T 2.116 Data loss relating to copying or moving data in Windows Server 2003 or higher

Moving and copying objects or entire subtrees to or from directories involves several, sometimes hidden, procedures that can render the moved data objects and directory structures unusable. For the most part, the threat originates not from individual users but from administrators, since they sometimes need to move large or system-critical databases.

A classic threat, often encountered in migration scenarios, arises when file system objects are moved across media or system boundaries. The data is not checked at the destination before it is removed from its original location, so the data affected by the move may be lost.

Less obvious is the behaviour of object meta-information, such as access authorisations or other attributes, that applies to several objects at the same time. Directory structures often contain complex authorisation structures with automatic inheritance mechanisms that take effect differently at the source and at the destination. For example, under Microsoft Windows, moving a file carries the existing file authorisations over to the destination, whereas copying a file resets the authorisations at the destination according to the rules that apply there. A prerequisite, of course, is that the destination is able to interpret the authorisations and other meta-information correctly. Otherwise, authorisation structures developed over a long period can be lost all at once.

The effects of copying and moving mechanisms can differ between individual components; in Windows Server 2003, for example, between the file system, the component services, the Internet Information Services (IIS), and Active Directory. Insufficient knowledge of the operating concepts underlying these mechanisms, combined with a lack of thoroughness, can quickly lead to data loss and incorrect system configurations.

Unexpected effects when copying and moving data may also stem from the underlying system components used to store and generate objects and directories. Examples in Windows Server 2003 include the Distributed File System (DFS), Active Directory, and the Encrypting File System (EFS). A copy or move within EFS involves read and write steps for temporary storage and cryptography, accesses certificate services, and stores public keys as meta-information. If inexperienced personnel copy or move files and directory trees, the data can quickly become unavailable or incomplete, or its confidentiality can no longer be guaranteed.

In the NTFS file system in particular, unexpected effects can arise in files due to Alternate Data Streams (ADS). Alternate Data Streams are invisible sections of a file in which Windows Server 2003 can store additional information such as time zone information or icons.

The command line and Windows Explorer handle Alternate Data Streams differently. Through move and copy operations, an ADS can be changed accidentally or intentionally, be lost, or be filled with content without the user's knowledge. If it is not adequately protected by suitable file authorisations, an ADS can become a very dangerous point of attack.

Example:

On a domain controller, the Windows command xcopy is used to copy the contents of the system drive to another hard disk partition. The command is called with parameters that also copy the SysVol folder. After the copy operation, the data on the system drive are no longer needed and are deleted recursively (e.g. using rd /s). After the copy, however, not all of the information normally replicated through the SysVol folder (e.g. group policy objects, logon scripts) is still available on this domain controller. This is due to the structure of the SysVol folder, which contains connection points (referred to as junction points) to DFS shares replicated using the File Replication Service (FRS). In this case, xcopy does not copy the full contents of these shares but only the junction points themselves. The recursive delete performed afterwards follows the copied junction points into the original DFS shares and deletes some of their contents, provided the effective authorisations permit this. In certain circumstances, the deletion is then replicated to the other domain controllers, so that operations throughout the domain are disrupted. The problem can only be eliminated by restoring the system status everywhere from data backups.
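The following Python script is an added example and not part of the catalogue entry. It shows the two checks an administrator would want before recursively deleting a tree that has just been copied: an audit that lists reparse points (NTFS junction points; on other platforms a symbolic link stands in for them) without descending into them, and a comparison of source and destination contents so that nothing is removed before it has been verified at the destination. The directory layout it builds in a temporary directory is constructed for the demonstration: a `sysvol` tree containing a link named `domain` that points at a separate `replica` tree, and a `backup` tree holding only what a link-unaware copy of `sysvol` would have produced. The function and path names are the example's own.

```python
# Added example (not part of the BSI catalogue text): audit a tree for
# reparse points and verify a copy before allowing a recursive delete.
# On Windows, junctions are recognised via FILE_ATTRIBUTE_REPARSE_POINT;
# elsewhere a symbolic link plays the role of the junction in the demo.
import hashlib
import os
import stat
import tempfile


def is_reparse_point(path):
    """True for symlinks, and on Windows for any NTFS reparse point
    (directory junctions and volume mount points carry the attribute)."""
    if os.path.islink(path):
        return True
    attrs = getattr(os.lstat(path), "st_file_attributes", 0)  # Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def audit_tree(root):
    """Walk root without descending into reparse points.
    Returns (regular_files, reparse_points), both sorted, relative to root."""
    files, reparse = [], []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        rel_dir = os.path.relpath(dirpath, root)
        # Prune linked directories explicitly rather than relying on os.walk's
        # own junction handling, which differs between Python versions.
        for d in list(dirnames):
            if is_reparse_point(os.path.join(dirpath, d)):
                reparse.append(os.path.normpath(os.path.join(rel_dir, d)))
                dirnames.remove(d)
        for f in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, f))
            (reparse if is_reparse_point(os.path.join(dirpath, f)) else files).append(rel)
    return sorted(files), sorted(reparse)


def files_reached_when_following_links(root):
    """Files a recursive operation touches when it follows links, i.e. the
    behaviour the catalogue attributes to rd /s on the copied junctions."""
    reached = []
    for dirpath, _, filenames in os.walk(root, followlinks=True):
        for f in filenames:
            reached.append(os.path.normpath(os.path.relpath(os.path.join(dirpath, f), root)))
    return sorted(reached)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_copy(src, dst):
    """Compare every regular file under src with its counterpart under dst.
    Returns {'missing': [...], 'mismatch': [...]}; both empty means complete."""
    src_files, _ = audit_tree(src)
    missing, mismatch = [], []
    for rel in src_files:
        target = os.path.join(dst, rel)
        if not os.path.isfile(target):
            missing.append(rel)
        elif sha256_of(os.path.join(src, rel)) != sha256_of(target):
            mismatch.append(rel)
    return {"missing": missing, "mismatch": mismatch}


def safe_to_delete(src, dst):
    """Only allow the delete if src holds no reparse points (the delete could
    otherwise reach outside the tree) and dst holds a verified complete copy."""
    _, reparse = audit_tree(src)
    result = verify_copy(src, dst)
    return not reparse and not result["missing"] and not result["mismatch"]


def build_demo():
    """Constructed layout: replica/ holds the replicated content, sysvol/ has a
    local file plus a link 'domain' -> replica/, backup/ is a link-unaware copy."""
    tmp = tempfile.mkdtemp(prefix="junction-demo-")
    replica = os.path.join(tmp, "replica")
    os.makedirs(os.path.join(replica, "Policies"))
    with open(os.path.join(replica, "Policies", "policy.ini"), "w") as fh:
        fh.write("[General]\nVersion=1\n")
    sysvol = os.path.join(tmp, "sysvol")
    backup = os.path.join(tmp, "backup")
    for d in (sysvol, backup):
        os.makedirs(d)
        with open(os.path.join(d, "readme.txt"), "w") as fh:
            fh.write("local file\n")
    os.symlink(replica, os.path.join(sysvol, "domain"), target_is_directory=True)
    return sysvol, backup, replica


def run_demo():
    """Run the audit and the copy verification; then simulate an incomplete
    copy by removing a file from the backup and verify again."""
    sysvol, backup, _ = build_demo()
    files, reparse = audit_tree(sysvol)
    out = {
        "files": files,
        "reparse": reparse,
        "followed": files_reached_when_following_links(sysvol),
        "before": verify_copy(sysvol, backup),
        "safe_to_delete": safe_to_delete(sysvol, backup),
    }
    os.remove(os.path.join(backup, "readme.txt"))
    out["after"] = verify_copy(sysvol, backup)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In the constructed layout the audit reports `domain` as a reparse point and refuses the delete, while the link-following walk shows that `policy.ini` inside `replica` would have been reached by a delete that follows the link; the second verification, after a file is removed from `backup`, reports it as missing. On a real Windows system the same audit should be run against the source tree before `rd /s`, and the reparse points it lists excluded or removed as links rather than deleted recursively.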