Volume Shadow Copy

Jeffrey L

Is there a way to limit some users from rolling back to a previous version?
Although the users have access to the shared drive, we just don't want them
to have the option of restoring a previous version.

Jeffrey L
 
Steven L Umbach

Rollback what?? If you mean they are accessing a share on a Windows 2003
Server that has Volume Shadow Copy I don't know of a way to selectively
prevent users from using it unless you do not install the client on their
Windows 2000/XP Pro computers. --- Steve
 
Herb Martin

Steven L Umbach said:
Rollback what?? If you mean they are accessing a share on a Windows 2003
Server that has Volume Shadow Copy I don't know of a way to selectively
prevent users from using it unless you do not install the client on their
Windows 2000/XP Pro computers. --- Steve


Steven is correct -- that is the main point of Shadow Copy
so you either disable it or you don't give the client software
to the users.

Why ever would you want people not to be able to recover
a file?

If they are recovering "other people's files" then that should be
dealt with through permissions.

A user must have READ on the original to copy the shadow
version, and Modify/Change on the original to overwrite it.

Since each person almost always has this on their own files,
they are going to be able to recover those files that belong to
them, and any others that meet these requirements.
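
The permission rule in the post above (READ on the original to copy a shadow version, Modify/Change to overwrite it) can be checked against a share's NTFS ACL. The following PowerShell is an added example, not part of the original thread; the function name `Get-PreviousVersionExposure` and the path `D:\Shares\BillingData` are hypothetical, and it reports per-entry rights rather than effective access.

```powershell
# Added example: list which ACL entries on the live folder would let a principal
# copy a previous version (read) or restore it over the original (read + write).
# Share-level permissions and group membership are not evaluated here.
function Get-PreviousVersionExposure {
    param([Parameter(Mandatory)][string]$Path)

    # Get-Acl can return raw generic access bits that have no enum name,
    # so test for them explicitly alongside the specific file rights.
    $genericRead  = [int]0x80000000
    $genericWrite = 0x40000000
    $genericAll   = 0x10000000
    $readData     = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $writeData    = [int][System.Security.AccessControl.FileSystemRights]::WriteData

    foreach ($rule in (Get-Acl -LiteralPath $Path).Access) {
        $bits  = [int]$rule.FileSystemRights
        $read  = ($bits -band ($readData  -bor $genericRead  -bor $genericAll)) -ne 0
        $write = ($bits -band ($writeData -bor $genericWrite -bor $genericAll)) -ne 0
        $allow = $rule.AccessControlType -eq 'Allow'

        [pscustomobject]@{
            Identity          = $rule.IdentityReference.Value
            Type              = $rule.AccessControlType   # Deny entries are listed for review
            Inherited         = $rule.IsInherited
            CanCopyVersion    = $allow -and $read
            CanRestoreInPlace = $allow -and $read -and $write
            Rights            = $rule.FileSystemRights
        }
    }
}

# Hypothetical path: replace with the folder behind the share being reviewed.
Get-PreviousVersionExposure -Path 'D:\Shares\BillingData' |
    Sort-Object CanRestoreInPlace -Descending |
    Format-Table Identity, Type, Inherited, CanCopyVersion, CanRestoreInPlace -AutoSize
```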
 
Jeffrey L

Several users involved in billing are connected to share for BillingData.
Only one of these users should have the authority to restore a previous
version (such as an admin.)

 
Herb Martin

Jeffrey L said:
Several users involved in billing are connected to share for BillingData.
Only one of these users should have the authority to restore a previous
version (such as an admin.)

Then those 'other users' should not have the authority to
WRITE to the main file or shouldn't even have the authority
to READ that file (make copies.)

Notice that shadow copy is NOT the problem here, but rather
the permissions given to the users are the real issue.

If they choose to make their "own" backup of a readable
file today, you could not stop them. If they choose to over-write
a WRITABLE file tomorrow from that backup -- or even
from some junk -- you could not stop them.

You have a permission problem, not a shadow copy
problem.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
Jeff Cochran

Several users involved in billing are connected to share for BillingData.
Only one of these users should have the authority to restore a previous
version (such as an admin.)

We have similar situations, and we simply don't deploy the client to
those systems.

But in a billing environment shadow copies can be even more dangerous.
I accept your money and list your bill as paid. I roll back to the
previous version. I pocket the cash.

I'm surprised auditors would allow anyone in the department the
authority.

Jeff
 
Herb Martin

Jeff Cochran said:
We have similar situations, and we simply don't deploy the client to
those systems.

But in a billing environment shadow copies can be even more dangerous.
I accept your money and list your bill as paid. I roll back to the
previous version. I pocket the cash.

I'm surprised auditors would allow anyone in the department the
authority.

In a secure system, the accounting software would be the only "one"
allowed to actually touch the raw files or raw database.

Users are authenticated to the "accounting system" which grants them
the rights to do only certain functions -- all of the raw data are hidden
from them, along with illegal operations.
 
Jeffrey L

The users need WRITE access in order to enter payments, billing, etc. They
are trusted not to be thieves and there are checks and balances in place for
security purposes. We just didn't want anyone to have the ability to
restore older files if they thought that there was a file integrity problem
before IT gets involved and troubleshoots.


 
Bruce Chambers

Jeffrey said:
The users need WRITE access in order to enter payments, billing, etc. They
are trusted not to be thieves and there are checks and balances in place for
security purposes. We just didn't want anyone to have the ability to
restore older files if they thought that there was a file integrity problem
before IT gets involved and troubleshoots.


Then simply remove the Shadow Copy client from the computers of those
you don't or can't trust to follow company policy.


--

Bruce Chambers

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
Herb Martin

Jeffrey L said:
The users need WRITE access in order to enter payments, billing, etc. They
are trusted not to be thieves and there are checks and balances in place for
security purposes.
We just didn't want anyone to have the ability to
restore older files if they thought that there was a file integrity problem
before IT gets involved and troubleshoots.

They can do that now; Shadow copy is not the problem
other than it makes it easier -- so the answer is to either:

1) Take away the shadow copy client software
(doesn't really solve the real problem but it
will keep them from using shadow copy to do it.)

2) Fix the permissions -- which doesn't work with your
current processes but is the only true answer. So
this would imply putting a protective application
between the user and the files to limit their access to
only the necessary and approved function.

3) User education -- since you "trust" the users, perhaps
you can educate them to do the right thing and call
IT when they need help.

4) Making additional backups so that you can undo
any mistakes they do make due to the inherent lack
of security in your current systems.

Until you recognize that you have a permission/security
problem and not a shadow copy issue you probably won't
be able to address the situation fully.
 
Jeff Cochran

The users need WRITE access in order to enter payments, billing, etc. They
are trusted not to be thieves and there are checks and balances in place for
security purposes. We just didn't want anyone to have the ability to
restore older files if they thought that there was a file integrity problem
before IT gets involved and troubleshoots.

Then your only option is to remove the shadow copy client from their
systems. Or, since they are trusted, simply tell them not to restore
shadow copies of those files/folders.

An alternative that may or may not be possible in your setup is to
have those files on a different drive and not run shadow copy services
for that drive.

Jeff

 