RE: DACLS for software distribution points...



The question arose in my mind during a recent SANS course where the
instructor bemoaned the fact that the EVERYONE group was just that-EVERYONE.
Now the caveat mentioned that the EVERYONE group is more secure than it USED
to be was not mentioned(I don't think think it was and I can't find it in
the SANS coursework either). It became highlighted this week as I'm setting
up some new software distro points. Which just shows me that things change
all the time and no-one can keep up with everything.

Sorry Susan-I got confused here;
Look at the last batch of patches and while the 2000's can' be nailed
from anon connections

can' or can't? Didn't know if a 't' got missed off here.


Regards
Murad Talukdar

-----Original Message-----
From: Laura A. Robinson [mailto:larobins@xxxxxxxxxxxxxxxx]
Sent: Tuesday, July 11, 2006 2:47 AM
To: 'Jeffrey Wei'; focus-ms@xxxxxxxxxxxxxxxxx
Cc: talukdar_m@xxxxxxxxxx
Subject: RE: DACLS for software distribution points...

Domain Users != Authenticated Users. If you use Domain Users for the DACL,
users (and computers) from any other domain in the forest will not be able
to access the share. In a single-domain environment or when you only want
one domain to be able to access the share, this is fine, but otherwise,
using Authenticated Users may be a better approach.

Having said that, we've had many, many discussions on this list about the
exact differences between the Everyone group and the Authenticated Users
group, and the reality is very likely that you're just increasing your
maintenance without increasing security, depending on the composition of the
domain in question (e.g., Win2K3 versus Win2K versus NTSP4+ versus NTSP4-,
etc.). The difference between the two groups may simply be the built in
Guest account and nothing else.

Laura

-----Original Message-----
From: Jeffrey Wei [mailto:jeffrey.wei@xxxxxxxxx]
Sent: Thursday, July 06, 2006 6:29 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Cc: talukdar_m@xxxxxxxxxx
Subject: RE: DACLS for software distribution points...

What I normally do is remove the "Everyone" and replace it
with "Domain Users".. which in itself means that it will have
to be authenticated users before they can read file folders only.

Not sure how everyone else does it?

Jeffrey Wei

-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m@xxxxxxxxxx]
Sent: Wednesday, July 05, 2006 6:02 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: DACLS for software distribution points...

Hi all,
MS says in this article that the DACLS for software
distribution points should be EVERYONE: READ and
Administrator: Full Control, Change, Read.

http://technet2.microsoft.com/WindowsServer/en/Library/45a873d
d-660d-4de
6-aa
c4-8a03974796121033.mspx?mfr=true

Why shouldn't the EVERYONE be removed and replaced with
Authenticated Users?
I was thinking of doing this and can't really see any adverse impact.

Kind Regards
Murad Talukdar






--------------------------------------------------------------
----------
---
--------------------------------------------------------------
----------
---

---
[This E-mail scanned for Spam and Viruses by
http://www.innovationnetworks.ca]


--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------






---------------------------------------------------------------------------
---------------------------------------------------------------------------