NT4 & W2K File Permission Incompatibilities; Is Microsoft Premier Support Needed? Andrea Chan for SLAC Windows Infrastructure Group HEPNT 2001, Berkeley

Post on 21-Dec-2015

219 views

Category:

Documents


1 download

TRANSCRIPT

Page 1: NT4 & W2K File Permission Incompatibilities; Is Microsoft Premier Support Needed? Andrea Chan for SLAC Windows Infrastructure Group HEPNT 2001, Berkeley

NT4 & W2K File Permission Incompatibilities;

Is Microsoft Premier Support Needed?

Andrea Chan for

SLAC Windows Infrastructure Group

HEPNT 2001, Berkeley

Page 2

File Permission Problem #1

Bug found on the W2K file system where a user can end up with an Access Control List (ACL) that denies him access (or has other unintended effects) while performing valid permission changes.

This bug was found while we were testing an ACL editing script (work done by Matt Campbell and Bobby Tait, reproduced by Microsoft).

Page 3

C:\Test
(Inheritance from parent disabled, permissions set as below, propagated to child objects)

– ‘Administrators: Full Control’ (This folder, subfolders and files)

– ‘Authenticated Users: Read and Execute’ (This folder only)

Page 4

Permissions at this level are set differently from the level above (similar to user home directories)

C:\Test\Files
(Inheritance from parent disabled, permissions set as below, propagated to child objects)

– ‘Administrators: Full Control’ (This folder, subfolders and files)

– ‘TEST\user: Full Control’ (This folder, subfolders and files)

Page 5

Logged on to user account

Using Explorer ‘Security’ tab, set permissions on C:\Test\Files

Change was made to add ‘Authenticated Users: Read & Execute’

On ‘Advanced’ tab, selected ‘Reset permissions on all child objects and enable propagation of inheritable permissions’

Page 6

[Screenshot: the option selected on the previous slide, shown enabled]

Page 7

Pressed OK or Apply

Security dialog box appeared: ‘Unable to save permission changes on Files. Access is denied’.

Page 8

Clicked on Files folder in Explorer, access was denied.

In Properties, the ‘Security’ tab was no longer present.

Page 9

Logged on as administrator

Permissions were seen as inheriting from parent; ‘Administrators: Full Control’ was the only entry.

‘User: Full Control’ was gone, user was denied access.

Page 10

Summary of Problem #1

Set of conditions under which the bug occurs:

– Using Explorer ‘Security’ tab (NT4 or W2K)

– User did not have permission further up the directory tree

– For the directory being changed, user had ‘Full Control’, inheritance from parents was disabled

– When permission was changed, ‘Reset permissions on all child objects and enable propagation of inheritable permissions’ was enabled

Page 11

Summary of Problem #1 – cont’d

Symptoms look like the ‘Security’ tab GUI changes permissions by deleting the explicit ACL, then writing a new one (rather than editing)

When the ACL was deleted:

– The directory in question momentarily inherited permissions that were different from the parent directory

– At this point, the user who initiated the ACL change no longer had permissions to write the new ACL

– Therefore, the user ended up being denied access

Page 12

Summary of Problem #1 – cont’d

Conditions where bug occurred were normal for enterprise computing (i.e., different levels of directory tree had different permissions)

Different outcomes occur depending on permissions inherited from directory above during the change

Problem type #1 – Denial of Service

– ‘Access denied’ if permissions inherited were more restrictive

– ‘Empty ACL’ if parent directory was root of a share

Problem type #2 – Even when ACL change is successful, Security Vulnerability results if momentarily inherited permissions from parents were of higher privileges
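The sequence on slides 3 to 12, as an added model (not code from the talk or from SLAC): the delete-then-write ACL update the slides infer for the ‘Security’ tab, next to an edit-in-place update, both run by TEST\user over a constructed copy of the C:\Test tree from slides 3 and 4. The rights constants, the Ace and Folder classes and the allow-only access check are simplifications assumed for the model; it covers problem type #1 (the more restrictive parent).

```python
from dataclasses import dataclass, field
READ, WRITE_DAC = 0x1, 0x4            # constructed rights; WRITE_DAC = may change the ACL
FULL = READ | WRITE_DAC

@dataclass
class Ace:
    trustee: str
    mask: int
    propagates: bool = True           # False models "This folder only"

@dataclass
class Folder:
    explicit: list = field(default_factory=list)
    inherit_from_parent: bool = True
    parent: "Folder | None" = None

    def effective_aces(self):         # explicit ACEs plus what propagates from the parent
        aces = list(self.explicit)
        if self.inherit_from_parent and self.parent is not None:
            aces += [a for a in self.parent.effective_aces() if a.propagates]
        return aces

def allowed(folder, groups, right):   # allow-only model of the access check
    return any(a.trustee in groups and a.mask & right for a in folder.effective_aces())

def set_acl_delete_then_write(folder, groups, new_aces):
    # Behaviour inferred on slide 11: drop the explicit ACL, so the folder momentarily
    # inherits from its parent, then write the new ACL under that transient ACL.
    folder.explicit, folder.inherit_from_parent = [], True
    if not allowed(folder, groups, WRITE_DAC):
        return False                  # never written: the folder keeps the parent's ACL
    folder.explicit, folder.inherit_from_parent = list(new_aces), False
    return True

def set_acl_edit_in_place(folder, groups, new_aces):
    # Check WRITE_DAC against the ACL actually in force, then replace it atomically.
    if not allowed(folder, groups, WRITE_DAC):
        return False
    folder.explicit, folder.inherit_from_parent = list(new_aces), False
    return True

def build_tree():                     # C:\Test and C:\Test\Files as on slides 3 and 4
    test = Folder([Ace("Administrators", FULL),
                   Ace("Authenticated Users", READ, propagates=False)], False)
    return Folder([Ace("Administrators", FULL), Ace("TEST\\user", FULL)], False, test)

def reproduce(setter):                # slide 5's change, made by TEST\user
    files, user = build_tree(), {"TEST\\user", "Authenticated Users"}
    ok = setter(files, user, files.explicit + [Ace("Authenticated Users", READ)])
    return ok, allowed(files, user, READ), sorted(a.trustee for a in files.effective_aces())
```

With the delete-then-write setter the change fails and only the parent's ‘Administrators’ entry remains, which is the outcome on slides 7 to 9; the edit-in-place setter keeps the user's access.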

Page 13

Summary of Problem #1 – cont’d

W2K SP2 does not fix this bug

Working with Microsoft (under Premier Support) to get fixes, currently testing fix for problem type #1

– Microsoft test matrix did not include this combination of permissions and inheritance for problem type #1, they have now included it

– Windows XP GUI does not have this problem (according to Microsoft tests)

Microsoft working on fix for problem type #2

Page 14

File Permission Problem #2

W2K client can set finer granularity in NT4 file system (e.g., deny someone some kind of access)

NT4 file system can implement the deny access

From an NT4 client, the Explorer ‘Security’ tab cannot display this deny granularity

NT4 security dialog box asks ‘Do you want to overwrite the current security information? Y/N’

– ‘No’ will forego trying to display permissions from the NT4 client and exit

– ‘Yes’ will reset the ACL’s in this directory tree, losing all existing permissions

Page 15

File Permission Problem #2–cont’d

Q287024, also cited in Mark Minasi ‘Windows 2000 Newsletter Number 17’ September 2001

Fix is to install the Security Configuration Manager on a Windows NT 4.0-based computer, the Windows 2000-style editor then replaces the existing editor

Page 16

File Permission Problem #3

3rd problem arises because in W2K ACL’s:

– Inheritance sets an Implicit Access Control Entry (ACE); this did not exist in NT4

– Explicit ACE is explicitly set by user

– Explicit ACE has to be listed before implicit ACE

CACLS and SUBINACL do not order ACEs properly in W2K file system

W2K file system can possibly reject such an ACL as invalid (Q268546, Q296865)

CACLS fixed in W2K SP2
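An added illustration of the ordering rule on this slide (not code from the talk or from Microsoft's tools): a model of a tool that appends new explicit ACEs to the end of the list, as the slide says pre-SP2 CACLS and SUBINACL do, next to one that restores canonical order before writing, and a check that rejects a mis-ordered DACL. It goes one step beyond the slide by also ordering deny before allow within each group, the rest of the documented W2K canonical order; the sample DACL and the rank/naive_grant/ordered_grant/write_dacl names are constructed.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Ace:
    trustee: str
    access: str               # "allow" or "deny"
    rights: str               # "F" (full), "R" (read) ... as CACLS prints them
    inherited: bool = False   # True: came from inheritance ("implicit ACE" on slide 16)

def rank(ace):
    # Canonical W2K DACL order: explicit deny, explicit allow, inherited deny, inherited
    # allow. Slide 16 states the explicit-before-inherited part; deny-before-allow within
    # each group is the rest of the documented rule (assumed here, not on the slides).
    return (ace.inherited, ace.access != "deny")

def is_canonical(acl):
    return all(rank(a) <= rank(b) for a, b in zip(acl, acl[1:]))

def canonicalize(acl):
    return sorted(acl, key=rank)     # stable sort keeps the order inside each group

def naive_grant(acl, trustee, rights, access="allow"):
    # Tool that appends the new explicit ACE to the end of the list: what slide 16
    # attributes to pre-SP2 CACLS and to SUBINACL.
    return list(acl) + [Ace(trustee, access, rights)]

def ordered_grant(acl, trustee, rights, access="allow"):
    # Corrected tool: add the ACE, then restore canonical order before writing.
    return canonicalize(naive_grant(acl, trustee, rights, access))

def write_dacl(acl):
    # Models the file system rejecting a mis-ordered DACL as invalid.
    if not is_canonical(acl):
        raise ValueError("non-canonical DACL: explicit ACE listed after inherited ACE")
    return acl

def accepted(acl):
    try:
        write_dacl(acl)
        return True
    except ValueError:
        return False

# Constructed DACL of a file under C:\Test\Files: both ACEs inherited from the slide-4 folder.
SAMPLE = [Ace("Administrators", "allow", "F", inherited=True),
          Ace("TEST\\user", "allow", "F", inherited=True)]

def demo():
    naive = naive_grant(SAMPLE, "Authenticated Users", "R")
    fixed = ordered_grant(naive, "Guests", "F", "deny")   # explicit deny on top of it
    return accepted(naive), accepted(fixed), [(a.trustee, a.access) for a in fixed]
```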

Page 17

Other incompatibilities affecting file services

NT4 DFS versus W2K DFS

Aliasing

NT4 SMB signing versus W2K SMB signing

Page 18

Summary – File Permissions

Incompatibilities between NT4 and W2K, and bugs in W2K file permissions, can produce invalid ACL’s

W2K inheritance adds to the complexity

Further caution and testing are needed prior to any global changes on W2K file permissions

If system administrators have such problems changing permissions, think what this means for users themselves

Page 19

Is Microsoft Premier Support Needed?

SLAC shares with Stanford University a dedicated Microsoft Technical Account Manager (TAM)

– Our share is 25%

TAM is one point-of-contact, and most importantly, the TAM acts as an advocate for SLAC inside Microsoft

TAM coordinates technical consulting, escalation management, supportability reviews, site visits

TAM coordinates key resources inside Microsoft and partner vendors for SLAC problems

Page 20

Microsoft Premier Support – cont’d

Contrast with Microsoft Premium Support, where previously:

– We purchased 10 calls to the 1-800 Tech Support phone number

– During trouble calls, Tech Support read a recipe to us for weeks before escalating to those who can debug and fix the code

TAM makes sure that Microsoft resources give our problems priority to debug or deliver the fixes (e.g., fix for Exchange Store memory leak, fix for W2K permissions bug)

TAM finds correct level of resource within Microsoft for our critical services (such as Exchange, file permissions)

Page 21

Summary – Microsoft Premier Support

Annual cost pays for:

– TAM’s time

– 20 Premier Support calls (24 x 7 coverage)

– Resources that TAM pulls in to solve trouble calls and research questions (often outside of Premier Support calls)

SLAC experience recommends using this service for mission critical Microsoft services

We want other critical PC vendors to live up to this type of TAM and Premier Support model