Preventing file permission changes

Is there a way to prevent the owner/creator of a file from modifying the file permissions? I'd like to maintain the inherited permissions from the folder in which it is created.
Asked by gamagldba
3 Solutions
 
slam69 Commented:
If you deny CREATOR OWNER Full Control under your inherited permissions, does that work?
 
KCTS Commented:
You can remove the Security tab to stop the owner/creator modifying permissions - see http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_234741
 
gamagldba (Author) Commented:
I've removed CREATOR OWNER and added the specific account with limited permissions. I tried not allowing Change Permissions and also tried denying Change Permissions, and neither has worked. When the account (the SQL 2005 service account writing trace files) creates the file, it removes all permissions (except admin) and has Full Control.
 
KCTS Commented:
If you remove the Security tab then they can't modify permissions!
 
slam69 Commented:
Apologies, this is a little different: you cannot alter the permissions of the SQL Server service account trace files; by definition the account needs full access to them. However, the SQL Server service account should never be logged into by a user, so you should never see any problems arise.
 
Toni Uranjek (Consultant/Trainer) Commented:
These suggestions are all workarounds, which can be easily bypassed. The owner always has the Change Permissions permission even if you set an explicit Full Control Deny on the file/folder.
 
slam69 Commented:
Please be advised this scenario being described is not standard in the slightest; it relates to the SQL Server service account and should not be confused with anything to do with normal permissioning!!
 
KCTS Commented:
... NOT if you remove the Security tab with a Group Policy...
 
gamagldba (Author) Commented:
The service account is writing to a centralized location where I'm collecting trace files from many servers. I then need to read those files using another account - this is where I have the permissioning issue. I'm trying to avoid making this "reading" account an administrator.
 
slam69 Commented:
The creator owner of these files is a service account that isn't logged into, so the modification of permissions on these files is irrelevant other than the fact that the user wants to read them with a non-admin account; to do that you need to add regular user read/write.
 
gamagldba (Author) Commented:
I've added the "reading" account to the folder where the file is being written and given permissions to this account. When the file is created by the SQL service account it removes any folder permissions and substitutes its own permissions.
Will the suggestion to remove the Security tab prevent programmatic permission changes?
 
Toni Uranjek (Consultant/Trainer) Commented:
If you remove the Security tab with a GPO, you can't change permissions from the command prompt? ;)

Comment ID 21831538 from slam69 should work if permissions are set to apply to "This folder, subfolders and files" for the specific non-admin account.
 
KCTS Commented:
No - I originally thought you meant a user was changing the permissions, in which case it would
 
Toni Uranjek (Consultant/Trainer) Commented:
So you're saying that SQL ignores permission inheritance or overwrites existing permissions? If they are overwritten, you could overwrite them again with a scheduled script.
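One way to implement the scheduled-script idea above, as an added example rather than anything posted in this thread: it walks the central collection folder, finds trace files whose inheritance was switched off, re-enables inheritance (dropping the owner-only entries the SQL Server service account wrote) and explicitly grants the reader account Read. The folder path, the reader account name and the `*.trc` filter are assumptions.

```powershell
# Added example (not from the thread): re-apply folder-inherited permissions to
# SQL Server trace files that were written with inheritance switched off.
# Run it from a scheduled task under a local administrator on the collection box,
# which has the rights needed to rewrite the DACL on files owned by another account.
param(
    [string]$TraceRoot     = 'D:\TraceCollect',          # assumed central folder
    [string]$ReaderAccount = 'DOMAIN\svc_traceloader',   # assumed reader service account
    [string]$Filter        = '*.trc'                     # server-side trace files
)

# Explicit Read ACE for the loader account (assumed name above)
$readRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $ReaderAccount, 'Read', 'Allow'

$fixed = @()
Get-ChildItem -Path $TraceRoot -Filter $Filter -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        # AreAccessRulesProtected is $true when inheritance was disabled on the file,
        # which is the symptom described in the thread; leave untouched files alone.
        if (-not $acl.AreAccessRulesProtected) { return }

        # Turn inheritance back on; ($false, $false) discards the explicit entries
        # instead of converting the inherited ones into copies.
        $acl.SetAccessRuleProtection($false, $false)
        foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            [void]$acl.RemoveAccessRule($rule)
        }
        # Belt and braces: explicit Read for the loader account even if someone
        # later edits the folder ACL.
        $acl.AddAccessRule($readRule)
        Set-Acl -Path $_.FullName -AclObject $acl
        $fixed += $_.FullName
    }

Write-Output ("Re-applied inherited permissions on {0} trace file(s)" -f $fixed.Count)
$fixed
```

The file's owner (the writing service account) can still rewrite the DACL at any time, so schedule this to run after SQL Server has closed and rolled over each trace file rather than while it is still being written.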
 
slam69 Commented:
Yup, yup, I do agree most of the things suggested here would work if this related to a standard user account, but as it's a service-account-generated file this is not the case and will not follow the normal rules and fixes.
 
slam69 Commented:
You could do that, but the service account will always have Full Control of these files as the creator owner. And yes, you could have a scheduled script overwrite them, but I would have thought the only people who will be reading the trace logs will be SQL DBAs, who usually are local admins on their own machines by a matter of necessity and usually local admins on the machines hosting the SQL Server, hence why I have never seen this be an issue. If it is, then move the trace files back to the local location where the DBAs can read them as local admins and take copies of the files to put them in a central repository, keeping the originals in situ.... Still don't know why you would want to do this, but that's the way I would do it.
 
gamagldba (Author) Commented:
Yes, it's turning off inheritance and overwriting permissions. BTW, this happens for trace files. If I create a job output file it keeps inheritance. And only SQL 2005; SQL 2000 doesn't do this. Must be a way to protect the trace files from interrogation.

I've thought of changing the permissions back before I read them, but then the reader would need more permissions than necessary. Making him an admin works around this....
 
slam69 Commented:
Who is reading the files? I really would think the people who are using the trace files would usually be local admin on their machines anyway; haven't seen this be an issue before, to be frank!!
 
gamagldba (Author) Commented:
The reading account is actually a service account for another SQL instance where the trace files will be loaded into tables. The plan is to have a scheduled job load trace files.
 
slam69 Commented:
Then there is your issue: you have not kept a standardised SQL service account, otherwise this wouldn't have become an issue!! Not too sure of a way of getting round this.

I would dump the idea and load the trace files as and when you wish to use them; it's not that intensive a task anyway. Not sure why you would want to carry it out?
 
gamagldba (Author) Commented:
1 service account would make for easier administration, but it's not our policy. If that one account somehow gets disabled, it would cause problems across our whole environment.

The reason for the centralized scheduled loading is so that we could more easily administer and generate audit/usage reports that reflect all our many servers. This would also allow for ad hoc reporting by management. I didn't expect this snag.

So it appears that it's not possible to prevent permission changes by the file owner. I guess the solutions would be to overwrite permissions or make the reader an admin on the collection box.

Thanks for all the comments.
 
slam69 Commented:
That's exactly it: what you want to do is not possible in the steps you are trying. You either need one service account, as is standard, or to alter the permissions of the files once produced.

Hopefully the comments are enough for you to close the question. Sometimes we are unable to tell you what you want to hear, but at least you know what you need to do from here.

Please remember to close the question.
