Re: Documentation of proper NTFS ACLs
From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 12/10/02
From: "Karl Levinson [x y] mvp" <levinson_k@excite.com> Date: Tue, 10 Dec 2002 16:25:47 -0500
I find that documentation on this is harder to find, probably because you
can open up the Group Policy templates that come with Windows
[windowsroot\security\templates\ folder] using Notepad to see what the
permissions are there. You can use the Group Policy MMC to compare the
templates with your current computer policy to see what needs to be changed,
and you can use the SECEDIT command to apply just the NTFS file permissions
part of the templates.
Other information:
http://securityadmin.info/faq.htm#4.43
"Douglas Swiggum" <Swiggum@Waisman.Wisc.Edu> wrote in message
news:014e01c2a08e$8f62c410$d6f82ecf@TK2MSFTNGXA13...
> Has Microsoft documented proper NTFS ACL listings
> for system folders in Windows 2000 and Windows XP?
>
> The folders of interest are:
>
> C:\
> C:\Documents and Settings
> C:\Documents and Settings\All Users
> C:\Documents and Settings\All Users\Desktop
> C:\Documents and Settings\All Users\Start Menu
>
> The last two are shipped from Dell and Gateway with
> Windows XP as "Everyone - Full Control"; probably other
> OEMs as well. This effectively eliminates all borders
> between users when these systems are added to what is
> thought to be a secure network.
>
> In order to clean up the mess, it would be nice to
> know what the proper ACL settings should be. It would
> also be nice if Microsoft provided a tool for applying
> these ACLs. The CACLS.EXE command is not my idea of
> such a tool. What is needed is some kind of NTFS
> auditing tool that can tell you which common system
> resources are at risk, and then help to plug the holes.
>
> Documentation for other sensitive system resources,
> like C:\Program Files, C:\Windows, etc. would also
> be helpful.
>
> This vulnerability is partially described at
> http://www.kb.cert.org/vuls/id/361065 and
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0034
>
> Regards,
> Douglas Swiggum
> University of Wisconsin, Madison
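
Added example, not part of either message above: a short Python script that reads the [File Security] section of a security template as text (the "open it in Notepad" step, automated) and lists paths where an allow ACE gives Everyone full control. It assumes the `"path",mode,"SDDL"` entry layout; the sample entries are constructed, and the function names are this example's own.

```python
import re

# Constructed sample in the "path",mode,"SDDL" layout of a template's
# [File Security] section; these entries are not copied from a shipped template.
SAMPLE_TEMPLATE = r'''
[File Security]
"%SystemDrive%\Documents and Settings\All Users\Desktop",0,"D:P(A;OICI;FA;;;WD)"
"%SystemDrive%\Documents and Settings\All Users\Start Menu",0,"D:P(A;OICI;0x1f01ff;;;WD)"
"%SystemRoot%",0,"D:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GRGX;;;BU)"
"%ProgramFiles%",2,"D:P(A;OICI;GA;;;BA)(A;OICI;GRGX;;;WD)"
[Registry Keys]
"MACHINE\Software",0,"D:P(A;CI;GA;;;WD)"
'''

ENTRY = re.compile(r'^"([^"]+)",\s*(\d+),\s*"([^"]*)"$')
ACE = re.compile(r'\(([^()]*)\)')
FILE_ALL_ACCESS, GENERIC_ALL = 0x1F01FF, 0x10000000

def file_security_entries(text):
    """Yield (path, mode, sddl) for entries in the [File Security] section only."""
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "file security":
            m = ENTRY.match(line)
            if m:
                yield m.group(1), int(m.group(2)), m.group(3)

def grants_full_control(rights):
    """True for the SDDL tokens FA/GA or a hex mask that covers either right."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return (mask & FILE_ALL_ACCESS) == FILE_ALL_ACCESS or bool(mask & GENERIC_ALL)
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & {"FA", "GA"})

def everyone_full_control(text):
    """Return paths whose ACL has an allow ACE giving Everyone full control."""
    hits = []
    for path, _mode, sddl in file_security_entries(text):
        for ace in ACE.findall(sddl):
            # SDDL ACE fields: type;flags;rights;object_guid;inherit_guid;trustee
            fields = ace.split(";")
            if (len(fields) == 6 and fields[0] == "A"
                    and fields[5] in ("WD", "S-1-1-0")
                    and grants_full_control(fields[2])):
                hits.append(path)
                break
    return hits
```

Calling `everyone_full_control()` on the text of a template, or of a policy exported from a machine, returns the folders to review before the file permissions are applied.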