NTFS security pitfalls

I often find that administrators are diligent in setting NTFS security ACLS in folders shared out from a server, only to neglect the all too common entry "CREATOR OWNER:(OI)(CI)(IO)F".

So what's the consequence of this? Any user who creates a subfolder or file automatically gets "full control" of the object and could conceivably deny access to both administrators and the SYSTEM account, thus usurping the administrators authority and creating all kinds of trouble.

So, on any NTFS file system where I care about controlling who has access to what, one of the first things I run after installing the OS is:
cacls <DRIVE>:\ /T /E /R "CREATOR OWNER"

or other command / procedure that removes "CREATOR OWNER" from all access lists .

No comments: