One of the tenants of information security is CIA – Confidentiality, Integrity and Availability.The following is an example of how integrity and availability of data is compromised, and an example of how to lessen the impact. I know some people will make suggestions on best practices. Bear in mind, that there are some brilliant examples of best practice. I’m more than in favor of doing them, but how this fits with how your current network set up works, depends on various things, ensuring BAU is key. Issue:
My organization moved from Novell to Microsoft. I have to admit, I liked NFS and setting up groups and shares was a breeze. It was quick and easy to fix problems, too.Of course, who hasn’t had the dreaded support call?“I’ve lost my folder.”“Which one?”
“The yellow one.” (that has really happened before)“When did you last see your folder?”
“I don’t know – you’re IT can you get it back?”“Yeah sure we have tape backups that go back 3 years.”
“Really?” (getting hopes up)“No – 3 weeks.”
“Oh…..”“Where did you last see your folder?”
“I don’t know”Hmmmm…….“What was the folder called?”
“Finance, I think?” I think?
Good old detective work always saved the day, usually, and it was usually quick to resolve, assuming no one had purged the volumes and the tape backups were intact.Not blowing my own trumpet here, but a clear advantage I had was I had a great understanding of our data, who it belongs to, who has access to it and where it might end up if moved. I also have an understanding of the value of that data. I have this knowledge because I made a point in investing the time to know. It helps with troubleshooting no end. I found I was able to resolve issues quickly; the problem seems to be if other people were involved in fixing.Fast forward to migration to Microsoft, things are not so clear cut.This is because of traversal rights. With Novell, if someone moved folder A into folder B, you could expand the now visible folder B and spot folder A as the actual user. Under Microsoft, if User A moved folder A into Folder B, and another user rang up the helpdesk complaining folder A had “disappeared”, then you don’t have traversal rights as the user when remoting the session to spot where it is.I mentioned CIA. Data that is moved is a lack of availability – certainly whilst people are floundering trying to figure out where it has gone. Depending on who is involved in resolving the problem, data that is restored can present an issue with integrity. If the data has moved and someone restores the data instead, there are now two copies, and clearly someone (the person that moved the data) could be updating the wrong version – version control issues = integrity issues.Drag and drop is a common problem, and one that was widely reported on the internet. Below are the issues that arise. Risk:
- Main folders are being dragged from the root or main folder, and dropped into a neighboring folders (availability)
- Data is restored, as this is not located in a timely fashion – this results in out of date data (integrity)
- Data is restored, but original data is found later – this causes version control issues, and also adds files/folders to backup tape (integrity)
- Mistakes can be made in trying to rectify the problem – namely access/group rights, and replication of data (availability/integrity)
- There is no audit control, if something is moved – we do not know who did it.
I understand the last one there could be some audit control if you purchase the necessary tools ($$$), but if budget is an issue, then not everyone will have that luxury.If users have rights to folders, they can move them. If it is moved to a nested folder somewhere else – you have no chance in finding it quickly. There is no file creator owner to indicate who did it at the time – as the folder has just moved. We still have the issue of users aware they have done something accidental, but not sure what and not fully aware of what they did. And, they don’t call IT Support – hey it’s Friday, IT can sort it on Monday, or “that’s not my problem.”Surely. there must be a way of stopping this from happening? This was causing a lot of issues. I broached this subject with fellow server engineers. The answer was “no, not really”.Hmmmm…… being someone that likes a challenge and I can be pretty persistent, I can see the benefit of fixing something that would reduce support man hours and availability/integrity issues. I figured it was worth my while to do some digging on this to find a fix. A couple of hours research to fix many man hours of effort and hassle seemed like a good investment to me?Google was not forthcoming; I quickly found that to get your answer you really had to tweak your search criteria and try different things – and boy did I try. After a couple of days I struck gold.I’m hoping this article will make this problem more visible for people searching for this fix. Resolution:
Under Windows 7 it is incredibly easy to accidentally click and drag a folder and drop it somewhere.It has been identified most incidents involve a list of folders, and the top folder is usually accidentally dragged into the next one down. This is the most common issue. This is the most obvious place to look, assuming it was the same person with access to both folders that logged the call.When the mouse button is used to click on a folder and the mouse is moved more than 4 pixels, drag and drop is invoked. By amending the setting to 40 pixels, the arrow will change to a hand and a user has to move the mouse pointer beyond the first folder (40 pixels) to invoke drag and drop, they can then put the folder in the next one down or any other folder if they desire. Dragging folders belong 40 pixels into a desired folder will still work. The idea is to minimize the number of support calls generated by user error.
Fig.1 – with fix in place, attempting to drag Templates to 1_Service_strategy
Fig. 2 – with fix in place, attempting to drag Templates to 3_Service_transition In the above examples, if a user did want to move Templates to 1_Service_strategy, then they would hold and drag beyond the folder then back to the intended folder.The nature of the fix is to ensure quick successive clicks do not cause accidents.If a folder is moved into the next folder – it indicates that someone wanted the folder to be there, the intention of the fix is to prevent accidental moving of folders.To have this fix in place, it's a simple registry fix and can be applied by GPO. Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Control Panel\Desktop]"DragHeight"="4" - change 4 to 40"DragWidth"="4" - change 4 to 40 If you're feeling mischievous, you could set this to something larger than the screen resolution, this depending on your viewpoint prevents any drag and drop at all, or a fairly annoying denial of service.
I hope this is of use to someone; it certainly reduces a lot of unwanted helpdesk calls.