WebDav Permissions for Operators groups

on 15.10.2007 11:27:20 by roman

I have a standalone Windows 2003 Server SP1 with IIS 6.0 and WebDav enabled
(an AD integrated server has the same behaviour).
A Folder on the server is mounted as Virtual Directory, which has the
following NTFS permissions:

User1: Read & Execute, List Folder Contents, Read
User2: Full Control (for administration)

User1 is member of the group Users

==> everything is working, the User1 has only read access through WebDav and
through Windows Explorer on the server.

Now my Problem:
I add the User to the "Backup Operators" group (the problem also exists if I
add the User1 to "Server Operators" or "Administrators" groups)

==> Through WebDav the User1 is now able to create Folders, delete Files and
Folders, through Windows Explorer (local at the server) the User1 has still
read only permissions.

Is the problem known?
Is a hotfix or a knowledge base article available for this problem? (I didn't
find anything.)
Is the problem solved with Service Pack 2?
Is a workaround available (except "remove the user from the group ...")?

Thanks!
Roman

Re: WebDav Permissions for Operators groups

on 17.10.2007 08:27:51 by Ken Schaefer

What are all the access control entries on that folder? Users cannot bypass
NTFS permissions (except when using backup APIs, and they have the "backup
system" security privilege).

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken


Re: WebDav Permissions for Operators groups

on 18.10.2007 12:30:46 by roman

But it seems that WebDav could bypass NTFS security, give it a try.
The ACEs I wrote in my initial post are the "complete list"; see below, where I
add the output of xcacls.

Roman

########################################################################

D:\Temp>XCACLS.vbs d:\Temp\Read
Starting XCACLS.VBS (Version: 5.2) Script at 18.10.2007 10:22:05

Startup directory:
"D:\Temp"

Arguments Used:
Filename = "d:\Temp\Read"

**************************************************************************
Directory: D:\Temp\Read

Permissions:
Type     Username         Permissions        Inheritance

Allowed  OITO01V\ladmin   Full Control       This Folder, Subfolde
Allowed  OITO01V\User1    Read and Execute   This Folder, Subfolde

No Auditing set

Owner: OITO01V\ladmin
**************************************************************************

Operation Complete
Elapsed Time: 0,53125 seconds.

Ending Script at 18.10.2007 10:22:06

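
One way to check for the exception Ken names, as an added example that is not part of the thread: the script lists accounts whose ACE on the folder grants no write or delete rights but which hold SeBackupPrivilege or SeRestorePrivilege, directly or through a local group. It assumes PowerShell 5.1 or later (for Get-LocalGroupMember), an elevated session, and the folder path from the XCACLS output; nested and domain group memberships are not expanded.

```powershell
# Added example (not from the thread). Run elevated on the server.
param([string]$Path = 'D:\Temp\Read')    # folder from the XCACLS output above

$sidType = [System.Security.Principal.SecurityIdentifier]

# 1. Export the user-rights assignment and collect every SID that holds the
#    backup or restore right, directly or as a direct member of a local group.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$holders = foreach ($line in Get-Content $inf) {
    if ($line -notmatch '^(SeBackupPrivilege|SeRestorePrivilege)\s*=\s*(.+)$') { continue }
    $priv = $Matches[1]
    foreach ($entry in $Matches[2].Split(',')) {
        $id = $entry.Trim()
        # secedit writes SIDs as *S-1-...; account names appear without the asterisk.
        if ($id.StartsWith('*')) {
            $sid = $id.TrimStart('*')
        } else {
            $sid = ([System.Security.Principal.NTAccount]$id).Translate($sidType).Value
        }
        [pscustomobject]@{ Sid = $sid; Privilege = $priv; Via = $id }
        # If the holder is a local group, its direct members hold the right too.
        Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Sid = $_.SID.Value; Privilege = $priv; Via = $id }
        }
    }
}
Remove-Item $inf

# 2. Walk the folder's DACL and report Allow ACEs without write/delete bits
#    whose trustee appears among the privilege holders.
$write = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'
foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
    if ($ace.AccessControlType -ne 'Allow' -or ($ace.FileSystemRights -band $write)) { continue }
    $aceSid = $ace.IdentityReference.Translate($sidType).Value
    $holders | Where-Object { $_.Sid -eq $aceSid } | ForEach-Object {
        [pscustomobject]@{ Account = $ace.IdentityReference; AclRights = $ace.FileSystemRights
                           Privilege = $_.Privilege; HeldVia = $_.Via }
    }
}
```

Each output row is an account for which the folder's DACL alone does not describe the access obtainable through backup or restore semantics.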