Allow on folder overrides explicit deny on file... wth?

Cambridge Member Posts: 11
Hi,

In the 70-270 Self-Paced Training kit second edition, question number 2 at page 8-33 and the provided answer basically claim that a "delete subfolders and files" permission allowed on a parent folder will override an explicit full control deny on a file found inside.

I understand that "delete subfolders and files" wins even if the delete permission has not been granted (as in absent, not there, very different than explicitly denied) on the file, as explained at page 8-12.

But in this case, Full control is explicitly denied (including the Delete permission) on the file itself and this would be overridden by the "delete subfolders and files" on the parent folder?

That would contradict the 2 main rules:
File permissions override Folder permissions.
Deny Permissions override Allow permissions.

Either there's a mistake in the book, or I'm getting very confused. Any help appreciated.

Comments

  • Mishra Member Posts: 2,468
    I don't have the training kit. Do you want to post what the question says?
    My blog http://www.calegp.com

    You may learn something!
  • Cambridge Member Posts: 11
    Sorry about that.

    Scenario
    You are an administrator working for a company named Fabrikam, Inc., a regional
    advertising company with a headquarters office in Memphis, TN, and several branch
    locations throughout the Southeast. Members of the company’s Accounting department,
    which is located in the main office, keep accounting information for the company’s
    clients on a file server located within the department. On that file server is a
    folder named Client Accounts, to which all members of the Accounting department
    need access. Due to confidentiality agreements, there are certain documents within the
    Client Accounts folder that should be accessible only by employees, not by temporary
    or contract workers.

    You have configured the Client Accounts folder in the following manner:
      You removed the Everyone group entirely. You added the Users group and assigned that group Full Control.
    In addition, you have performed the following actions:
      You made all part-time employees members of a group named Part Time. You made all contract workers members of a group named Contractors. You assigned the Deny Full Control permission to the Part Time And Contractors groups for the files that are protected by the confidentiality agreement.
    Question
    2. Even if users of the Part Time And Contractors groups cannot access the file, there
    is a risk that they will delete the file. Why?

    Answer
    Full Control includes the Delete Subfolders And Files special permission for POSIX compliance.
    This special permission allows a user to delete files in the root of a folder to which the user has
    been assigned Full Control permission. This permission overrides the file permissions.
  • dynamik Banned Posts: 12,312
    MS KB wrote:
    IMPORTANT: Groups or users who are granted Full Control on a folder can delete any files in that folder regardless of the permissions that protect the file.

    http://support.microsoft.com/kb/308419

    The part time and contractors will be members of the users group, so they will be assigned full control of the folder as well.
  • Cambridge Member Posts: 11
    Ok that closes the case but let me still question the way the book presents it. It's confusing at best.

    Page 8-12:

    Delete Subfolders And Files
    Delete Subfolders And Files allows or denies the deletion of subfolders or
    files within a folder, even if the Delete permission has not been granted on
    the particular subfolder or file.

    Delete
    Delete allows or denies the deletion of a file or folder. A user can delete a
    file or folder even without having the Delete permission granted on that file
    or folder, if the Delete Subfolder And Files permission has been granted to
    the user on the parent folder.

    The way they put it is not false, but it's half the truth. To be clear and avoid confusion, wouldn't it be better this way:

    Delete Subfolders And Files
    Delete Subfolders And Files allows or denies the deletion of subfolders or
    files within a folder, even if the Delete permission has been denied on
    the particular subfolder or file.

    Delete
    Delete allows or denies the deletion of a file or folder. A user can delete a
    file or folder even if the Delete permission is denied on that file
    or folder, if the Delete Subfolder And Files permission has been granted to
    the user on the parent folder.

    Also, at page 8-4, the 2 main rules for calculating effective permissions are presented as universal rules. (File Permissions Override Folder Permissions and Deny Permissions Override Allow Permissions) They don't mention that there is one big exception, which contradicts not just one, but the 2 rules all at once. The Delete Subfolders And Files exception should be mentioned right there, or at least referred to right away.

    You just can't have that type of writing in a chapter covering a complex topic like NTFS permissions, in my opinion. I mean, don't make it harder to understand than it already is. I also noted a few major inaccuracies in the same chapter. I found the book was pretty clear and easy to follow in all previous chapters, but they really messed up chapter 8. And that's inexcusable, because it's probably the most important one.

    Anyways, thanks a lot for the help. This chapter would definitely benefit from a complete re-writing if they ever publish a third edition, which seems unlikely. I apologize for the ranting, but this chapter was the cause for much frustration.
  • dynamik Banned Posts: 12,312
    Welcome to the wonderful world of training materials. I'm sure everyone here can empathize with your frustration.

    I should note that your explanations are not accurate. This situation only occurs if the user has been granted full control of the folder. That is the key. Re-read the explanation they gave you. It doesn't simply override the denial of the delete permission.
  • Cambridge Member Posts: 11
    I just made the test. Before testing I removed inheritance on the parent folder to be able to test only what I wanted to.

    I Allowed parent folder all special permissions except take ownership. So it did have "Delete subfolders and files", and all other special permissions, but not Full control.

    Then I created a file inside, on which I denied Full Control.

    The result stays the same: I can still delete the file, meaning that allow "Delete subfolders and files" on the parent folder still overrides deny Full Control on the file even if parent folder does not have Full control.

    So when you say:
    This situation only occurs if the user has been granted full control of the folder.

    Most likely I didn't get what you mean. Can you explain?
  • Bonkers Member Posts: 16
    I completely understand where you're coming from Cambridge. I have just reached that chapter and after reading it I must admit my damn head hurts. The book so far has rocked for me but this chapter ain't as well written as it might have been.
  • Goldmember Member Posts: 277
    dynamik wrote:
    Welcome to the wonderful world of training materials. I'm sure everyone here can empathize with your frustration.


    Exactamundo!!!!!
    CCNA, A+. MCP(70-270. 70-290), Dell SoftSkills
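
Added example, not part of the thread or the training kit: a simplified Python model of the NTFS delete check, in which a delete succeeds with DELETE on the file or with FILE_DELETE_CHILD ("Delete Subfolders And Files") on the parent folder. The group names follow the book scenario; the `fixed` folder ACL, which adds a deny for that right on the parent, is an assumption of this example and is not discussed above.

```python
from dataclasses import dataclass

# Access-mask bits as defined in the Windows SDK (winnt.h).
FILE_DELETE_CHILD = 0x00000040   # "Delete Subfolders And Files"
DELETE            = 0x00010000   # "Delete"
WRITE_OWNER       = 0x00080000   # "Take Ownership"
FILE_ALL_ACCESS   = 0x001F01FF   # "Full Control" (contains all bits above)

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # group name
    mask: int

def granted(dacl, groups, wanted):
    """Simplified DACL walk: ACEs in order, a deny on a still-needed bit fails."""
    remaining = wanted
    for ace in dacl:
        if ace.trustee not in groups:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False

def delete_path(folder_dacl, file_dacl, groups):
    """Return which right lets the caller delete the file, or None."""
    if granted(file_dacl, groups, DELETE):
        return "file:DELETE"
    if granted(folder_dacl, groups, FILE_DELETE_CHILD):
        return "parent:FILE_DELETE_CHILD"
    return None

def scenarios():
    who = {"Users", "Contractors"}    # constructed: a contract worker's groups
    plain = [Ace("allow", "Users", FILE_ALL_ACCESS)]
    secret = [Ace("deny", "Contractors", FILE_ALL_ACCESS)] + plain
    book = [Ace("allow", "Users", FILE_ALL_ACCESS)]
    tested = [Ace("allow", "Users", FILE_ALL_ACCESS & ~WRITE_OWNER)]
    fixed = [Ace("deny", "Contractors", FILE_DELETE_CHILD)] + book
    return {"book": delete_path(book, secret, who),
            "thread_test": delete_path(tested, secret, who),
            "fixed_secret": delete_path(fixed, secret, who),
            "fixed_plain": delete_path(fixed, plain, who)}

if __name__ == "__main__":
    print(scenarios())
```

The `book` and `thread_test` entries correspond to the book question and to the folder ACL with every special permission except Take Ownership; in the `fixed` entries the protected file is no longer deletable while an ordinary file in the same folder still is.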