Office 2007 NTFS Permissions problem

Comptroller

In my testing, I've noticed that Office 2007 seems to require much higher
permissions to perform tasks than 2003. In Office 2007, I need to grant
users "Modify" access to save changes to files versus "Write" access using
Office 2003.

For example, if a user with the permissions "Read & Execute", "Read" and
"Write" tries to save a Word or Excel 2003 file after making changes,
everything is fine. However, if he uses Office 2007, he gets an "Access is
Denied" error when trying to save the changes. Now, if I give him "Modify"
access to the file, he is again able to save the changes.

Obviously, from a security viewpoint, this is a problem and a major step
backwards.
Has anyone else experienced this issue? Do you know how to correct it?
 
Harlan Grove

Comptroller said:
For example, if a user with the permissions "Read & Execute", "Read"
and "Write" tries to save a Word or Excel 2003 file after making
changes, everything is fine. However, if he uses Office 2007, he
gets an "Access is Denied" error when trying to save the changes.
Now, if I give him "Modify" access to the file, he is again able to
save the changes.

Obviously, from a security viewpoint, this is a problem and a major
step backwards.
....

You don't understand what's going on or how file saving works in
Office 2003. Word and Excel 2003 save working COPIES of open files on
disk. The copies remain OPEN while they're open in Word/Excel. When a
user saves the file, Word/Excel 2003 writes the copy of the file to
disk, AND IF SUCCESSFUL deletes the original and renames the copy with
the original filename.

In Word/Office 2007 it may be the case that Word/Excel 2007 CLOSE the
copies then try to reopen them when the user tries to save the file.
That would require modify permission because the file wasn't already
open when trying to save. THIS IS A GUESS.

However, if users can ERASE files, then there's NO EFFECTIVE
DIFFERENCE between giving them read+write+erase permissions or read
+write+modify+erase permissions. Note that if users didn't have erase
permission they'd have received many error messages when saving files
in Word/Excel 2003.

While there are low-level differences between MODIFYING a file in
place (opening existing files for write access) vs WRITING a new
version of the file, erasing the old version, then renaming the new
version with the old version's filename (never need to open the old
version after it's been read into memory), the end result is EXACTLY
the same.

Separate modify permission comes from the old days when some users
could create NEW files but neither erase nor modify any existing files.
Some transaction systems depended on this. However, it ONLY makes
sense in highly specialized processing scenarios, NOT (as in, NEVER)
normal user working directories in which users are creating, revising
and deleting files all the time.
 
Comptroller

Harlan,

While I take your point about erasing the internals of a document being akin
to deleting it, there are some glaring problems with your answer.

The likelihood of a user accidentally erasing the contents of a file is low,
but accidentally deleting the entire file...an entire folder...an entire
directory? When you start elevating privileges, it elevates the possibility
of, and the damage caused by, mistakes. Not to mention intentional mischief.

Deleting a document also deletes version history, while erasing a document
does not. You're saying that I will have to audit all of my directories
instead of relying on document version history to see who makes changes to a
file. No thanks.

The need to completely change the existing NTFS structure on thousands of
folders and tens (if not hundreds) of thousands of files is not a simple
change, especially in a tiered support organization where managers, asst
managers, project managers, etc. need to be informed of the modifications
that IT is making to their files.

Viruses/malware are an ever-present threat. Escalating a user's access to
folders/files greatly increases the risk should something malicious enter
your environment.

Finally, it's just poor design that requires an INCREASE in users' rights to
allow them to continue performing their day-to-day duties.

The least MS could do is provide an EXPLANATION as to why such a change was
made; a little documentation would go a long way. So much for the more
security conscious Microsoft.
 
