"Deny" permissions keep getting lost?

Tegger®

A customer of mine has a problem with file permissions. The machine in
question is running XP Pro with all the updates except SP2. It is being
used as a file server on a small network.

There is a specific directory that is shared (read/write) among all users,
but which contains a number of files which must not be accessible to one
group of users. I have achieved this objective by selecting "Deny" in the
Security tab on each of those files for that group.

The problem is that (apparently at random) some of those files will change
to "Permit" for the group I want to "Deny". Setting them back to "Deny"
does not guarantee that the setting will be kept, even if you reboot after
making the security change.

It could take a week or several weeks, but eventually one or more of those
files will revert back to "Permit" for that group. Last week it was just
one file. Last month it was three.

My customer insists that there is no security breach (such as a leaked
password) that would give unauthorized admin access to the file server, and
I have to believe him on that, as I can find no evidence to the contrary.

Any ideas? I'm stumped.

--
TeGGeR®

How to find anything on the Internet:
www.google.com

or in Usenet Groups:
www.groups.google.com

Google is your friend. Learn how to use it.
 
Roger Abell

Enable auditing on those files, and/or the containing folder, so
there is a record of what account did this.
As you state that you placed an explicit deny on each file, the
only way the deny could not function is if someone directly
altered that deny on the file, or if someone forced down a
reACLing from a containing folder (but in that case all of the
files would have been affected).
I would create a subdirectory, set the directory to no inherit
permissions, saying yes to Copy the existing, and then alter
the permissions as desired - either not granting to any group
containing those that should have no access, or setting a deny
for them, or both. Then I would copy the files into the new
subdirectory and delete the originals. Oh yes, did I mention
setting an audit on the new subdirectory?
 
Tegger®

> Enable auditing on those files, and/or the containing folder, so
> there is a record of what account did this.
> As you state that you placed an explicit deny on each file, the
> only way the deny could not function is if someone directly
> altered that deny on the file, or if someone forced down a
> reACLing from a containing folder (but in that case all of the
> files would have been affected).
> I would create a subdirectory, set the directory to no inherit
> permissions, saying yes to Copy the existing, and then alter
> the permissions as desired - either not granting to any group
> containing those that should have no access, or setting a deny
> for them, or both. Then I would copy the files into the new
> subdirectory and delete the originals. Oh yes, did I mention
> setting an audit on the new subdirectory?

Thanks for the reply. The "inherit" flag *was* set on the files.

I have created a subdirectory and thrown all the relevant files in there,
where, in retrospect, they should have been in the first place.

The directory has permission for the proper group and deny for the other
one. The subdirectory has been set to "no inherit", but I left the inherit
flag on the files within.

So far so good. Tried access from various workstations and all seems well.

--
TeGGeR®
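
Why the folder layout discussed in this thread matters, as an added example that is not part of either post: a simplified Python model of how Windows orders and evaluates permission entries (explicit before inherited, deny before allow within each block). The group names and access bits are constructed for illustration.

```python
from collections import namedtuple

READ, WRITE = 0x1, 0x2   # simplified access bits, not the real Windows mask values
RW = READ | WRITE
# kind is "deny" or "allow"; inherited is True when the ACE came from the parent folder
Ace = namedtuple("Ace", "kind group mask inherited")

def canonical_order(aces):
    """Explicit ACEs before inherited ones, deny before allow inside each block."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(dacl, user_groups, wanted):
    """Walk the ACEs in order; the first ACE that settles a requested bit wins."""
    remaining = wanted
    for ace in canonical_order(dacl):
        if ace.group not in user_groups:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False   # requested bits that no ACE granted are implicitly denied

def inherit_from(folder_aces, explicit_aces=()):
    """DACL of a file that inherits from its folder, plus any explicit ACEs on the file."""
    return list(explicit_aces) + [a._replace(inherited=True) for a in folder_aces]

def scenarios():
    user = {"Users", "Restricted"}   # constructed: a member of the group to be locked out
    share = [Ace("allow", "Users", RW, False)]
    deny = Ace("deny", "Restricted", RW, False)
    subdir = [Ace("allow", "Users", RW, False), deny]   # subfolder set to "no inherit"
    return {
        # original layout: explicit deny on the file, allow inherited from the share
        "explicit_deny": access_check(inherit_from(share, [deny]), user, READ),
        # same file after its explicit entries are replaced by the folder's
        "reset_from_parent": access_check(inherit_from(share), user, READ),
        # new layout: deny set on the subfolder and inherited by the file
        "inherited_deny": access_check(inherit_from(subdir), user, READ),
        # new layout, but an explicit allow is later added on the file itself
        "explicit_allow_added": access_check(
            inherit_from(subdir, [Ace("allow", "Users", READ, False)]), user, READ),
    }

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:22} -> {'access' if allowed else 'denied'}")
```

The last case is the one to audit for in the new subfolder: an explicit allow on a file is evaluated before a deny inherited from the folder.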
