Vista - Please help with this NTFS question...

This is a question from my book that me my friend and I are struggling with.



A user is assigned Read permission to the NTFS folder C:\ACCOUNTING. They require full access to C:\ACCOUNTING\FORMS. This can be accomplished by:

A) not possible

B) blocking permission inheritance at C:\ACCOUNTING\FORMS and assigning the user Full control to C:\ACCOUNTING\FORMS

C) assigning the user Full control to C:\ACCOUNTING

D) blocking permission inheritance at C:\ACCOUNTING and assigning the user Full control to C:\ACCOUNTING\FORMS

E) assigning the user Full control to C:\ACCOUNTING\FORMS



My friend believes the answer is E. I believe that may give you the same end result that you are looking for, but that would be assuming that the Full Control permission would override the Read permission (which may be true, but our book doesn't specifically state anything like that).

I personally believe the answer is B because when you deny the permission inheritance, it will (as stated in the book) prompt you to clarify whether the permissions should be copied or just removed entirely. Then you can clarify what permission the C:\ACCOUNTING\FORMS folder should have.



His reasoning is (I think this is crap by the way) that the book wants us to go the "shortest" route possible, similar to computer programming. The analogy he used was that when you are writing a program you try to write the program as small and use as few steps as possible in order to make the program as efficient as possible and that is the same with this question and that is why E is right.

My reasoning is that the book explains permissions as though you should remove the inheritance from the folder then assign the permission the way you want the person to have them. Period.

Please help us figure this out. We have a mid-term Wednesday (in 2 days) and I'm beginning to get confused. TIA

On Mon, 12 Oct 2009 20:50:43 -0500, LTCstudent
<guest@newsgroup-email.com> wrote:

My final answer is:

Does the book actually refer to both the singular "user" and "they" as
equivalent entities?
(okay - it's not an English studies book)

I think the answer expected is *B)* - you break the inheritance of the
parent/child directory relationship and set the desired permissions on
the child. Using *D)* you will have blocked inheritance to
C:\ACCOUNTING\<all children> as well as the "FORMS" child directory.

Get an XP machine and use the help system's search function to search
for "inheritance".

"LTCstudent" <guest@newsgroup-email.com> wrote in message
news:627c6cdb4de536a21b0dd78ba14e70da@newsgroup-gateway.com...

"LTCstudent" <guest@newsgroup-email.com> wrote in message
news:627c6cdb4de536a21b0dd78ba14e70da@newsgroup-gateway.com...
I picked E)


User only has read access to ACCOUNTING, so blocking inherited rights is
pointless since you're giving the user full access to the sub-directory
FORMS.

Now, if you wanted the user to have full access to ACCOUNTING and limited
access to FORMS, then you would want to block inherited rights and set
permission accordingly, like read access.

B) would accomplish the same results, but it has an unnecessary step and
therefore not the best answer.

E

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"LTCstudent" <guest@newsgroup-email.com> wrote in message
news:627c6cdb4de536a21b0dd78ba14e70da@newsgroup-gateway.com...

Ok... When I checked the forum for responses to my question this morning before school, I had 2 responses: One saying the answer was E and the other saying the answer was B. That kind of sucked, but I wasn't worried because I figured I would just ask one of the teachers at school.

Well, I asked Teacher #1 who is really knowledgeable about Server and permissions (he teaches Server, Exchange, etc at the school) and he said the answer was B. But then I mentioned it to Teacher #2 (who actually teaches the class where this question arose) and he said the answer was E. I guess 'street smarts' would say just go with the teacher who is teaching the class and be done with it, but i really want to understand this stuff.

So now I've returned from school and it looks like the consensus on this forum is that the correct answer is E which is fine. BUT Teacher #1 made a convincing point to me. He stated that the only permission assigned to a folder (c:\accounting\forms) that can override the inheritance permission is the 'Deny' permission unless you block the permission inheritance.

If the answer is E that would mean that 'Full Control' can also override the 'Read' permission. I'm assuming you guys say this because assigning 'Full Control' permission is giving the user more control therefore it will take precedence?


I don't know. I'm not trying to aggravate anyone here and I'm not trying to insult anyone's knowledge in NTFS security, I'm just trying to understand why the answer is E and not B and why there are so many professionals giving different answers. Thanks again.

On Tue, 13 Oct 2009 17:31:16 -0500, LTCstudent
<guest@newsgroup-email.com> wrote:

Both methods would work but why bother with B when E will suffice?

"LTCstudent" <guest@newsgroup-email.com> wrote in message
news:c1c924a6bfa9e0a128bfe6dc42a6bccf@newsgroup-gateway.com...OK, now you're just trying to come up with a scenario where answer B might
work better and misinterpreted what Teacher #1 is saying to fit your
argument.

