Re: Permissions
From: Nexus (nexus06@drxlabs.com)
Date: 12/10/02
Date: Mon, 09 Dec 2002 15:32:26 -0800
From: Nexus <nexus06@drxlabs.com>
To: Chris Berry <compjma@hotmail.com>
If what you have is working well (I assume you have some kind of 'image'
or something), then I would just use the Sysinternals tools to understand
more of what's going on, and test an image with the newer permission set.

And with your current permission set, users have full control over way too
many directories (I have a like issue, having to run old apps based on NT
and such).

Other than users being able to make changes and such, you have security
issues with viruses and webpage exploits having access to the /winnt and
/system and /system32 folders and being able to totally get into a system.
But ultimately it is you who has to decide on a security model and a
standard image.

But: having security groups is hard to set up, but makes admin way easier,
because you can easily remove access from an app by just removing said
person from the security group. If you're on a Win2k AD you can even set
up GPOs for software uses and access & times and such.

It's all about your needs and how much time you can spend setting it
all up. But once up it's much better.
Nexus
Chris Berry wrote:
>> From: Nexus <nexus06@drxlabs.com>
>> Go to sysinternals.com; there are lots of good tools there that, when
>> run before you run an app, will tell you what it is accessing,
>> including reg keys, DLLs, etc...
>
>
> Hmm, I might try that. I wonder if it's worth it though, I'm pretty
> paranoid when it comes to security, but this just sounds like an
> administrative nightmare. What is it that you think a user could do
> with the permissions I mentioned that they couldn't with the ones
> you're suggesting? I mean you're going to have to give them some
> write permissions in order for some of your apps to work, and then all
> they have to do to install software is direct it to one of those
> directories.
>
>> Another group you can utilize is Authenticated Users; this group will
>> make sure a user is 'authenticated'.
>> This group is in lieu of the 'Everyone' group.
>
>
> I pretty much never use the everyone group except where it is already
> installed. I tried setting up one machine where I removed the
> everyone group and gave explicit permissions instead, but win2k choked
> on that big time, revealing the fact that many M$ processes depend on
> the base permissions in order to function. (bad coding practice if
> you ask me)
>
> Chris Berry
> compjma@hotmail.com
> Systems Administrator
> JM Associates
>
> "Live dangerously, overclock your servers."
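One way to check the concern raised in this thread, that broad groups hold write-level rights on system directories, is to list the matching ACEs before and after changing the permission set on a test image. This is an added example, not part of either poster's message; the group names (English-locale spellings), the list of roots and the function name Get-BroadWriteAce are assumptions to adjust for your image.

```powershell
# Assumed broad groups (English-locale names) and assumed directories to audit.
$BroadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$Roots = $env:SystemRoot, (Join-Path $env:SystemRoot 'System32'), $env:ProgramFiles

# Only the bits that let someone create, replace or re-permission files.
# Modify/FullControl are not used as masks because they also contain read bits.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs may carry raw generic rights instead of file-specific ones.
$GenericBits = 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE

function Get-BroadWriteAce {
    param([string[]]$Path, [switch]$Recurse)

    $dirs = foreach ($p in $Path) {
        Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
        if ($Recurse) {
            Get-ChildItem -LiteralPath $p -Directory -Recurse -ErrorAction SilentlyContinue
        }
    }

    foreach ($d in $dirs) {
        # Skip directories whose ACL cannot be read with the current token.
        try { $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction Stop } catch { continue }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadGroups -notcontains $ace.IdentityReference.Value) { continue }

            $rights = [int]$ace.FileSystemRights
            if (($rights -band ($WriteBits -bor $GenericBits)) -eq 0) { continue }

            [pscustomobject]@{
                Path      = $d.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Top-level check; add -Recurse to walk subdirectories (slow on a full system root).
Get-BroadWriteAce -Path $Roots | Sort-Object Path, Identity | Format-Table -AutoSize
```

Running it against both the current image and the test image gives a directory-by-directory comparison of what the two permission sets allow.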