I am having a weird issue that didn't used to happen. Perhaps windows update causes this?
We have an E drive partition created and I created a directory:
Test1
I shared it with administrators and everyone. Administrators have full access while everyone group only has read permissions but this folder only. I added a permission to allow full control to this folder and subfolder's and files to it and assigned it to domain admins. My jadmin#domain.local account is added to this group
I checked the security on the folder and the same permissions exist.
I created a directory within Test1 and called it New Folder, disabled inheritance and made sure explicit permissions for domain admins full control to all dir and subdir and files are added.
When i attempt to open this folder, i get a message:
"You don't currently have permission to access this folder. Click Continue to permanently get access to this folder".
When I Push Continue then an explicit permission for my user gets added to that folder. I am trying to prevent that from happening. If domain admins(my user added to this group) is added with full control. Why does this warning pop up and require my user to explicitly be added. How to prevent this from occurring?
I was expecting to be able to access the new folder directory without any warning and an explicit permission to be added
Check if you can access it with an elevated CMD.
Folders wich are protected for builtin administrators groups are supposed to be security relevant. These users should also not be used to administrate on server systems.
Increase security by creating a seperate admin group and dedicated permissions.
Alternatives are using a progam that can be started elevated, Like CMD, PowerShell, totalCommander, winscp (local part) and many more.
You could also administrate remote. That should remove the problem.
Another way would be to add "Interactive Logon" group to all of your permissions where you need to access.
Disabling UAC or removing administrators from the security settings is the least that I would suggest.
Related
Our application uses a shared directory to store files that are 'checked out', modified via our application, and then 'checked in' to a shared directory, which is being accessed via SMB (The environment is hosted on a set of AWS servers, and our end-users access it via Citrix).
All users have read, write, etc. permissions for the shared directory.
We've recently changed the architecture of the application a bit. Previously, each user had his/her own subdirectory in the shared directory where the checked in/checked out file was stored.
In the new architecture, the individual subdirectories aren't used, so that all files checked in by users are stored directly into the shared directory. Users are then allowed to checkout/checkin any file in the shared directory.
The checkout process involves doing a File.Copy of the library version of the file to the user's local, non-shared directory. The user then uses our application to make changes to the file, which is then saved locally and File.Copy'd back into the shared directory.
Except that in the new architecture, the 'checkout' operation fails when User 2 attempts to checkout a file that was originally checked in by User1. As near as we can tell, this is because when, for example, User 1 checks a file in to the shared directory, the file implicitly receives a security entry for his specific AD login. A subsequent File.Copy operation by User 2 gets a permission error. If a full admin for the host system removes the security entry for User 1, then the File.Copy from the shared directory to User 2's local directory works fine.
Note that both users are assigned to a group with read, write, modify, etc to the shared directory (but not 'full control').
This doesn't seem like that unusual of a situation. We haven't (yet) tried to see if the application can programmatically remove the security entry created on the checkin - even assuming that's possible, it would be nice not to have to resort to that. But we've not found any arrangement of security settings that works.
Any information or suggestions will be appreciated.
Thanks...
As requested:
\\citrixfile01\Shares\clients\002\library
ALIGHTENT\002.EightTwoConversion:(I)(OI)(CI)(M)
NT AUTHORITY\LOCAL SERVICE:(I)(OI)(CI)(RX)
S-1-5-21-3973462947-2300097736-545649627-500:(I)(OI)(CI)(F)
ALIGHTENT\citrix:(I)(OI)(CI)(F)
ALIGHTENT\alightcalc:(I)(OI)(CI)(M)
ALIGHTENT\Domain Admins:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
\\citrixfile01\Shares\clients\002\library\AML_AmPac_8.2.amox
ALIGHTENT\002.Admin1:(I)(M)
ALIGHTENT\citrix:(I)(F)
ALIGHTENT\AEAdmin2:(I)(M)
ALIGHTENT\Domain Admins:(I)(F)
BUILTIN\Administrators:(I)(F)
When a file is moved, Windows does not update the ACL to add or remove inherited permissions. This is presumably for backwards-compatibility reasons; the permissions model looked somewhat different in the earliest versions of Windows NT.
Your options are to copy the file instead of moving it, or to explicitly reset the permissions after the file has been moved.
