ADSM-L
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: NTFS permissions

1998-10-13 17:44:03
Subject: Re: NTFS permissions
From: Pete Tanenhaus <tanenhau AT US.IBM DOT COM>
Date: Tue, 13 Oct 1998 17:44:03 -0400 
The ADSM process always adjusts it's access token to enable the Backup/Restore
and Manage Auditing
and Security Log privileges (and the system account always has these) so it
doesn't matter what access has
been implicitly or explicitly granted/denied to an object.

These privileges essentially bypass all of the file system security (read
description in NT admin doc for the corresponding
user rights).

Keep in mind that many NT privileges are not enabled by default, which
basically means that you may not have
access to something from an interactive logon session, but that a program may
be written to modify the access
token as ADSM does to enable the privileges (obviously the account must have
the corresponding user right).

I'm a bit curious as to why you removed  access by the system and admin
accounts to any of your resources - keep in mind that a local
Admin account can always take ownership of any local object regardless of
whether or not it has been granted implicit
or explicit access to the object, so you aren't really preventing these
accounts from gaining access.

I guess it might be of some use if you have auditing enabled and are auditing
all types of access to the objects in
question.

To really remove access from an Admin account you would have to take away the
Backup and Restore user rights,
which I really don't think you would want to do (for obvious reasons you can't
modify user rights for the System account).

 Hope this helps ......


Pete Tanenhaus, ADSM NT Client Development
---------------------- Forwarded by Pete Tanenhaus/San Jose/IBM on 10/13/98
3/98
02:13 PM ---------------------------


ADSM-L AT VM.MARIST DOT EDU on 10/13/98 07:13:25 AM
Please respond to ADSM-L AT VM.MARIST DOT EDU
To: ADSM-L AT VM.MARIST DOT EDU
cc:
Subject: Re: NTFS permissions


Thank you for your reply.

I understand how the local SYSTEM account works.  I am only backing up local
resources.  I know that by default, the SYSTEM account has FULL Control of
all local resources.  Our NT Admins have manually removed the SYSTEM and
Administrator's account from the NTFS permissions for all the user
directories.  My question is: how are my backups, and restores, still
working if they are not using the Administrator or the SYSTEM account?  I
think I'll do some testing using the Security Auditing.

Greg Heis
FedEx
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Problems with Qualstar TLS-46120, Leandro Carneiro Torres
Next by Date:  Re: Include-Exclude, Dan Curtis
Previous by Thread:  Re: NTFS permissions, Greg Heis
Next by Thread:  informix backup problem, Ivars Strazdins
Indexes:  [Date] [Thread] [Top] [All Lists]