Re: File access for Everyone

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 12/04/04 

Date: Sat, 4 Dec 2004 04:04:59 -0700

There is a principle of least privilege that has been
a guiding rule since before MS was a company.
It is this you are exploring here, and this that caused
us to want to replace Everyone with such as Users
back in NT4 systems (and, IIRC was why SubInAcls
was first written).

So, the question really is, "Is the Everyone grant needed
where this is being done" and if not, what is sufficient.
Say you determine that only the machine local Users
group is sufficient. Then the next thing to ask is, if the
grant is to Everyone, can any account other than a Users
member actually do anything because of the overly loose
grant? For example, if the file area is not shared, then
the access would have to be by a local login, and if an
account is not in Users it is not going to successfully
log in locally to XP/W2k3. So for those OS versions a
grant to Everyone in a non-shared area is an excessive
grant, but it is not an excessive exposure because other
factors limit the effectiveness of the grant. Now, the
excessive grant is still IMO not good, as consider what
happens when some later does share the area.

The idea is to know what is needed, and then to craft
access control so that all of what is needed, and nothing
else, can be done. The stickiness is in how one judges
the "can", as exampled earlier where ability to log in
was actually the determining factor. 

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Peter Bernhardt" <peter@spammenot.com> wrote in message
news:%23S6KhcY2EHA.1260@TK2MSFTNGP12.phx.gbl...
> I have a security best practice question. I am working with a software
> program that is using API calls to programmitically grant access to file
> directories on a Windows 2003 server to the Everyone group.
>
> Inasmuch as Microsoft changed the default behavior for creating new
folders
> to eliminate access to Everyone, I question the wisdom of opening up a
> folder to Everyone and think that good software does not relax default
> security.
>
> Anyway, I was hoping to get some opinion on this issue and find, if
> possible, any MS recommendations in this area.
>
> I've also found that Windows XP (I think as of SP2) also eliminates
Everyone
> from ACLs. Is this also true in security fixes for other OS's?
>
> TIA
>
>

Relevant Pages

  • Re: Newbie to security
    ... Use sp_grantdbaccess to grant access to the database. ... databases when you are new to security. ... Microsoft SQL Server 2000 SP3 Security Features and Best ...
    (microsoft.public.sqlserver.security)
  • Re: Adding multiple entries for the same user with xcacls...
    ... I am trying to say "grant specific security for GoupA to Subfolders and files only" and "grant specific security for GroupA to This folder only". ... update the existing ACE/ACEs for Principal. ...
    (microsoft.public.windows.server.security)
  • Re: Share Permissions vs NTFS Permissions
    ... Security principle: Never grant more security privileges than ... Always grant the minimum privileges at each opportunity. ... Recommend the tightest possible settings, ...
    (microsoft.public.windows.server.general)
  • Re: Share Permissions vs NTFS Permissions
    ... Security principle: Never grant more security privileges than ... Always grant the minimum privileges at each opportunity. ... Recommend the tightest possible settings, ...
    (microsoft.public.windows.server.general)
  • every interim poets are reluctant and other equivalent engagements are minimum, but will Tony experi
    ... Gawd Richard will grant the furniture, and if Allahdad et al divides it too, the practitioner will wish within the likely inside. ... The Agency's Office of Security thought about it for a week, ... "I was told that the Bureau wanted to get an apartment. ... ORATORY - Speech recognition. ...
    (sci.crypt)