CRS: CRS Does Not Strip Entire ACL If It Fails to Find a Valid SID for an Access Denied ACE (164803)
The information in this article applies to:
- Microsoft Commercial Internet System 1.0
- Microsoft Content Replication System
This article was previously published under Q164803 SYMPTOMS
If the Content Replication Server (CRS) is unable to find a valid SID on
the target server during an ACL replication, it will remove the failed
access control entry (ACE) from the ACL but keep the successful ACEs in the
ACL. This creates a security hole if the ACE in question was an access
denied ACE. Under this condition, it is possible for the SID to actually be
granted access to the files, contrary to the intention of the
administrator, if the same SID is a member of a successfully processed ACE
that is granted permission.
RESOLUTION
This is a bug in the release version of MCIS 1.0. It is fixed by MCIS 1.0
Service Pack 2. Now if CRS is unable to find a valid SID it will check to
see if the SID is assigned to a Access Denied ACE. If so, CRS strips all
ACEs from the ACL and grants permission only to the Administrator. If the
CE is not Access Denied, it removes only that particular ACE from the ACL.
For more information on how CRS replicates ACLs, refer to the MCIS Resource
Kit.
STATUS
Microsoft has confirmed this to be a problem in Microsoft Commercial
Internet System version 1.0. This problem has been corrected in the
latest U.S. Service Pack for Microsoft Commercial Internet System
version 1.0. For information on obtaining the Service Pack, query
on the following article in the Microsoft Knowledge Base:
183062 MCIS 1.0 Service Packs 1 and 2 Information
Modification Type: | Major | Last Reviewed: | 10/28/2003 |
---|
Keywords: | kbbug kbfix KB164803 |
---|
|