 06:34 AM)
--- End quote ---

Remember that this security architecture is designed to support large organizations (even military - to a certain level). For example, you may have an enterprise where the admins who maintain the systems are not permitted to access sensitive files such as payroll or health records (this is actually probably quite common). In these cases the admin group would not have permission for these files. However, since admins are all-powerful, there is a 'loophole' - an admin is always allowed to take ownership of a file system object. Once the admin is the owner, he has access to the file (or at least the ability to modify permissions to give access - the Windows security model is flexible enough to even deny owners access to file objects, but an owner can always modify permissions).

The one part of the loophole that admins can't close in this scenario is that changing ownership of the object gets logged, so if this occurs there's at least an audit trail (and if the admin deletes the logs, there's an audit trail of that).
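
The audit trail described in the post above can be reviewed mechanically. The following is an added example, not part of the original post: it scans exported Security-log records for use of the `WRITE_OWNER` access right (event 4663 on current Windows versions) and checks whether the same account cleared the audit log (event 1102) shortly afterwards. It assumes object-access auditing is enabled on the sensitive files and that events are forwarded to a central collector so earlier records survive a local clear; the record layout, account names and paths are constructed for illustration.

```python
from datetime import datetime, timedelta

WRITE_OWNER = 0x00080000   # access right needed to change an object's owner
EV_OBJECT_ACCESS = 4663    # "An attempt was made to access an object"
EV_LOG_CLEARED = 1102      # "The audit log was cleared"

# Constructed sample records (not real log data), shaped like Security-log
# events exported to dicts. Accounts, paths and layout are assumptions.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:05", "id": 4663, "user": "payroll_svc",
     "object": r"D:\Payroll\2024.xlsx", "mask": "0x1"},       # plain read
    {"time": "2024-03-01T22:14:40", "id": 4663, "user": "admin_bob",
     "object": r"D:\Payroll\2024.xlsx", "mask": "0x80000"},   # WRITE_OWNER
    {"time": "2024-03-01T22:20:11", "id": 1102, "user": "admin_bob"},
    {"time": "2024-03-02T08:30:00", "id": 4663, "user": "admin_amy",
     "object": r"D:\HR\health.db", "mask": "0xc0000"},  # WRITE_DAC|WRITE_OWNER
]

def ownership_changes(events):
    """Return 4663 events whose access mask includes WRITE_OWNER."""
    return [e for e in events
            if e["id"] == EV_OBJECT_ACCESS and int(e["mask"], 16) & WRITE_OWNER]

def audit_findings(events, window=timedelta(hours=1)):
    """Pair each ownership change with any log clear by the same account
    within `window` afterwards; the clear itself is an audited event."""
    clears = [e for e in events if e["id"] == EV_LOG_CLEARED]
    findings = []
    for chg in ownership_changes(events):
        t0 = datetime.fromisoformat(chg["time"])
        cleared = any(c["user"] == chg["user"] and timedelta(0) <=
                      datetime.fromisoformat(c["time"]) - t0 <= window
                      for c in clears)
        findings.append((chg["user"], chg["object"], cleared))
    return findings

if __name__ == "__main__":
    for user, obj, cleared in audit_findings(SAMPLE_EVENTS):
        note = ", then cleared the audit log" if cleared else ""
        print(f"{user} exercised WRITE_OWNER on {obj}{note}")
```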
