[cifs-protocol] [REG:114102711953179] Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]

Nadezhda Ivanova nivanova at samba.org
Thu Nov 6 15:27:04 MST 2014


Hi Obaid,
I am using win2008R2. The user is not able to perform the undelete,
because he does not seem to have permission to list the contents of
Deleted Objects, and to him, the object is non-existent. And it also
appears that not even Administrator can grant LC permissions to a user
on the Deleted Objects container, so that effectively makes it
impossible for any user other than a member of Administrators to
perform an undelete... Negative testing works, though - adding ACEs
that deny the permissions specified in the docs prevents even a member
of the Administrators group from performing the op.

Regards,
Nadya

On Thu, Nov 6, 2014 at 7:54 PM, Obaid Farooqi <obaidf at microsoft.com> wrote:
> Hi Nadiya:
> Can you please send me an lsass ttt trace of the failure scenario i.e. when your user has the permissions required by MS-ADTS but still not able to undelete? Please let me know the version of DC where you are trying to undelete the tombstone object so that I can send you appropriate binaries.
>
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
>
> Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
>
> -----Original Message-----
> From: "Obaid Farooqi" <obaidf at microsoft.com>
> Sent: Monday, November 3, 2014 12:24 PM
> To: "Nadezhda Ivanova" <nivanova at samba.org>
> Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve Case Email" <casemail at microsoft.com>
> Subject: [REG:114102711953179] Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]
>
> Hi Nadiya:
> I am still working on this issue and will be in touch as soon as I have an answer.
>
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
>
>
> -----Original Message-----
> From: Obaid Farooqi
> Sent: Tuesday, October 28, 2014 10:14 AM
> To: 'Nadezhda Ivanova'
> Cc: 'cifs-protocol at samba.org'; MSSolve Case Email
> Subject: RE: [REG:114102711953179] Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]
>
> Hi Nadiya:
> I'll help you with this issue and will be in touch as soon as I have an answer.
>
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
>
>
> -----Original Message-----
> From: "Obaid Farooqi" <obaidf at microsoft.com>
> Sent: Monday, October 27, 2014 10:03 AM
> To: "Nadezhda Ivanova" <nivanova at samba.org>
> Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve Case Email" <casemail at microsoft.com>
> Subject: [REG:114102711953179] Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]
>
> Hi Nadiya:
> Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.
>
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
>
>
> -----Original Message-----
> From: nivanova.samba at gmail.com [mailto:nivanova.samba at gmail.com] On Behalf Of Nadezhda Ivanova
> Sent: Monday, October 27, 2014 9:19 AM
> To: Interoperability Documentation Help
> Cc: cifs-protocol at samba.org
> Subject: Undelete operation security considerations [MS-ADTS]
> 3.1.1.5.3.7.1
>
> Dear Dochelp,
> I am currently trying to implement the proper access checking when executing an undelete operation, and I have established that the access rights described in 3.1.1.5.3.7.1, when granted to a regular Domain User, are not enough to enable that user to perform an Undelete operation.
>
> Some investigation showed that the user also needs List Children permission on the Deleted Objects container, but I can't find this mentioned in ADTS, am I looking in the wrong place?
>
> Also, could you please direct me to where the default security descriptor of a Deleted Objects container (say, after a fresh installation) is documented? It seems that it is a special case - according to http://support.microsoft.com/kb/892806, inheritance is broken, and even Domain Admins are only allowed a very limited set of rights. I would appreciate some more specific information than the output of the tool; an example SD in SDDL format would be best.
>
> Best Regards,
> Nadezhda Ivanova
>
>
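The two pieces of the thread that a tester reproducing this needs, as an added example that is not part of the thread and not Samba's code: the LDAP modify that MS-ADTS 3.1.1.5.3.7.1 describes for an undelete (remove isDeleted, replace distinguishedName, sent with the Show Deleted Objects control), and a simplified SDDL-based access check that shows why the List Children (LC) right on CN=Deleted Objects decides the outcome, including the deny-ACE negative test from the first message. The SDDL strings, SIDs, DNs and the objectGUID are constructed for the example; in particular the Deleted Objects SDDL here is NOT the real default descriptor that KB 892806 describes. The access check is a first-match walk over a canonically ordered DACL, not the full Windows algorithm.

```python
"""Added example (not from the thread or Samba): the undelete LDIF from
MS-ADTS 3.1.1.5.3.7.1 and an LC check on the Deleted Objects container.
All SDDL, SIDs and DNs below are constructed test data."""
import re

# Access-right bits behind the two-letter SDDL codes (MS-DTYP 2.5.1.2).
SDDL_RIGHTS = {
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100, "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000,
    "WO": 0x00080000, "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000,
    "GR": 0x80000000,
}
RIGHT_LC = SDDL_RIGHTS["LC"]          # List Children
RIGHT_CR = SDDL_RIGHTS["CR"]          # Control access (extended rights)
SID_ALIASES = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "AU": "S-1-5-11"}
# rightsGuid of the Reanimate-Tombstones extended right in the AD schema.
REANIMATE_TOMBSTONES_GUID = "45ec5156-db7e-47bb-b53f-dbeb2d03c40f"
SHOW_DELETED_OID = "1.2.840.113556.1.4.417"   # LDAP_SERVER_SHOW_DELETED_OID
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_sddl_dacl(sddl):
    """Return [(ace_type, access_mask, object_guid, sid)] for the D: section."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for body in ACE_RE.findall(dacl):
        ace_type, _flags, rights, obj_guid, _inh_guid, sid = body.split(";")
        if rights.startswith("0x"):
            mask = int(rights, 16)
        else:
            mask = 0
            for i in range(0, len(rights), 2):
                mask |= SDDL_RIGHTS[rights[i:i + 2]]
        aces.append((ace_type, mask, obj_guid.lower(), SID_ALIASES.get(sid, sid)))
    return aces

def has_right(aces, token_sids, right, object_guid=""):
    """Simplified check: walk the (canonically ordered) DACL, first ACE that
    mentions the right for one of the token's SIDs decides. Object-type ACEs
    (OA/OD) only apply when their GUID matches the requested extended right."""
    token = set(token_sids)
    for ace_type, mask, obj_guid, sid in aces:
        if sid not in token or not (mask & right):
            continue
        if obj_guid and obj_guid != object_guid.lower():
            continue
        if ace_type in ("A", "OA"):
            return True
        if ace_type in ("D", "OD"):
            return False
    return False                     # no matching ACE: access denied

def restore_dn(tombstone_dn, last_known_parent):
    """A tombstone RDN is '<rdn>\\0ADEL:<objectGUID>'; strip the marker and
    reparent under lastKnownParent to get the DN the undelete restores."""
    rdn = tombstone_dn.split(",", 1)[0]
    marker = rdn.find("\\0ADEL:")
    if marker < 0:
        raise ValueError("not a tombstone DN: %s" % tombstone_dn)
    return "%s,%s" % (rdn[:marker], last_known_parent)

def undelete_ldif(tombstone_dn, last_known_parent):
    """LDIF for the undelete modify (MS-ADTS 3.1.1.5.3.7.1): delete isDeleted
    and replace distinguishedName, with the Show Deleted Objects control."""
    new_dn = restore_dn(tombstone_dn, last_known_parent)
    return "\n".join([
        "dn: " + tombstone_dn,
        "control: %s true" % SHOW_DELETED_OID,
        "changetype: modify",
        "delete: isDeleted",
        "-",
        "replace: distinguishedName",
        "distinguishedName: " + new_dn,
        "-", ""])

# Constructed test data (not the real default SD of CN=Deleted Objects).
DELETED_OBJECTS_SDDL = "O:SYG:SYD:PAI(A;;RPWPCCDCLCSWRCWDWOSDDTSD;;;SY)(A;;LCRPLORC;;;BA)"
DELETED_OBJECTS_DENY_SDDL = "O:SYG:SYD:PAI(D;;LC;;;BA)" + DELETED_OBJECTS_SDDL.split("PAI", 1)[1]
NC_ROOT_SDDL = "O:BAG:BAD:(OA;;CR;%s;;S-1-5-21-0-0-0-1104)(A;;RPLCLORC;;;AU)" % REANIMATE_TOMBSTONES_GUID
USER_TOKEN = ["S-1-5-21-0-0-0-1104", "S-1-5-21-0-0-0-513", "S-1-5-11"]  # user, Domain Users, AU
ADMIN_TOKEN = ["S-1-5-21-0-0-0-500", "S-1-5-32-544", "S-1-5-11"]

def can_undelete(token, deleted_objects_sddl=DELETED_OBJECTS_SDDL, nc_root_sddl=NC_ROOT_SDDL):
    """Reanimate-Tombstones on the NC root is what the spec lists; LC on the
    Deleted Objects container is the extra requirement observed in the thread."""
    reanimate = has_right(parse_sddl_dacl(nc_root_sddl), token, RIGHT_CR, REANIMATE_TOMBSTONES_GUID)
    list_children = has_right(parse_sddl_dacl(deleted_objects_sddl), token, RIGHT_LC)
    return reanimate and list_children

if __name__ == "__main__":
    print(undelete_ldif("CN=jdoe\\0ADEL:7f1b0c2e-1111-2222-3333-444455556666,CN=Deleted Objects,DC=samba,DC=example",
                        "OU=Users,DC=samba,DC=example"))
    print("regular user:", can_undelete(USER_TOKEN))
    print("administrator:", can_undelete(ADMIN_TOKEN))
```

Run as a script it prints the LDIF and the two verdicts. The regular user holds the Reanimate-Tombstones right on the NC root yet fails on LC, which is the situation the first message describes; feeding the LDIF to ldbmodify or ldapmodify against a real DC is the positive test, and prepending a deny-LC ACE for Administrators is the negative one.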