RE: XP security permissions

From: Steve McLaughlin (steve_at_Lan.com.au)
Date: 01/20/04

  • Next message: P Cannon: "RE: Windows Remote Desktop" 
    To: <security-basics@securityfocus.com>
Date: Wed, 21 Jan 2004 09:51:23 +1100

    Firstly, it is good practice to keep things as simple as possible,

    You should add all of the restricted users to their own group, and then
    remove them from all other groups except the group you created and the
    inbuilt users group. This should keep things restricted enough. And they
    will not be able to install programs or tweak your system very much. The
    inbuilt USERS group is used for very restrictive use as you require.

    This will also protect your OS from harmful deletion of important system
    files.

    As for all the permissions you mentioned, it is ok to leave them all as
    default, unless you want to explicitly deny permission to a specific folder.
    In which case you would use the group you created to set the permissions.
    And not the inbuilt groups.

    Also, It sounds like you may have tweaked the privileges on the folders a
    bit more than you should have, in which case, it may be easiest to reformat
    and start again.

    steve mclaughlin | enlite technology
    (MCSA, A+, Network+, Server+)
     

    -----Original Message-----
    From: J. Yoon [mailto:supercool9000@hotmail.com]
    Sent: Tuesday, 20 January 2004 10:07 PM
    To: security-basics@securityfocus.com
    Subject: XP security permissions

    Please advise on a proper way to set folder permissions on XP
    without having my programs crash and other friends/users complaining too
    much.

    I want to give full permission to myself and administrators. The other 2
    accounts "friends/family" in my box, i don't want them to mess with any
    system settings but still want to give them the option of installing some
    softwares at a designated folder, run MS office/webbrowse/messenger/games...

    As for everyone else, is it possible to default deny all access? Seems like
    when I put Deny Everyone, it denies access to even myself.

    1) In the Program Files folder and WINDOWS folder,
    which folders should I be giving read/write/modify permissions to
    so that programs don't fail when limited/guest users run the programs?

    2) Which folders need SYSTEM and USER?
    I noticed that WINDOWS folder had some of these id's present in the security

    tab.

    3) how should the hidden system folders, page file, recycle, system volume
    information folders
    be set to and to whom shoudl perms be given?

    4) how about Program Files/MSN Messenger, Program Files/Microsoft Office
    Sound /video card driver directories,
    anti virus, firewall dirs

    i noticed that some programs need write privilages to run properly
    should normal users have modify privilages as well for some programs?
    if so which?

    _________________________________________________________________
    Let the new MSN Premium Internet Software make the most of your high-speed
    experience. http://join.msn.com/?pgmarket=en-us&page=byoa/prem&ST=1

    ---------------------------------------------------------------------------
    Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
    course! All of our class sizes are guaranteed to be 10 students or less.
    We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
    and many other technical hands on courses.
    Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
    any course!
    ----------------------------------------------------------------------------

    ---------------------------------------------------------------------------
    Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
    course! All of our class sizes are guaranteed to be 10 students or less.
    We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
    and many other technical hands on courses.
    Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
    any course!
    ----------------------------------------------------------------------------

  • Next message: P Cannon: "RE: Windows Remote Desktop"

    Relevant Pages

    • RE: XP security permissions
      ... >will not be able to install programs or tweak your system very much. ... >In which case you would use the group you created to set the permissions. ... >Please advise on a proper way to set folder permissions on XP ... >We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, ...
      (Security-Basics)
    • Re: Minimum NTFS Permissions - Theres such a thing???
      ... ?2001 Microsoft Corporation. ... HOW TO: Set Minimum NTFS Permissions Required for IIS 5.0 to Work WGID:198 ... " List Folder Contents" ...
      (microsoft.public.inetserver.iis.security)
    • Re: Unable to delete orphaned 1.5 GB System Restore folder
      ... The fact that the tech support is based in India has nothing to do with the ... If so you may want to leave this folder alone. ... down to all children folders because i can set those permissions to ... try deleting from the command line using system by using the AT ...
      (microsoft.public.windowsxp.security_admin)
    • Re: Unable to delete orphaned 1.5 GB System Restore folder
      ... The only computers i fix are my own. ... If so you may want to leave this folder alone. ... it includes all subdirectories with inherited permissions. ... try deleting from the command line using system by using the AT ...
      (microsoft.public.windowsxp.security_admin)
    • RE: no OWA
      ... have the correct permissions was the "inetpub" folder. ... Correct the settings in IIS: ... click to check the "Hide All Microsoft Services" ...
      (microsoft.public.windows.server.sbs)