How to disable the SeTakeOwnershipPrivilege privilege?

Hi, all
Our users have a requirement to log in to the system with Administrator
authentication, but they don’t want the users who log in to the system with
Administrator authentication to delete the files in our distributed file
system. So we enabled the ACL on our distributed file system. But there was
a problem. Our distributed file system is implemented as a local file system
by redirecting the requests to the server. So if logged in as Administrator,
the user has SeTakeOwnershipPrivilege, then he can modify the ownership of a
file to local Administrators and do any operation he can to the file. My
goal is to disable the SeTakeOwnershipPrivilege when the user accesses the
file on our distributed file system. I have tried to disable the
SeTakeOwnershipPrivilege in the following way, but it seems useless.
1. Get the access token by SeQuerySubjectContextToken
2. Query the privilege information by SeQueryInformationToken
3. For every privilege in the privilege set, check whether it is
SeTakeOwnershipPrivilege; if yes, then set its attribute to
SE_PRIVILEGE_REMOVED

Just hope someone can give me a clue. Thanks in advance.

Ted Chang

You could eventually remove the TakeOwnership privilege
from the privileges granted to the Administrator account.
You can do that in the global policy editor. Depends
on what your requirements are.

L.

Thanks, Ladislav. But if the local admin gives himself the
SeTakeOwnershipPrivilege by the group policy edit tool, then he can take
ownership of the file again. So I’m trying to disable this behavior from the
file system layer. So far I haven’t found a way to modify the privileges in
the access token. Or am I going in the wrong direction?

Ted Chang

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ladislav Zezula
Sent: Thursday, May 12, 2011 2:11 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] How to disable the SeTakeOwnershipPrivilege privilege?

You could eventually remove the TakeOwnership privilege
from the privileges granted to the Administrator account.
You can do that in the global policy editor. Depends
on what your requirements are.

L.



“Ted Chang” wrote in message news:xxxxx@ntfsd…

Thanks, Ladislav. But if the local admin gives himself the
SeTakeOwnershipPrivilege by the group policy edit tool, then he can take
ownership of the file again. So I’m trying to disable this behavior from
the file system layer.

And what prevents the admin from disabling your filter and taking the
privilege back?

When it comes to privileges, the file system is really only ever in charge
of checking them. The Security Reference Monitor is the one responsible for
enforcing the policy of who gets what privileges and I don’t know of any
support for a “filter” in that activity.

That’s not to say that it can’t be done, but the architected solution for
this is using the standard security policy tools. If those don’t fit into
your design then you’re probably on your own.

Have you looked at filtering the IRP_MJ_SET_SECURITY request? I don’t
generally agree with this sort of thing (if the admin has the privilege they
should be allowed to do what they want), but that would let you prevent the
changing of the DACL on the object.

-scott


Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com
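
The IRP_MJ_SET_SECURITY filtering suggested in the last reply, written as a minifilter pre-operation callback. This is an added example, not code from the thread or from OSR. The names `PreSetSecurity`, `SetSecurityIsBlocked`, `Callbacks` and the build macro `BUILD_AS_MINIFILTER` are hypothetical, and letting kernel-mode requestors through is an assumption.

```c
/* Added example: deny owner/DACL changes in a minifilter pre-op callback. */
#ifdef BUILD_AS_MINIFILTER            /* hypothetical macro, set in the WDK project */
#include <fltKernel.h>
#else                                 /* stand-ins so the policy check builds off-target */
typedef unsigned long SECURITY_INFORMATION;
#define OWNER_SECURITY_INFORMATION 0x00000001UL
#define GROUP_SECURITY_INFORMATION 0x00000002UL
#define DACL_SECURITY_INFORMATION  0x00000004UL
#define SACL_SECURITY_INFORMATION  0x00000008UL
#endif

/* Parts of the security descriptor this filter refuses to let user mode change. */
#define BLOCKED_SECURITY_INFO \
    (OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION)

/* Returns nonzero when the request must be failed. Kernel-mode callers pass. */
static int SetSecurityIsBlocked(SECURITY_INFORMATION info, int fromKernelMode)
{
    if (fromKernelMode)
        return 0;
    return (info & BLOCKED_SECURITY_INFO) != 0;
}

#ifdef BUILD_AS_MINIFILTER
/* Pre-operation callback registered for IRP_MJ_SET_SECURITY. */
FLT_PREOP_CALLBACK_STATUS
PreSetSecurity(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects,
               PVOID *CompletionContext)
{
    SECURITY_INFORMATION info =
        Data->Iopb->Parameters.SetSecurity.SecurityInformation;

    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);

    if (SetSecurityIsBlocked(info, Data->RequestorMode == KernelMode)) {
        /* Complete the request here; it never reaches the file system. */
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        Data->IoStatus.Information = 0;
        return FLT_PREOP_COMPLETE;
    }
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

/* Goes in FLT_REGISTRATION.OperationRegistration. */
const FLT_OPERATION_REGISTRATION Callbacks[] = {
    { IRP_MJ_SET_SECURITY, 0, PreSetSecurity, NULL },
    { IRP_MJ_OPERATION_END }
};
#endif
```

This refuses the owner and DACL writes on the filtered volume; the caller's token still holds SeTakeOwnershipPrivilege.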