[cifs-protocol] [REG:114102711953179] Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]

Obaid Farooqi obaidf at microsoft.com
Thu Nov 6 11:19:44 MST 2014


Hi Nadiya:
I have uploaded two files: TTT_x86_x64_External_ws2k12.zip and TTT_x86_x64_External.zip. You will receive an email with the link to the workspace and the username and password to download these. TTT_x86_x64_External.zip is for Windows Server 2008 R2 and TTT_x86_x64_External_ws2k12.zip is for WS 2012 and later.

Here are the instructions on how to collect the traces:

1. You should have received an email from our file transfer system that has a user name, password and a link. Please click on the link (Windows or Java) and install the software. Log in using the user name and password from the email. Please follow the instructions and download the files mentioned above.

2. The archive has two folders: x64 and x86. In your case, since you are using Windows Server, copy the contents of the x64 folder to a directory on your server. I'll use C:\ttt as an example.
3. Open an elevated command window and cd to C:\ttt.
4. Find out the PID of the lsass process from Task Manager.
5. Execute the following commands in the elevated command window. PID is the number from step 4.
              C:\ttt>tttracer.exe -initialize
              C:\ttt>tttracer.exe -attach PID -dumpfull

6. A little window will pop up with the title "lsass01.run".
7. Please reproduce the problem, i.e. try to undelete a tombstone object as a user that has all the permissions that MS-ADTS requires.
8. Once you are done reproducing the problem, click on the little check box "Tracing on". Note: please do not click "Exit App" or it will kill the wintm service. This will create two files: svchost01.run and svchost01.out.
9. Zip the files from step 8 and upload them to the workspace where you downloaded the TTT binaries from.
10. Let me know when the files are available.



Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
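Steps 3 to 5 of the procedure above, as an added PowerShell example that is not part of the message or of the TTT tooling. It assumes the x64 binaries were extracted to C:\ttt, as in the message, and that a non-zero exit code from tttracer.exe means the command failed (the message does not say how the tool reports errors, so that check is an assumption).

```powershell
# Added example, not part of the message above: automates steps 3 to 5 of the
# trace-collection procedure. Assumes the x64 TTT binaries were extracted to
# C:\ttt, as in the message; change $tttDir otherwise.
$tttDir = 'C:\ttt'

# Step 3: attaching to lsass only works from an elevated session, so fail early.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal -ArgumentList $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open an elevated PowerShell window and run this script again.'
}

# Step 4: resolve the lsass PID instead of reading it off Task Manager.
# A DC has exactly one lsass.exe; anything else means the wrong host or a problem.
$lsass = @(Get-Process -Name lsass -ErrorAction Stop)
if ($lsass.Count -ne 1) { throw "Expected exactly one lsass.exe, found $($lsass.Count)." }
$lsassPid = $lsass[0].Id

# Step 5: the two tttracer invocations from the message, with the PID filled in.
# Assumption: a non-zero exit code from tttracer.exe means the step failed.
Set-Location -Path $tttDir
& (Join-Path $tttDir 'tttracer.exe') -initialize
if ($LASTEXITCODE -ne 0) { throw "tttracer -initialize returned $LASTEXITCODE" }
& (Join-Path $tttDir 'tttracer.exe') -attach $lsassPid -dumpfull
if ($LASTEXITCODE -ne 0) { throw "tttracer -attach returned $LASTEXITCODE" }

Write-Host "lsass (PID $lsassPid) is being traced. Reproduce the failed undelete, then"
Write-Host "tick 'Tracing on' in the tttracer window. Do not click 'Exit App'."
```

After the script returns, steps 6 to 10 of the message still apply: reproduce the undelete failure as the test user, stop tracing from the tttracer window, and upload the resulting .run and .out files.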

-----Original Message-----
From: Obaid Farooqi 
Sent: Thursday, November 6, 2014 11:55 AM
To: 'Nadezhda Ivanova'
Cc: 'cifs-protocol at samba.org'; MSSolve Case Email
Subject: RE: [REG:114102711953179] Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]

Hi Nadiya:
Can you please send me an lsass ttt trace of the failure scenario, i.e. when your user has the permissions required by MS-ADTS but is still not able to undelete? Please let me know the version of the DC where you are trying to undelete the tombstone object so that I can send you the appropriate binaries.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft


-----Original Message-----
From: "Obaid Farooqi" <obaidf at microsoft.com> 
Sent: Monday, November 3, 2014 12:24 PM
To: "Nadezhda Ivanova" <nivanova at samba.org>
Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve Case Email" <casemail at microsoft.com>
Subject: [REG:114102711953179] Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]

Hi Nadiya: 
I am still working on this issue and will be in touch as soon as I have an answer. 

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft 


-----Original Message-----
From: Obaid Farooqi
Sent: Tuesday, October 28, 2014 10:14 AM
To: 'Nadezhda Ivanova' 
Cc: 'cifs-protocol at samba.org'; MSSolve Case Email
Subject: RE: [REG:114102711953179] Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]

Hi Nadiya: 
I'll help you with this issue and will be in touch as soon as I have an answer. 

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft 


-----Original Message-----
From: "Obaid Farooqi" <obaidf at microsoft.com>
Sent: Monday, October 27, 2014 10:03 AM
To: "Nadezhda Ivanova" <nivanova at samba.org>
Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve Case Email" <casemail at microsoft.com>
Subject: [REG:114102711953179] Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]

Hi Nadiya: 
Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft 


-----Original Message-----
From: nivanova.samba at gmail.com [mailto:nivanova.samba at gmail.com] On Behalf Of Nadezhda Ivanova
Sent: Monday, October 27, 2014 9:19 AM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1

Dear Dochelp,
I am currently trying to implement the proper access checking when executing an undelete operation, and I have established that the access rights described in 3.1.1.5.3.7.1, when granted to a regular Domain User, are not enough to enable that user to perform an Undelete operation.

Some investigation showed that the user also needs List Children permission on the Deleted Objects container, but I can't find this mentioned in ADTS, am I looking in the wrong place?

Also, could you please direct me to where the default security descriptor of a Deleted Objects container (say, after a fresh installation) is documented? It seems that it is a special case - according to http://support.microsoft.com/kb/892806, inheritance is broken, and even Domain Admins are only allowed a very limited set of rights. I would appreciate some more specific information than the output of the tool; an example SD in SDDL format would be best.

Best Regards,
Nadezhda Ivanova 
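The two things the question asks about, as an added PowerShell example that is not part of the thread and is not Samba's or Microsoft's code: it reads the Deleted Objects container's security descriptor and prints it in SDDL form, then issues the undelete operation at the LDAP level, which is the Modify that removes isDeleted and sets distinguishedName (MS-ADTS 3.1.1.5.3.7). It uses System.DirectoryServices.Protocols against a live DC, so it must be run as the account whose rights are being tested; the DC name, base DN and object names are placeholders. The example does not claim which rights 3.1.1.5.3.7.1 requires; it only shows where a missing right surfaces. The one-level search in step 2 is answered only if the caller can list the container's children, which is where the List Children permission the question mentions is exercised.

```powershell
# Added example (not code from the thread, Samba or Microsoft). Dumps the SD of
# the Deleted Objects container as SDDL and then performs the MS-ADTS undelete
# over LDAP. Run as the user under test. All names below are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

$dc          = 'dc1.example.com'                      # placeholder DC
$baseDn      = 'DC=example,DC=com'                    # placeholder domain
$deletedDn   = "CN=Deleted Objects,$baseDn"
$tombstoneCn = 'testuser'                             # RDN the object had before deletion
$newDn       = "CN=$tombstoneCn,CN=Users,$baseDn"     # where to put it back

$conn = New-Object "$P.LdapConnection" -ArgumentList $dc
$conn.SessionOptions.Signing = $true                  # sign and seal the session
$conn.SessionOptions.Sealing = $true
$conn.Bind()                                          # Negotiate as the current user

# --- 1. Security descriptor of the Deleted Objects container, as SDDL ----------
# Request only owner, group and DACL. Without the SD-flags control the DC also
# tries to include the SACL, and a caller without that privilege gets no
# nTSecurityDescriptor at all, which looks like an empty result.
$sdReq = New-Object "$P.SearchRequest"
$sdReq.DistinguishedName = $deletedDn
$sdReq.Filter = '(objectClass=*)'
$sdReq.Scope  = 'Base'
$sdReq.Attributes.Add('nTSecurityDescriptor') | Out-Null
$sdReq.Controls.Add((New-Object "$P.ShowDeletedControl")) | Out-Null
$sdReq.Controls.Add((New-Object "$P.SecurityDescriptorFlagControl" -ArgumentList ([System.DirectoryServices.Protocols.SecurityMasks]'Owner,Group,Dacl'))) | Out-Null
$sdResp  = $conn.SendRequest($sdReq)
$sdBytes = $sdResp.Entries[0].Attributes['nTSecurityDescriptor'].GetValues([byte[]])[0]
$rawSd   = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sdBytes, 0
"SDDL of $deletedDn :"
$rawSd.GetSddlForm('All')

# --- 2. Locate the tombstone under the container -------------------------------
# A tombstone's RDN is "<name>\nDEL:<guid>"; \0A is the LDAP filter escape for \n.
$find = New-Object "$P.SearchRequest"
$find.DistinguishedName = $deletedDn
$find.Filter = "(&(isDeleted=TRUE)(cn=$tombstoneCn\0ADEL:*))"
$find.Scope  = 'OneLevel'
$find.Attributes.Add('distinguishedName') | Out-Null
$find.Controls.Add((New-Object "$P.ShowDeletedControl")) | Out-Null
$found = $conn.SendRequest($find)
if ($found.Entries.Count -ne 1) { throw "Expected one tombstone, found $($found.Entries.Count)" }
$tombstoneDn = $found.Entries[0].DistinguishedName

# --- 3. The undelete: one Modify that drops isDeleted and sets the new DN -------
$mod = New-Object "$P.ModifyRequest"
$mod.DistinguishedName = $tombstoneDn
$mod.Controls.Add((New-Object "$P.ShowDeletedControl")) | Out-Null

$dropIsDeleted = New-Object "$P.DirectoryAttributeModification"
$dropIsDeleted.Name      = 'isDeleted'
$dropIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

$setDn = New-Object "$P.DirectoryAttributeModification"
$setDn.Name      = 'distinguishedName'
$setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$setDn.Add($newDn) | Out-Null

$mod.Modifications.Add($dropIsDeleted) | Out-Null
$mod.Modifications.Add($setDn) | Out-Null

try {
    $conn.SendRequest($mod) | Out-Null
    "Undelete OK: $tombstoneDn -> $newDn"
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    # A missing right comes back as a result code (e.g. insufficientAccessRights)
    # plus the DC's error string; both are worth pasting into a report.
    "Undelete failed: $($_.Exception.Response.ResultCode) - $($_.Exception.Response.ErrorMessage)"
}
```

To compare a regular Domain User with an administrator, run the script twice under each account (for example via runas) and diff the SDDL and the result of step 3; the SDDL from step 1 is the concrete default-SD sample the question asks for, taken from the DC under test rather than from a document.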
