- DOCUMENT:Q104221 30-SEP-1993 [W_NT]
- TITLE :Windows NT Backup and Security
- PRODUCT :Windows NT
- PROD/VER:3.10
- OPER/SYS:WINDOWS
- KEYWORDS:
-
- -----------------------------------------------------------------------
- The information in this article applies to:
-
- - Microsoft Windows NT operating system version 3.1
- - Microsoft Windows NT Advanced Server version 3.1
- -----------------------------------------------------------------------
-
- SUMMARY
- =======
-
- This article describes and defines Windows NT security as it relates
- to the following aspects of the Windows NT Backup program:
-
- - Tape Security and Access
- - Tape Ownership and Control
- - "Back Up Files and Directories" Right
-
- MORE INFORMATION
- ================
-
- Tape Security and Access
- ------------------------
-
- Tape security is in the form of access restriction to an entire tape
- or family set. The application does not provide restrictions to
- individual sets or files. When creating a new tape, the user has the
- option to restrict access to the tape by selecting the Restrict Access
- check box in the Backup Information dialog box.
-
- Tape Ownership and Control
- --------------------------
-
- Under NTFS, file permission information is written with the files to
- tape. These permissions are kept for restore purposes only and do not
- restrict access to files on the tape. However, the computer name of
- the system the backup was made from and the user name of the person
- who first created a tape or tape set are stored in the tape header.
- Therefore, if you are logged on as MACHINE1\USER1, you cannot read
- secure tapes created by MACHINE2\USER1. These are considered two
- separate individuals. This allows enforcement of minimal restrictions
- to tape access.
-
- Access is controlled at the "tape" level. No attempt is made to
- restrict access at the backup set or to individual files on the tape.
- The "Restrict Access to Owner or Administrator" check box designates
- the tape as a "secure" tape. If restricted access is enabled, Windows
- NT Backup protects the tape by creating a password from the user name
- and computer name. The tape can then be accessed with the backup
- software by only the following:
-
- - The system administrator, who has access to all tapes.
-
- - The person who created the tape originally. In this case, you must be
- logged on to the computer where the tape was originally created.
-
- - A person with the "Back up files and directories" right.
-
- Any of these people are allowed to read, write, or erase the tape.
- Persons without the "Back up files and directories" right cannot
- modify the tape unless they created it by writing the first backup
- set. This prevents the accidental or deliberate erasure of information
- by anyone other than the tape's owner (the person who first wrote the
- tape), a backup user, or a system administrator.
-
- For tapes being written to transfer files between computers,
- "restrict access" should not be selected. For nonrestricted tapes,
- anyone would be allowed to read, write, or erase the tapes.
-
- Note that user-supplied passwords are not used for security purposes
- because they are easily forgotten. The proliferation of password use
- with various utilities can compromise security when the logon password
- is used in multiple places.
-
- Without the use of data encryption, tapes are not considered truly
- secure, and should be physically secured to protect sensitive data.
- The backup utility cannot prevent deliberate erasure of information
- from a tape. Security identification (SID) information is not used by
- Windows NT Backup.
-
- "Back Up Files and Directories" Right
- -------------------------------------
-
- Under NTFS, an Access Control List (ACL) is used to control each
- person's rights to system resources. Windows NT Backup will usually
- not back up drives, volumes, directories, or files to which you do
- not have access privileges. Your ACL restrictions are inherited by the
- application at runtime. The exception is when you have the "Back up
- files and directories" right. Under this exception, you are able to
- back up and restore drives, directories, and files to which you would
- otherwise not have access. The "Back up files and directories"
- right allows you to bypass ACL protection in order to back up
- another's files. In addition to being able to read the files, the
- "Back up files and directories" right allows Windows NT Backup to
- update the "archive" bit in the file header. Windows NT Backup checks
- for the existence of the "Back up files and directories" right for the
- active user, enables the associated rights while processing files, and
- disables these rights when backup/restore operations are complete.
-
- Additional reference words: 3.10
- KBCategory:
- KBSubCategory: 32ap
-
- =============================================================================
-
- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
- PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
- ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
- OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
- EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
- ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
- CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
- MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
- OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
- SO THE FOREGOING LIMITATION MAY NOT APPLY.
-
- Copyright Microsoft Corporation 1993.