Posted by BW on August 10, 2006, 6:41 am
Thank you for the thorough explanation of how this really works. I will test
these different scenarios in order to get a full understanding. Again,
thanks for the detail, much appreciated.
BW
"Roger Abell [MVP]" wrote:
> > Hi,
> >
> > I'm doing some practice for my MCSE exam and one question is:
> >
> > Have folder structure Marketing(shared as MRKT)\Summary\Reports. Users
> > should not be able to read, modify or add files in Marketing or Summary
> > folders, but need to have access to files in Reports folder.
> >
> > The answer was "traverse folder/execute files" was minimum perms required
> > on Marketing and Summary folders in order to let users get to Reports
> > folder.
> >
> > However with just these perms I get access denied, I needed to add "list
> > folder contents" perm in order to get it to work. Does this seem right or
> > should the traverse permission work on its own?
> >
>
> Welcome to the real world as compared to the exam prep writers' world.
> I applaud you for testing things, something so simple but so often not done
> by exam crammers.
>
> The "traverse folder/execute files" permission bit is alone insufficient if
> the question intends that the users should be able to browse with Explorer
> through the directory structure from top down to and then into the Reports
> folder. You did notice the other bits set when you have added a generic
> grant of "List folder contents", right? Notice that reading of permissions
> and of attributes is allowed? Notice that "List folder / read data" is
> allowed? It is this last that completes the enabling of access to Reports
> via browsing from top down with Explorer.
>
> Now, also notice that the generic List folder grant is set to apply to This
> folder and subfolders. From what you have said, the exam prep only
> said that "traverse folder/execute files" on the parental folders was the
> minimum needed, but did not say applied to "This folder only" for each
> of the two parental folders. Without that however, one has granted the
> ability to execute any files in the affected folders - which is clearly more
> than the required minimum permissions.
>
> Now, set up the structure as they have indicated and instead of browsing
> down in Explorer to the Reports folder, use cmd and cd to it. To do this
> conveniently you may want to make sure there is a folder above your
> Marketing folder.
> Just as with browsing in Explorer, where you could not navigate on down
> because you could not see the next lower level to click upon, with cd when
> you are at Marketing or Marketing\Summary you cannot see the next levels
> when you do a dir. However, knowing the path of the folder to which you
> need to go (i.e. cd) or into which you need to copy or which you need to
> list out, etc., i.e. Marketing\Summary\Reports, you can do that.
>
> This might be thought to illustrate that in a sense the question author is
> correct, that the permission bit for "traverse folder/execute files" is a
> minimum needed to allow accounts the desired access at the Reports
> subfolder.
> However, now go into the permissions of one of these parental folders and
> remove that grant of "traverse folder/execute files" and again try the
> exercise of cd and dir again, using an account that now has no grants on
> that parental folder. You will most likely see that nothing has changed.
>
> That is because of the User Right to Bypass traverse checking which (unless
> the machine has had this altered) is granted to all accounts.
> Apparently the question authors elected to overlook this aspect of their
> topic.
> In order to fully see the intent of the question writers you need to repeat
> this exercise using an account that does not have the Bypass traverse
> checking user right.
>
>
>
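
A lab setup for the experiment described in the quoted reply, as an added example that is not part of the original thread. The path `C:\Lab`, the group `LAB\ReportUsers`, and the choice of read and execute access on Reports are assumptions made for illustration.

```powershell
# Constructed lab values: the path and the group name are placeholders.
$root   = 'C:\Lab\Marketing'
$group  = 'LAB\ReportUsers'
$levels = $root, "$root\Summary", "$root\Summary\Reports"

New-Item -ItemType Directory -Path $levels[2] -Force | Out-Null

# Stop inheriting from above so that only the ACEs set here apply.
# *S-1-5-32-544 is BUILTIN\Administrators, *S-1-5-18 is SYSTEM.
foreach ($dir in $levels) {
    icacls $dir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)(F)' '*S-1-5-18:(OI)(CI)(F)' |
        Out-Null
}

# Parent folders: traverse only. With no (OI)/(CI) flags the ACE applies to
# "This folder only", so it does not grant execute on files further down.
icacls $root           /grant "${group}:(X)"
icacls "$root\Summary" /grant "${group}:(X)"

# Variant for top-down browsing in Explorer: the special permissions behind
# "List folder contents", still restricted to this folder only.
# icacls $root           /grant "${group}:(X,RD,RA,REA,RC)"
# icacls "$root\Summary" /grant "${group}:(X,RD,RA,REA,RC)"

# Reports: read and execute, inherited by subfolders and files.
icacls "$root\Summary\Reports" /grant "${group}:(OI)(CI)(RX)"

# Review the resulting ACLs on all three levels.
foreach ($dir in $levels) { icacls $dir }

# Run this part as the test account. SeChangeNotifyPrivilege is the
# "Bypass traverse checking" user right; while the account holds it, the (X)
# ACEs on the parent folders are not what lets it reach Reports.
if (whoami /priv | Select-String 'SeChangeNotifyPrivilege') {
    'Bypass traverse checking is present in this token.'
} else {
    'Bypass traverse checking is absent: traverse ACEs on parents now matter.'
}

# As the test account, with only (X) on the parents:
#   dir C:\Lab\Marketing                  -> access denied (no list right)
#   dir C:\Lab\Marketing\Summary\Reports  -> works when the full path is given
```

Removing the two `(X)` grants and repeating the `dir` test reproduces the second half of the experiment described in the reply.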