File security question

Guest

Okay, I've searched, and _thought_ I was gaining some understanding of
Vista's new method of enforcing file and folder security. However, here's
what I don't get:

I have a folder that I've copied from an external hard drive, which was to
transfer the files from my previous Windows XP system to the Vista Ultimate
system that replaced it. I've taken ownership of the folder (which I'm not
sure that I had to do), and can copy files via Windows Explorer by accepting
the UAC prompts.

However, when I try to save a file to the folder from an IE7 "Save As..."
dialog, I'm denied, and the only alternative is an offer to save to the
"Documents" folder. Is this normal behavior? Is the only option to save
somewhere else (such as, the Desktop, which I did) and then copy it over
(which I also did)?
 
Guest

Thanks for your help! I'm pasting the results below; hopefully, you don't
need the SID's to evaluate, but I'm not terribly comfortable pasting them in
a public forum. Probably doesn't matter, so call me paranoid...

Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\mcoppock>whoami /all /FO list

USER INFORMATION
----------------

User Name: toshiba\mcoppock
SID:

GROUP INFORMATION
-----------------

Group Name: Everyone
Type: Well-known group
SID:
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: TOSHIBA\Debugger Users
Type: Alias
SID:

Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: BUILTIN\Administrators
Type: Alias
SID:
Attributes: Group used for deny only

Group Name: BUILTIN\Users
Type: Alias
SID:
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\INTERACTIVE
Type: Well-known group
SID:
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Authenticated Users
Type: Well-known group
SID:
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\This Organization
Type: Well-known group
SID:
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: LOCAL
Type: Well-known group
SID:
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\NTLM Authentication
Type: Well-known group
SID:
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: Mandatory Label\Medium Mandatory Level
Type: Unknown SID type
SID:
Attributes: Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name: SeShutdownPrivilege
Description: Shut down the system
State: Disabled

Privilege Name: SeChangeNotifyPrivilege
Description: Bypass traverse checking
State: Enabled

Privilege Name: SeUndockPrivilege
Description: Remove computer from docking station
State: Disabled

Privilege Name: SeIncreaseWorkingSetPrivilege
Description: Increase a process working set
State: Disabled

Privilege Name: SeTimeZonePrivilege
Description: Change the time zone
State: Disabled
-----------------------

Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\mcoppock>icacls d:\
d:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
 
Guest

Thanks so much, that did it! Interestingly, on a few files, I received a
message saying that the ACL has errors.

Final question: is this something to be concerned about? I.e., is there a
way to fix it, _should_ I fix it, and could it require a reinstall?

Thanks again!

Jesper said:
OK, you are running into UAC. These lines in the whoami output are key:
Group Name: BUILTIN\Administrators
Type: Alias
SID:
Attributes: Group used for deny only

You are a member of Administrators, but your security token does not
actually have the Administrators group in it in the normal way. UAC marks
that group as a "deny" which means it is never used to grant permissions,
only to allow them. If you now look at the Access Control List (ACL i.e. the
permissions) for the drive:
C:\Users\mcoppock>icacls d:\
d:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)

The fact that LocalSystem appears twice is very interesting, and signifies a
broken ACL actually. Ignoring that for a moment though, the parts causing you
trouble are the two middle lines. The second line grants Administrators full
control. You are an administrator, but because you are running under a
non-elevated token, you do not have Administrators in your token, so that
membership doesn't help you. The second line grants users read. You are also
a member of Users. Thus, when running in admin approval mode under UAC, your
total rights to this drive are read.

To fix this, you need to grant Users modify privileges to the drive. Really
simple to do. Option one:
1. Right-click the drive letter in Explorer and select properties
2. Click the security tab
3. Click "Edit." You will be asked to elevate. Remember, until you do you
are still in admin approval mode and for all practical purposes you are not
an admin
4. Select "Users" and check the Modify box. If you see two entries for
LocalSystem pick one of them and delete it too. If you get an error about an
invalid ACL go ahead and accept fixing it. Your ACL should say
Administrators:Full control, and Users: Modify (assuming that is what you
want it to be). You technically do not need an entry for LocalSystem since it
is a member of Administrators.
5. Click OK enough times to get back to where you were.

The other option is to do it from an elevated command line.
1. Click the Window circle
2. Click All Programs: Accessories
3. Right-click on Command Prompt and select "Run as administrator"
4. Elevate
5. Run this command: icacls d:\ /grant BUILTIN\Users:(OI)(CI)(M)

OI means "let objects (files) inherit this ACE". CI means "let containers
(directories) inherit this ACE". M means "modify". An ACE is an Access
Control List Entry, in other words, the entries in the ACL that grants or
denies someone permission to the object.

Either of those solutions will work.


Jesper said:
Drop to a command prompt and run these two commands:
whoami /all /FO list
icacls <driveletter>:\

Substitute the drive letter of the external drive for the tag <driveletter>.

Paste the output of both commands into a reply to this post and we can tell
you what is going on. At least the whoami command should run from your normal
command prompt, not an elevated one. I want to see what is in the token you
normally use to access the files.

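To make the token/ACL interaction in Jesper's answer concrete, here is an added Python example; it is not code from the thread or from Windows itself. It parses the icacls lines quoted above into ACEs, builds a token from the whoami group list (with BUILTIN\Administrators marked deny-only, exactly as the output shows), and runs a simplified version of the Windows DACL walk: deny ACEs match every SID in the token, allow ACEs only count for SIDs that are not deny-only. The rights bits, the grant() helper and the token construction are simplified stand-ins for the real ACCESS_MASK values, the icacls /grant merge behaviour and the real token, and are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Simplified rights bits (illustrative; not the real Win32 ACCESS_MASK layout).
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWN = 1, 2, 4, 8, 16, 32

# icacls "simple rights" mapped onto the bits above.
SIMPLE_RIGHTS = {
    "F": READ | WRITE | EXECUTE | DELETE | CHANGE_PERMS | TAKE_OWN,
    "M": READ | WRITE | EXECUTE | DELETE,
    "RX": READ | EXECUTE,
    "R": READ,
    "W": WRITE,
    "N": 0,
}
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}

# The icacls d:\ output quoted in the thread, embedded here as sample input.
ICACLS_OUTPUT = r"""d:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Group list taken from the whoami /all output above (SIDs were omitted there too).
# True marks the one group whoami reports as "Group used for deny only".
WHOAMI_GROUPS = [
    ("Everyone", False),
    ("TOSHIBA\\Debugger Users", False),
    ("BUILTIN\\Administrators", True),
    ("BUILTIN\\Users", False),
    ("NT AUTHORITY\\INTERACTIVE", False),
    ("NT AUTHORITY\\Authenticated Users", False),
]


@dataclass(frozen=True)
class Sid:
    name: str
    deny_only: bool = False


@dataclass(frozen=True)
class Ace:
    trustee: str
    rights: int
    allow: bool = True
    flags: tuple = ()


def parse_icacls(text: str) -> list:
    """Turn icacls lines such as 'BUILTIN\\Users:(OI)(CI)(RX)' into Ace objects."""
    dacl = []
    for line in text.splitlines():
        line = line.strip()
        if ":(" not in line:
            continue  # summary lines such as "Successfully processed ..."
        trustee, spec = line.rsplit(":", 1)
        trustee = re.sub(r"^[A-Za-z]:\\\S*\s+", "", trustee)  # drop the leading path
        tokens = re.findall(r"\(([^)]+)\)", spec)
        flags = tuple(t for t in tokens if t in INHERITANCE_FLAGS)
        rights = [t for t in tokens if t not in INHERITANCE_FLAGS and t != "DENY"]
        if len(rights) != 1 or rights[0] not in SIMPLE_RIGHTS:
            raise ValueError(f"unsupported rights spec: {spec}")
        dacl.append(Ace(trustee, SIMPLE_RIGHTS[rights[0]], "DENY" not in tokens, flags))
    return dacl


def make_token(user="toshiba\\mcoppock", elevated=False) -> list:
    """SIDs in the process token. The filtered (admin approval mode) token keeps
    Administrators but marks it deny-only; after UAC elevation the full token
    carries it as a normal, enabled group."""
    return [Sid(user)] + [Sid(name, deny_only and not elevated) for name, deny_only in WHOAMI_GROUPS]


def access_check(token, dacl, requested: int) -> bool:
    """Walk the DACL in order, the way the kernel does (simplified): a deny ACE
    stops the check if it covers any still-unsatisfied bit and matches ANY SID,
    deny-only included; an allow ACE only satisfies bits for SIDs that are not
    deny-only. Inherit-only ACEs do not apply to the object itself."""
    sids = {s.name: s for s in token}
    remaining = requested
    for ace in dacl:
        sid = sids.get(ace.trustee)
        if sid is None or "IO" in ace.flags:
            continue
        if not ace.allow:
            if ace.rights & remaining:
                return False
        elif not sid.deny_only:
            remaining &= ~ace.rights
            if remaining == 0:
                return True
    return remaining == 0


def effective_simple_rights(token, dacl) -> list:
    """Names of the icacls simple rights this token would be granted on the object."""
    return [name for name, bits in SIMPLE_RIGHTS.items() if bits and access_check(token, dacl, bits)]


def grant(dacl, trustee, simple_right, flags=("OI", "CI")) -> list:
    """Model 'icacls <path> /grant trustee:(OI)(CI)(M)' as appending an allow ACE
    (the real tool merges with an existing ACE and reorders; not modelled here)."""
    return dacl + [Ace(trustee, SIMPLE_RIGHTS[simple_right], True, tuple(flags))]


if __name__ == "__main__":
    dacl = parse_icacls(ICACLS_OUTPUT)
    filtered, elevated = make_token(), make_token(elevated=True)
    print("filtered token, original ACL :", effective_simple_rights(filtered, dacl))
    print("elevated token, original ACL :", effective_simple_rights(elevated, dacl))
    print("filtered token, after /grant :", effective_simple_rights(filtered, grant(dacl, "BUILTIN\\Users", "M")))
```

Running it shows the filtered token limited to RX/R on the unchanged ACL, the elevated token getting everything through the Administrators ACE, and the filtered token reaching M (but still not F) once Users has been granted Modify. The deny-ACE case in the check is the other half of "deny only": the marked SID does not grant anything, but a deny ACE naming it still applies. One practical caveat: Explorer and the IE7 Save As dialog evaluate the ACL of the target folder, not of the drive root, so if the copied folder has its own non-inherited entries the root-level grant alone will not change the result.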
 
Guest

There could be lots of reasons why the ACL has errors. One of them is
probably the one I saw below. It's probably not the end of the world, but one
way to look at it would be to run:
icacls d:\ /verify /t

If you have any specific problems you can always open the ACL in the ACL
Editor (Explorer, right-click, properties, security tab). If there is an
error in the ACL, ACL UI tends to fix it as best it can there.

As a last resort you can propagate a whole new ACL down the whole tree. That
works if you haven't done anything to modify it down the line. To do that,
use ACL UI, go to the Advanced tab and select the "Replace all existing
inheritable permissions..." option and then click OK. That will overwrite any
problem ACLs, but it would also overwrite any custom ACLs you have below.

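As an added example (not part of the thread, and not icacls itself), the following Python models the two follow-up steps Jesper describes: verify() reports what icacls /verify looks for, an ACL that is not in canonical order, and also the duplicated LocalSystem entry seen in the icacls output; replace_inheritable() models the "Replace all existing inheritable permissions..." option and counts the explicit ACEs below the root that it throws away, which is the caveat in his answer. The directory tree, the d:\Migrated paths and the notes.txt file are constructed for the example, and the canonical-order rule is the simplified form (explicit deny, explicit allow, inherited deny, inherited allow).

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ace:
    trustee: str
    rights: str               # icacls simple right such as "F", "M" or "RX"
    allow: bool = True
    inherited: bool = False   # shown as (I) in icacls output
    inheritable: bool = True  # (OI)(CI): descendants receive this ACE


@dataclass
class Node:
    path: str
    dacl: list
    children: list = field(default_factory=list)


def verify(dacl) -> list:
    """Problems 'icacls /verify' would flag on one object (simplified): ACEs out
    of canonical order, and an identical ACE listed twice. [] means clean."""
    problems = []
    order = [(ace.inherited, ace.allow) for ace in dacl]
    if order != sorted(order):
        problems.append("not in canonical order")
    seen = set()
    for ace in dacl:
        if ace in seen:
            problems.append(f"duplicate ACE for {ace.trustee} ({ace.rights})")
        seen.add(ace)
    return problems


def verify_tree(root) -> dict:
    """'icacls <path> /verify /t': map every path with problems to its list."""
    found = {}
    stack = [root]
    while stack:
        node = stack.pop()
        problems = verify(node.dacl)
        if problems:
            found[node.path] = problems
        stack.extend(node.children)
    return found


def dedupe(dacl) -> list:
    """Drop repeated identical ACEs, keeping the first occurrence (what deleting
    one of the two LocalSystem entries in the ACL editor achieves)."""
    return list(dict.fromkeys(dacl))


def replace_inheritable(root) -> int:
    """Model 'Replace all existing inheritable permissions on all descendants':
    every descendant ends up with exactly the root's inheritable ACEs, marked
    inherited; explicit ACEs set lower down are dropped. Returns how many
    explicit ACEs were discarded."""
    inherited = [Ace(a.trustee, a.rights, a.allow, True, a.inheritable)
                 for a in root.dacl if a.inheritable]
    dropped = 0
    stack = list(root.children)
    while stack:
        node = stack.pop()
        dropped += sum(1 for a in node.dacl if not a.inherited)
        node.dacl = list(inherited)
        stack.extend(node.children)
    return dropped


def sample_tree() -> Node:
    """Constructed tree: the root DACL matches the icacls d:\\ output after the
    Users:(M) grant (SYSTEM still listed twice); one subfolder carries a custom
    explicit ACE and one file has an explicit ACE placed after inherited ones."""
    root_dacl = [
        Ace("NT AUTHORITY\\SYSTEM", "F"),
        Ace("BUILTIN\\Administrators", "F"),
        Ace("BUILTIN\\Users", "M"),
        Ace("NT AUTHORITY\\SYSTEM", "F"),   # the duplicate entry
    ]
    inherited = [Ace(a.trustee, a.rights, inherited=True) for a in root_dacl]
    private = Node("d:\\Migrated\\Private", [Ace("toshiba\\mcoppock", "F")] + inherited)
    broken = Node("d:\\Migrated\\notes.txt", inherited + [Ace("Everyone", "R", allow=False)])
    return Node("d:\\", root_dacl, [Node("d:\\Migrated", list(inherited), [private, broken])])


if __name__ == "__main__":
    tree = sample_tree()
    for path, problems in sorted(verify_tree(tree).items()):
        print(f"{path}: {', '.join(problems)}")
    tree.dacl = dedupe(tree.dacl)      # fix the root first, or the duplicate is propagated again
    print("explicit ACEs discarded:", replace_inheritable(tree))
    print("problems after reset:", verify_tree(tree))
```

The order of operations matters: propagating from a root that still holds the duplicate entry pushes the duplicate into every child, so the root is cleaned first and only then reset downwards. The returned count is the number of deliberate, per-folder permissions the reset silently removes, which is why Jesper calls it a last resort.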
 
Guest

I think I'll leave well enough alone, at least until or unless I have other
problems, and definitely until I've got my hands around all this.

Again, thanks!

 