Re: System32 permissions

From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 08/01/04


Date: Sun, 1 Aug 2004 10:52:07 -0400

Toby wrote:
> Hi
> I have Win2000 servers on which I need to apply and
> lockdown permissions.
> Obviously the System group will need to have Full
> permissions and also the administrators group, but I need
> to reduce internal and external vulnerabilities. I've
> created all necessary Group Policies and want to go that
> little further by not allowing normal users to run/access
> programs here.
> So far I've given users read, execute and list permissions
> but I need to narrow this down to only the files required
> for them to login successfully.
> I would like to only have System and administrator group
> with permissions in System32 but realise certain files and
> directories (i.e. Group Policy) need permissions for normal
> users to login successfully...
> Does anyone know what they might be...?

This may be OT but:
1) Your server needs to be physically secured - as in, in a locked room so
users can't log into it
2) Users by default don't have log on locally rights to your servers
3) Unless they have admin rights they can't access your admin shares (c$, d$
etc) from across the network
4) You need good password policies for your users (complex passwords are
good, regular pw changes are a must, etc) and you should manually change
your domain admin pw periodically - users should never know it

So I'd say in that case, unless you have admins you don't trust, you don't
need to bother with modifying NTFS permissions on your system volume - it
can get complicated, and I wouldn't mess with it. Just my $.02.


