CRS: CRS Does Not Strip Entire ACL If It Fails to Find a Valid SID for an Access Denied ACE

ID: Q164803


The information in this article applies to:
  • Microsoft Commercial Internet System version 1.0
  • Microsoft Content Replication System


SYMPTOMS

If the Content Replication Server (CRS) is unable to find a valid SID on the target server during an ACL replication, it will remove the failed access control entry (ACE) from the ACL but keep the successful ACEs in the ACL. This creates a security hole if the ACE in question was an access denied ACE. Under this condition, it is possible for the SID to actually be granted access to the files, contrary to the intention of the administrator, if the same SID is a member of a successfully processed ACE that is granted permission.


RESOLUTION

This is a bug in the release version of MCIS 1.0. It is fixed by MCIS 1.0 Service Pack 2. Now if CRS is unable to find a valid SID it will check to see if the SID is assigned to a Access Denied ACE. If so, CRS strips all ACEs from the ACL and grants permission only to the Administrator. If the CE is not Access Denied, it removes only that particular ACE from the ACL. For more information on how CRS replicates ACLs, refer to the MCIS Resource Kit.


STATUS

Microsoft has confirmed this to be a problem in Microsoft Commercial Internet System version 1.0. This problem has been corrected in the latest U.S. Service Pack for Microsoft Commercial Internet System version 1.0. For information on obtaining the Service Pack, query on the following article in the Microsoft Knowledge Base:

Q183062 MCIS 1.0 Service Packs 1 and 2 Information

Additional query words: crs mcis sp2

Keywords :
Version : winnt:1.0
Platform : winnt
Issue type : kbbug


Last Reviewed: January 19, 2000
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.