Re: File Permissions
From: Steven Umbach (n9rou_at_n0spam-comcast.net)
Date: 02/04/04
- Previous message: richard: "access denied after changing default domain GPO"
- In reply to: John: "File Permissions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 03 Feb 2004 23:24:02 GMT
The default full control for everyone on the root folder is a security issue
that has been addressed in XP and Windows 2003. Reducing everyone/users to
read/list /execute on that folder makes a lot of sense. In general it is best
not to change folder permissions on the \winnt folder where users are already
limited and can not run many of the command line executables, but of course
limiting access to those files to regular users is not a bad idea keeping in
mind that a critical update or more likely a service pack may change them all
back to default ntfs permissions. Proper permissions are a key component of
securing a computer, but other steps need to be taken also. Complex passwords,
particularly for the administrator account, and renaming the administrator are
also important as is a firewall, critical update, and virus protection including
scanning emails for basic computer security. --- Steve
"John" <John@somewhere.com> wrote in message
news:MPG.1a89a747d1d6c2d9989680@news.telusplanet.net...
> I use Windows 2000 Workstation on a standalone basis, using an ADSL
> connection to the net.
>
> I think I have figured out how to set permissions in such a way that my
> internet connection does not create a security problem. Recognize that
> I don't have any "credentials" in this area, so in doing any of this on
> your own machine you should be careful. I'm not designing space shuttle
> parts on my machine, so I can experiment a bit.
>
> As administrator, I set permissions on drive c as
>
> Administrators - full control
> System - full control
> Authenticated Users - read, list, execute
>
> I deleted "Everyone - full control"
>
> Then I set each subdirectory in the root directory of drive c so that it
> inherits the permissions from the parent object except for c:\winnt
> which I changed so that it shows as:
>
> Administrators - full control
> System - full control
> Authenticated Users - read
>
> I set this same permission on every *file* in the root directory of
> drive c. While I was there I made boot.ini "read only".
>
> Then I created a new account called John - restricted User ie the
> regular built in "User" group. I logged on with this account and tried
> out all my applications. Some usability issues surfaced, because some
> applications need to write to disk and cannot proceed.
>
> For those I went into the program files subdirectory changed permissions
> by clearing the checkbox that says "inherit permissions from parent" and
> setting them as follows:
>
> Administrators - full control
> System - full control
> John - modify,read & execute,List folder contents, read, write
>
> I set the permissions for John just by clicking on the "modify" box and
> all the rest of the permissions filled in automatically, which is what I
> wanted.
>
> The net result of all this was to give John an account to use while
> connected to the internet, and for general use that doesn't allow him to
> damage anything to do with the system.
>
> John cannot write to the root directory of drive c, change permissions.
> By trying to run them I have learned that John cannot affect anything in
> the Admin tools screen, like modify security settings or stop or start
> services.
>
> I also have set the security settings (as administrator) to improve the
> basic policies, using material from various sources and I have turned
> off many unnecessary (for this machine) services. Result of the latter
> is a double win - faster computer from more memory and better security.
>
> There is still some work to do - like limiting permissions to access
> system32 tools - I think that's a real dog's breakfast of a subdirectory
> and I don't know what too many of these tools are for. This will be a
> long job, item by item.
>
> You have to be careful with setting permissions - really be careful with
> propagating changes "downwards" - maybe even "never do that". You can
> accomplish the same thing by setting each file and subdirectory in a
> given location to "inherit from parent". That way if something goes
> wrong you know what caused it, because you are changing things on more
> of a step by step method. And *do* make sure that "system" and
> "administrators" are the first permissions you add, both with "full
> control". This procedure makes sure that you don't do any permanent
> damage.
>
> I did quite a few other things - like turning off ActiveX etc in IE.
> This causes a problem with Automatic Updates which require them. I
> seemed to fix that my placing the update sites in a "trusted zone".
>
> I wrote this because I think I have learned a "cautious approach" to
> changing file permissions that will benefit other users here:
>
> - start at the top of the subdirectory tree
> - make sure to always add administrators and system (both full control)
> - never propagate anything downwards on a full blast basis
>
> I think we all need a little help here to recover from the default
> scenario of "Everyone - full control" that comes with the default
> installation. Microsoft "oughtta be shot" for that along with quite a
> few other things.
>
> John
- Previous message: richard: "access denied after changing default domain GPO"
- In reply to: John: "File Permissions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
