Re: \winnt\system32

From: x y (jamescagney90210@excite.com)
Date: 07/16/02 

From: "x y" <jamescagney90210@excite.com>
Date: Tue, 16 Jul 2002 07:23:55 -0400

I'm not sure changing the whole folder this way is a good idea. You
definitely don't want to remove System from being able to access those
folders. Also, if you run IIS, this would cause problems for IIS, and
possibly other services. Some of those commands you may want your users to
run, like IPCONFIG, or CMD, etc.

I think the usual approach [e.g. by looking at Microsoft group policy
"secure server" templates] is to change the permissions on just the .EXE
files you don't want ordinary users to access so that those .EXE files only
have Administrator and System able to access them.

Download and edit the high security web template using Notepad for a list of
some of the files and for a quick way to be able to apply the new
permissions. [www.microsoft.com/security] Or, look at the security
templates on your windows 2000 system in %windowsroot%\security\template\ or
by doing Start, Run, MMC, and adding the Security Templates snap in. You
can add or cut out the parts of those templates you don't want using either
Notepad or the Security Templates MMC, and/or you can just apply the NTFS
portion of those templates by doing start, run, typing SECEDIT, clicking OK
to get the helpfile describing the command line switches to apply just the
NTFS permissions.

You may also want to search www.microsoft.com/support for "minimum NTFS
permissions" to see a list of minimum NTFS permissions required by IIS and
maybe by Windows.

"alex mook" <amook@housing.ucsb.edu> wrote in message
news:18d3001c22c38$6fbd8fc0$9be62ecf@tkmsftngxa03...
> I have heard that among other directories, the
> \winnt\system32 directory should have the everyone group
> removed from being able to execute commands and only have
> administrators have rights here. Any ideas on security for
> this directory. Would removing the everyone group have
> implications on the normal operations of the operating
> system.
>
> Thanks,
> Alex

Relevant Pages

  • Re: Customzing Security Template Files
    ... As you work with the Security Templates and the Security Configuration ... (which by the way also tells you where the permissions are persisted, ... >>> When configuring a service using the Security Template snapin, ...
    (microsoft.public.security)
  • Re: Normal folder permissions
    ... I thought I had a good technet URL to describe these templates, ... To add Security Configuration and Analysis to an MMC console click ... your My Documents files inherit permissions from the>> My Documents folder and this usually has full permissions for ... >>> What are the normal permissions supposed to be for folders like those>>> in MyDocuments or c:\temp and such? ...
    (microsoft.public.windowsxp.security_admin)
  • Re: converting to NTFS
    ... SECEDIT you have to first import the templates into a brand new security ... just apply the NTFS file permissions, it has the word "AREA" in it. ...
    (microsoft.public.win2000.security)
  • Re: custom security template
    ... Open the .inf templates in the mmc security templates snapin where you will ... have to move them ino the default folder or point to them. ... >;File and Folder Permissions. ...
    (microsoft.public.security)
  • Re: Server 2003 share permissions
    ... > simple share level permission with granular NTFS permissions. ... > this extra security is a good idea. ...
    (microsoft.public.windows.server.general)