There's three states of access control.

Expressly granted access
If your name is on the guest list you get in.
The host knows you and you been invited.

No access permission granted
Your name is not on the guest list, you are not getting in.
The host does not know you and you're not invited in.

Expressly denied access
You name appears on list of people forbidden to enter, you're not getting
in.
The host knows you and told the guards to keep you out.


It seems to me, you're confusing "No access permission granted" with
"Expressly denied access." In the original scenario, it does not mention
"deny" at all. Not being granted access is not the same as expressly denied
access, although the net result is the same.

If you are expressly denied access to the party, but want to use the
port-a-potty outback and the guard at the port-a-potty is told to let you
use it, you can. In this case, Teacher
#1 is wrong. Block permission inheritance doesn't do any good here.
Expressly granted permission overrides denied inherited permission. As long
as you bypass the party and go directly to the port-a-potty.

Using the Command Prompt, you can CD (change directory) to
/Party/Port-a-Potty, but you can't CD to /Party.


Only "Expressly granted access" will get you in. "No permissions granted"
means you aren't granted access and "Expressly denied access" means you are
denied access by name. The latter two denies you permission.

Block permission inheritance is used when you want the subfolder to have
tighter restrictions than the parent folder. You want to grant full access
to ACCOUNTING, but only READ access to FORMS. So you use block permission
inheritance so the user doesn't get full access to FORMS, because they
inherited full access from ACCOUNTING.

I strongly disagree with the usage of "override".

It's a logical AND, you have Read access AND Full Control, net permission
access is Full Control. Now, if you had inherited Expressly denied read
access and receive Full access control THEN that would override the
inherited expressly denied read access.

Blocking permission inheritance so the user doesn't get Read access makes no
sense if the net permission access is going to be Full Control. It doesn't
hurt, but it's a pointless gesture.

You want to block permission inheritance if you want to limit the access to
subfolders. It resets the access permissions, so you start with no access
granted. Then access permissions are added from there, rather than
inherited from the parent.


Well, I haven't seen anyone pick B and you misinterpreted Teacher #1 and he
is also wrong about usage of block permission inheritance.


I would stick with what Teacher #2 says, he seems to know what he is talking
about. He IS the one teaching the class and you can do your own tests to
verify what he says is true.

But that's just my opinion.

Thanks to your post, I had to do some investigating and I ended up learning
a thing or two about NTFS security.

"Tae Song" <tae_song@newsgroup> wrote in message
news:406C5B33-706A-4168-9109-3CC68139303E@newsgroupWhat I said was that I thought the "expected answer" was *B*, not that
it was the *right* answer. Often what is taught in schools is not
*right*. My thinking was that the teacher may be stressing a point to be
considered during your current level of understanding. I didn't like any
of the choices given. I thought (and it might be stressed later on) that
creating a group with the desired permissions and placing that *user* in
that group would be best (occam's razor be damned) for manageability.
Then, is the user's need to have full access truly correct - does he or
she *need* "take ownership" or "change permissions" - perhaps "modify"
rights would be sufficient (least privilege). Is it really desired that
some permissions for that subfolder be contingent upon whatever changes
to the parent folder are made in the future? If so, you would want
inheritance to remain intact.
They probably stress "Occam's razor" and have the simplest solution
being the *correct* solution.

Can you forsee the mess created by adding more individual users and and
their desired permissions by explicit deny or allow on an object? When
(and if) there comes a time to rescind access, will you be able to keep
track of who has access to what?
Teacher two (teaching the class in question) will give you the *correct*
answer for that class, so go with it.
He is wrong. A specific allow will take precedence over an inherited
deny.

The first check (after any Mandatory Label check) is the first ACE entry
which "should be" the explicit deny, then the explicit allow, then the
inherited deny, then the inherited allow (followed by grandparent
inheritance etcetera as required).
If teacher #1 really said that specific allow won't take precendence
over inherited deny, I think he is wrong.

If *both* an allow and a deny appear at the same tier, the deny will
take precedence however.
Please mister bouncer, check your *other* list if no specific deny or
allow is found on *this* list.

(I'm in the "bartender" and "firewatch" groups - so if you want drinks
and fire extinguishers at the ready....)

[...]

Thanks for the feedback and the microscopic details I asked for. I don't really care which answer was correct, but B seemed more thorough so I was convinced it was correct and was confused as to why someone would just do E.

If it is possible to have a NTFS permission (that is directly assigned) override the inherited permission... then so be it. It just didn't "feel" right to me and the book didn't specifically state it. But like I said... thanks guys for clarifying it.