Windows 2000 security in a NT network
I have one Windows 2000 server in an NT network. The engineering dept has a directory with several subdirectories. The directories all have different secutiy levels. One directory is open to all for modification. They drop their files in there and then an admin reviews and moves the files to a read only directory. The problem is if you cut and paste the file it does not pick up the security of the new subdirectory. However, if you copy the file it does pick up the new security. Is this normal or is there something I am overlooking?
Software/Hardware used:
Software/Hardware used:
ASKED:
November 5, 2004 2:40 PM
UPDATED:
November 9, 2004 10:28 AM
Answer Wiki:
Cut and Paste is dealing with the file data at an entirely different level than copying. It all takes place INSIDE an application, and has NO connection to the file system itself.
If you have any concerns with security, stop all "cut&paste" right now, and stick with file copies.
You didn't ask, but I'm going to make a presumption based on experience. If this sort of activity is going on, then you (or engineering, actually) is going to have some VERY serious problems with version control integrity and the like. I suggest that you point the people responsible to some material on Release Engineering/Administration, and proper Version Control Systems. This smells like a disaster in the making.
Bob
To see all answers submitted to the Answer Wiki: View Answer History.
Caveat emptor – I have no NT machines to test on, but the theory I am about to present should be sound.
What we’re dealing with, here, is not application-level problems, but is at the filesystem level (please correct if this is not the case!).
WinNT, Win2k, WinXP, Win2k3 – should *not* matter what version of the server you are using, the key is that you have to have the disk formatted with NTFS, in order to use NT-based security.
Now…. There are a number of quirks about security properties, ownerships, and ACLs on NTFS volumes. The general rules-of-thumb are as follows:
1) if you are moving files from one folder to another on the same physical NTFS volume, you will retain the file(s) original security info;
2) if you copy the file(s) within the same volume, you will inherit the security properties of the destination directory and the original properties are lost;
3) if you move or copy files between two physical volumes, you will inherit.
You can use XCOPY (see all switches with /?) to transfer the various bits of security info if you want to copy on the same/different volume; SCOPY from the Resource Kit will also allow you to do the same, IIRC.
So, now that the lecure is over: the short answer is yes, this is normal NTFS behaviour. Your admins will have to copy the files into the restricted subdirectory, then delete from the higher-level folder, if you want to inherit. Cut/paste in Explorer is essentially moving.
Caveat emptor – I have no NT machines to test on, but the theory I am about to present should be sound.
What we’re dealing with, here, is not application-level problems, but is at the filesystem level (please correct if this is not the case!).
WinNT, Win2k, WinXP, Win2k3 – should *not* matter what version of the server you are using, the key is that you have to have the disk formatted with NTFS, in order to use NT-based security.
Now…. There are a number of quirks about security properties, ownerships, and ACLs on NTFS volumes. The general rules-of-thumb are as follows:
1) if you are moving files from one folder to another on the same physical NTFS volume, you will retain the file(s) original security info;
2) if you copy the file(s) within the same volume, you will inherit the security properties of the destination directory and the original properties are lost;
3) if you move or copy files between two physical volumes, you will inherit.
You can use XCOPY (see all switches with /?) to transfer the various bits of security info if you want to copy on the same/different volume; SCOPY from the Resource Kit will also allow you to do the same, IIRC.
So, now that the lecture is over: the short answer to your question is yes, this is normal NTFS behaviour. Your admins will have to copy the files into the restricted subdirectory, then delete from the higher-level folder, if you want to inherit. Cut/paste in Explorer is essentially moving.