Re: Everyone Group
From: Steven Umbach (n9zrou_at_nscomcast.com)
Date: 11/18/03
- Next message: Steven Umbach: "Re: Advertising page"
- Previous message: Lex: "Advertising page"
- In reply to: R.N. \(Roger\) Folsom: "Everyone Group"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 18 Nov 2003 04:22:01 GMT
The everyone group does have excessive permissions on a default W2K installation
for the root folder. Generally you can remove it and substitute the users group
with read/list/execute permissions. Of the special accounts you mention, the
system account needs to be in ntfs permissions and usually the creator owner
group has permissions also. The administrators group has full control to all
folders on the computer in a default installation. See the KB link below on MS
recommendations to change the permissions on the root folder. The Windows 2000
Security Hardening Guide is a free download that is an excellent read that has
specific recommendations for ntfs permissions as well as security policy. ---
Steve
http://support.microsoft.com/?scid=327522
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prod
tech/win2000/win2khg/default.asp
http://tinyurl.com/vgd5 -- Same link as above, shorter.
http://www.infosec.uga.edu/windows.html
"R.N. (Roger) Folsom" <anonymous@discussions.microsoft.com> wrote in message
news:01eb01c3ad80$a4eb0270$a601280a@phx.gbl...
> For security, I am considering removing the Everyone Group
> from the NTFS Permissions for the root folders (C:\ and
> D:\) of my Win2k sp4 notebook.
>
> As replacements, I will add at least
> Administrator
> Power Users
>
> And if recommended here, I will add also Users and Backup
> Operators (the Guest account is disabled), although those
> groups are empty.
>
> This is a single user computer, with only one user, and two
> accouts: Administrator, and my non-administrative Power
> User account (which I wish was a mere User account, except
> that I need to use some Legacy applications).
>
> The computer is NOT attached to a Domain, but (when at
> home) it is attached to a workgroup (peer-to-peer) NetBEUI
> network, with two additional computers, both Win98se
> notebooks. It is connected to the internet, but it is NOT
> running a website and it needs no remote access.
>
> My Question is: Does the Everyone group include the
> following accounts, which for some reason are listed in ALL
> CAPS in Win2k permissions tabs:
>
> ANONYMOUS LOGON
> BATCH
> CREATOR OWNER
> CREATOR GROUP
> DIALUP
> INTERACTIVE
> NETWORK
> SERVICE
> SYSTEM
> TERMINAL SERVER USER
>
> If the Everyone group DOES include the above All Caps
> accounts, then if I remove Everyone from NTFS C: and D:
> permissions I assume that I would need to add NTFS
> permissions for at least SERVICE and SYSTEM, and perhaps
> also CREATOR OWNER and GROUP, INTERACTIVE, and NETWORK.
>
> But if the Everyone group does NOT include these All Caps
> accounts, then I would assume that removing the Everyone
> group would NOT require me to add permissions for these All
> Caps accounts, because the operating system would already
> be giving them whatever access they need.
>
> So I need to know whether or not the Everyone group does or
> does not include these All Caps groups, and in any case I
> need to know whether I need to add permissions for these
> All Caps groups as part of replacing the Everyone group.
>
> Thanks for any help.
>
> Roger Folsom
- Next message: Steven Umbach: "Re: Advertising page"
- Previous message: Lex: "Advertising page"
- In reply to: R.N. \(Roger\) Folsom: "Everyone Group"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
