Permissions for Creator Owner

boomboom999

By default in Windows 2000/XP/2003 many files and registry keys have
explicit permissions for CREATOR/OWNER which is always
"Full control".

Like this:

CREATOR/OWNER Full Control
Administrators Full Control
System Full Control

Why bother to add a special permission for CREATOR/OWNER when by
design CREATOR has always all needed permissions on its own files?

What would happen if we remove these permissions on NTFS volumes and in
Registry?
Steven L Umbach

The owner always has the ability to change permissions but if creator owner
placeholder was not present the owner would have the permissions based on
his group membership or user explicit permissions. There seems to be an
assumption that the creator owner of a folder file should have full control
and can be helpful in situations where you might want only the owner of a
file to be able to modify or delete it who otherwise would have restrictive
permissions that would not allow it based on group membership/explicit user
permissions. You can modify creator owner permissions. Many users would not
know or care that they can change permissions as the owner. --- Steve




boomboom999

Steven said:
The owner always has the ability to change permissions but if creator owner
placeholder was not present the owner would have the permissions based on
his group membership or user explicit permissions.

Do you want to say that if the record

CREATOR/OWNER = Full Control

is not present, the OWNER still has "full control" but only through
his power to reset any administrator-defined ACLs?

There are two problems here:
1. The placeholder does not follow the real owner. So if I transfer
ownership to another user, the ACL still contains the record for the old
user. The only way is to reset (remove/re-add) this ACL on the folder
level.

2. When I have 2 or more administrators and I want to keep traces of
what each of them placed/created on the server, file and registry ACLs
on the server quickly become polluted by administrators' usernames, which
creates some problems when auditing ACLs.

I'd suggest that Microsoft separate notions of Owner and Creator and
give flexibility to manage Owner's default supremacy.
 
Steven L Umbach

If creator owner is removed the owner still can always potentially change
the permissions. In XP Pro and Windows 2003 you can configure the security
option for system objects: default owner of objects created by
administrators group to be either administrators or object creator if you
want though that still does make it work the way you want and any
administrator can change that security option. While I agree that it is
difficult tracking what administrators do there has to be a certain level of
trust because of the power of the group membership granted to them. A
skilled administrator could almost always cover his tracks if he wanted
to. -- Steve
 
boomboom999

Thank you for your responses.
What do you think if I remove "Creator/Owner=Full Control" records from
default Windows XP ACLs on the file system and in Registry?
Any side effects?
Is it a risky approach?
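Before deciding whether to strip the placeholder, it helps to see where it is actually in play. The script below is an added example, not code from anyone in this thread: it walks a folder tree and reports, per folder, the owner, the explicit CREATOR OWNER entries (and whether they are inherit-only, which is what makes them a placeholder rather than a grant on the folder itself), and any explicit entries for principals outside a small expected set, which is the "ACL polluted by administrators' usernames" case described above. The root path and the list of expected principals are assumptions to adjust for your system.

```powershell
# Added audit script (not from the thread). Assumes Windows PowerShell 5.1 or later and
# read access to the tree; $Root and $KnownPrincipals are my assumptions, not defaults.
$Root = 'C:\Data'   # placeholder: the folder tree you want to inspect

# Principals whose explicit ACEs are expected; anything else on a folder is usually an
# owner or admin name that was stamped there when the object was created.
$KnownPrincipals = @('CREATOR OWNER', 'BUILTIN\Administrators',
                     'NT AUTHORITY\SYSTEM', 'BUILTIN\Users')

function Get-CreatorOwnerReport {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            $acl = Get-Acl -LiteralPath $dir.FullName
            # Only explicit ACEs matter here; inherited ones are fixed on the parent.
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
            $co = @($explicit | Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' })
            # A CREATOR OWNER ACE on a folder is normally InheritOnly: it grants nothing on the
            # folder itself and is copied, with the creator's SID, onto new child objects.
            $coInheritOnly = @($co | Where-Object {
                $_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly
            }).Count
            $stray = @($explicit | Where-Object {
                $KnownPrincipals -notcontains $_.IdentityReference.Value
            } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
            [pscustomobject]@{
                Path             = $dir.FullName
                Owner            = $acl.Owner
                CreatorOwnerAces = $co.Count
                CoInheritOnly    = $coInheritOnly
                StrayPrincipals  = ($stray -join '; ')
            }
        }
}

# Folders where the placeholder is missing, or where concrete user names have already
# been stamped into the ACL (the "polluted" case), are the ones to review before changing.
Get-CreatorOwnerReport -Path $Root |
    Where-Object { $_.StrayPrincipals -or $_.CreatorOwnerAces -eq 0 } |
    Format-Table -AutoSize
```

The same idea applies to the registry with Get-Acl on an HKLM:\ path and Get-ChildItem -Recurse without -Directory, since the registry provider returns RegistryAccessRule entries with the same IdentityReference and PropagationFlags properties.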