If you want to explicitly reset the permissions, you can do this using File.SetAccessControl. To apply the inherited permissions for the new location, the FileSecurity object should contain an empty ACL and the AreAccessRulesProtected property should be false.
I'm using Active Directory and belong to specified group. (Not an Administrator.)
I have made folder in my 'C:' and then trying to share to another group users.
But I can't. Just i can get the warning message that '~Access denied~. You did not make shared resources.'.
Is there way to take care of this problem?
Thank you~!
Sharing of resources might have been blocked by your Administrator, either get your self added in power users group / asked them to share folder for you.
If you have Administrator Access - login with that and try. other wise less privileged user can not share the resources.
I'm developing a site on an XAMPP localhost on a Mac. I manipulate my mySQL database via phpMyAdmin (not comfortable with the command line).
Everything works fine (I know, right!).
2 things have got me worried for when I eventually move my site to a real online live server.
First the background:
1) I am using a CMS/Framework type thing. When trying to install it (in the htdocs folder), I found that I needed to write-enable some folder or the other (FileSystem permissions in Finder). So I write-enabled all the folders contained in the mother folder. Mac's have 3 default types of users (right-click a folder in Finder and choose info). They are "Me", "admin" and "everyone". I right-clicked the mother folder (in Finder), selected "Read&Write" for all 3 types of users, and chose "Apply to enclosed items." And the installation worked out fine.
2) I am able to come and go as I please into phpMyAdmin to directly manipulate my database. I presume phpMyAdmin recognizes me as Root. I do not have a password for Root. I do have a separate user created with a password (let's call the user "specificdbuser") and I use "specificdbuser" to connect to the database from within my site's PHP code.
My concerns regarding 1 & 2 are:
1) I'm presuming that enabling Read&Write permissions for all 3 types of users, and in particular for all folders and items within the mother folder, is a security risk. Is there a better way? (a) How do I figure out which folders need to be writeable so that I only make those writeable instead of making everything writeable?, and (b) Instead of giving Read&Write permissions to the 3 default Mac user types, should I instead be creating some new type of user (Root? specificdbuser?) and only give that user permission to Read&Write permissions? As this is a website, do I need to give "everyone" permission to Read&Write? What the heck does "everyone" mean anyway?
2) Let's say I eventually set up my database's Root account with a password. When I eventually migrate my localhost site to a real live online server, will this Root / password combination work on that site too?
I'm kind of confused, are you talking about FileSystem permissions or MySQL Database permission? If it is a FileSystem question, then please check the web service user that runs your PHP scripts. If it's a database permission, then please refer to #2 answer.
I would say, for security reason never use the "root" when connecting to your database. I would suggest you setup the same user name/password/permissions on your local and in server. But if that doesn't make sense you can have a config file that says if "localhost" then db_user = blah_blah, else if server side db_user = blah.
I'm using Apache 2 to run my localhost on Mac (Mavericks), and every time I add a file or a folder in the default directory /Library/WebServer/Documents (and its subdirectories) the system asks me to authenticate:
This is a problem specially when using frameworks like Symfony or Zend Framework because they can't have writing access to folders. What can I do to solve this?
Mac/Linux grants access on different levels:
Per user
Per group
Per everybody
The folder Library/WebServer/Documents outside of the logged-in user paradigm (you) therefore write access (and other access like execute) is only granted to the administrator of the computer (or so-called root) which isn't you however on most Mac environment the password of root is your password (different users with the same password).
You will want to modify Apache2 configuration and change the directory to a folder located within your user's directory which is something like /Users/{whatever is your username} (you will probably need to create the folder).
Once, you moved the content of /Library/WebServer/Documents into the new folder, make sure the permission are set properly. Refer to the following documentation at the chapter "How to Modify Permissions with the Info Window".
The reason why your Mac is asking for permissions to write files outside of your user's directory is for security reasons. Imagine if you download a file, execute it and grant access (by giving the root password) then the file could potentially be a virus and erase or do all kind of things on your computer.
Some of my windows registry permissions have been changed.It denies access to services like SQL Server. What is the issue here and how can it be resolved? Moreover I am able to login only in safe mode.
You can change permissions using regedit.exe. Try clicking on a registry key and choosing the "Permissions" option. On my computer the permissions are set in the following way:
the System group and the Administrators group - full control
the Restricted group - read
the Everyone group - read (on branches like HKEY_LOCAL_MACHINE)