ADSM-L

NT data backup question

2015-10-04 18:19:39
Subject: NT data backup question
From: "Keith A. Crabb" <KEITH AT UHUPVM1.UH DOT EDU>
To: Multiple recipients of list ADSM-L <ADSM-L AT VM.MARIST DOT EDU>
>> Yeah, yeah a question about the not even released yet NT client.  I
>> apologize, management is making me, it's their job to look stupid, I
>> mean make me look stupid, I mean they're just stupid, oh never mind
>> y'all know what I mean......
It's not stupid - several large ADSM NT beta customers have asked the
same questions.

>> Apparently there is a problem with some of the currently available
>> backup solutions for NT.  If a user sets his data permissions up
>> so that the data is _only_ accessible by the user, not even read for
>> anyone else.  The backup software is then unable to backup the data.
I'll try to explain this. Backup applications usually run on accounts
which possess special user rights to allow bypassing normal NTFS file
security. Specially, these rights are Backup, Restore, and Security.

Backup and restore allow file data and DACLs (regular file permissions)
to be accessed, Security allows file SACLs (auditing information) to
be accessed. This access is allowed regardless of who owns the file.

There is also a take ownership right, which allows a user to change
the ownership of an NTFS file/directory.

The administrators and domain admins predefined user groups contain
all three of the above user rights, so one would think an administrator
account would be able to access any file, regardless of owner or
permissions.

There is a somewhat bizarre scenario in which an administrator can be
denied direct access to an NTFS file. If a user creates a file and
then explicitly removes all of its permissions, other users (including
administrators) will be able to access the file.

An administrator can, however, take ownership of such a file. Once he
has ownership he has the authority to change the permissions.

Now the really strange part is that once an admin account has any access
to the file, he really has unlimited access. What I mean by this is
that even if he has the lowest level access (List for a dir, read for
a file) the backup/restore user rights allow bypassing the limitations
of the file permissions.

The only way I think a backup application could process files owned
by another account with all permissions explicitly removed would be
to assume ownership of the file and add permissions.

Personally, I think it is a reasonable policy to require users who
create files to allow at least minimal access to the account which
will be performing the backups. Remember, by default this access will
be there when a file is created, and the user is not really preventing
an admin user from being able to access the file anyway as they can
always take ownership of it as mentioned above.

The ADSM NT client currently does not change the permissions on these
types of files - they will not be backed up and will generate an
"access denied" error message.

The thing that really confuses people is the MS documentation indicates
the Backup and Restore user rights bypass all file system security which
in this example is definitely not true.


>> Not that I really expect an answer on a product that doesn't even have
>> an announcement letter out yet but, will the ADSM NT client be able to
>> backup the users data in this case?
I thought it had been announced. The client has been in beta
since the beginning of the year and it is scheduled to be Generally
Available this summer.

As I mentioned above, the only way the client would be able to back
this data up would be to take ownership of the files and add permissions
to it for the account running the backup. I don't really like the idea
of changing any of the file attributes in order to be able to back it
up, but it is a possibility.

>> ---
>> Keith A. Crabb         Keith AT UH DOT EDU
>> University of Houston  Operating Systems Specialist +1-713-743-1530
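
The policy suggested in the reply above (files should grant at least minimal access to the account performing backups) can be checked ahead of a backup run. The following is an added example, not part of the original message or of the ADSM client: it reads a file's DACL from its SDDL string and reports whether any ACE gives read access to the backup account. It looks at the DACL only and does not model user rights; the trustee aliases assumed for the backup account (BA, BO, WD, AU) and the sample SDDL strings are constructed for illustration.

```python
import re

FILE_READ_DATA = 0x1
GENERIC = 0x80000000 | 0x10000000            # GENERIC_READ | GENERIC_ALL
# SDDL two-letter rights codes relevant to files; any other code is
# treated here as carrying no read access (simplification).
CODES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
         "GA": 0x10000000, "GR": 0x80000000}

def rights_mask(rights):
    """Convert an SDDL rights field (hex or two-letter codes) to a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= CODES.get(code, 0)
    return mask

def backup_readable(sddl, trustees=("BA", "BO", "WD", "AU")):
    """Classify a file's DACL for an account matching `trustees`.

    trustees: SDDL aliases/SIDs assumed to apply to the backup account
    (Administrators, Backup Operators, Everyone, Authenticated Users).
    """
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if m is None:
        return "no DACL in string"
    aces = [a.split(";") for a in re.findall(r"\(([^)]*)\)", m.group(2))]
    if not aces:
        return "empty DACL"          # all permissions explicitly removed
    for ace in aces:
        ace_type, flags, rights, sid = ace[0], ace[1], ace[2], ace[5]
        if sid not in trustees or "IO" in re.findall("..", flags):
            continue                 # other trustee, or inherit-only ACE
        if rights_mask(rights) & (FILE_READ_DATA | GENERIC):
            # ACEs are evaluated in order: the first one covering read wins
            return "readable" if ace_type == "A" else "denied by ACE"
    return "no grant"

if __name__ == "__main__":
    owner = "S-1-5-21-1-2-3-1001"    # constructed user SID
    samples = {                      # constructed SDDL strings
        "stripped.doc": f"O:{owner}G:DUD:",
        "private.doc": f"O:{owner}G:DUD:(A;;FA;;;{owner})",
        "normal.doc": f"O:{owner}G:DUD:(A;;FA;;;{owner})(A;;FR;;;BA)",
    }
    for name, sddl in samples.items():
        print(f"{name:14} {backup_readable(sddl)}")
```

Files reported as "empty DACL", "no grant" or "denied by ACE" are the ones to review with their owners before the backup runs.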