Re: Thoughts on removing Everyone:F from root?

From: karl [x y] (jamescagney90210@excite.com)
Date: 08/27/02


From: "karl [x y]" <jamescagney90210@excite.com>
Date: Tue, 27 Aug 2002 07:14:50 -0400


"jessv" <jessv@fox.com> wrote in message
news:93b701c24d54$14bf2ce0$a4e62ecf@tkmsftngxa06...
> Seems to be a big debate here in deploying servers in how
> NTFS permissions should be set. I've been in the mind set
> that Everyone: Full Control should be removed from the
> system root and propagated down through the file system.
> In place add Administrators: Full Control, System: Full
> Control & Creator/Owner: Full control.
>
> The argument here is that the hot fixes and SP are enough
> to secure a corporate environment of 16,000 people. Mind
> you IIS is also loaded in a default configuration on some
> of these boxes (of course IUSER should have rights). Is
> somebody willing to dish out some thoughts from their own
> personal experience? Any difference on a DC?

I personally would worry *first* about being sure the servers are configured
properly... just installing all the patches isn't enough to secure an IIS
server with vulnerable settings, and NTFS permissions alone aren't enough to
prevent a compromise of an insecure server. Some of the compromises would
give an attacker System-equivalent permissions, in which case the NTFS
permissions you described would not stop them.

After the server is securely configured, then I would think that using NTFS
permissions to control what IUSR, IWAM and Everyone have access to is not a
bad idea, though it is possible to waste too much of your time and/or create
a denial of service or other problems fiddling with the permissions if you
aren't careful.
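
Following the reply's caution about causing problems when changing permissions, a read-only inventory of where Everyone currently holds Full Control shows what a change at the root would actually touch. This is an added example, not part of the original posts; `$Root` and `$MaxDepth` are assumed parameters, and it needs PowerShell 5 or later.

```powershell
# Added example: read-only audit, it changes no permissions.
# $Root and $MaxDepth are assumptions; point them at the tree you plan to tighten.
param(
    [string]$Root = 'C:\',
    [int]$MaxDepth = 2
)

$full = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-EveryoneFullControl {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $Path"; return }

    # Request SIDs instead of names so the match works on localized systems.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        # S-1-1-0 is the well-known SID for Everyone.
        if ($ace.IdentityReference.Value -eq 'S-1-1-0' -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $full) -eq $full) {
            [pscustomobject]@{
                Path      = $Path
                Inherited = $ace.IsInherited      # False = set on this folder itself
                AppliesTo = $ace.InheritanceFlags # whether it flows to children
            }
        }
    }
}

# The root itself plus its subfolders down to $MaxDepth.
$dirs = @($Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Depth $MaxDepth `
        -Force -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })

$dirs | ForEach-Object { Get-EveryoneFullControl -Path $_ } |
    Sort-Object Inherited, Path |
    Format-Table -AutoSize
```

Rows with `Inherited` = False are folders where the entry was set explicitly and will not go away when the root ACL is changed; inherited rows follow the parent.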


