Re: System Permissions

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 10/20/04

• Next message: William Hymen: "adding users to shares with scripting"
• Previous message: Miha Pihler: "Re: Patches and hotfixes"
• In reply to: Rob: "Re: System Permissions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Wed, 20 Oct 2004 00:22:50 GMT

Because they need access to files in that folder structure to logon, have
policies applied, and run applications. Explorer.exe for instance is
located in the \winnt folder. If you use the free filemon utility from
SysInternals you can see what files are accessed by a user. Taskmanger can
show processes owned by the user and the associated executable. --- Steve

"Rob" <Rob@discussions.microsoft.com> wrote in message
news:50F5BD55-97F6-4F70-ACF6-59B9090658DF@microsoft.com...
> Is there any reason why the Users group is added to the systemroot
> permissions? It is only read and execute but I was just curious why that
> group is even included.
>
> Thanks
>
> "Steven L Umbach" wrote:
>
>> Assuming you do not need guest access to the computer or are using
>> ancient
>> legacy applications you can remove everyone group from the \winnt folder
>> or
>> at best give it read permissions. The link below is to NSA security guide
>> and downloads. If you view their security templates [ .inf file
>> downloads ]
>> for workstation or server you will see that the everyone group is not
>> included for permissions to the \winnt folder. --- Steve
>>
>> http://nsa1.www.conxion.com/win2k/download.htm
>>
>> "Rob" <Rob@discussions.microsoft.com> wrote in message
>> news:8F47A5ED-0FCE-4336-B7AC-E4B41068CF25@microsoft.com...
>> > Is there a best practice for NTFS permissions on the WINNT directory,
>> > the
>> > Everyone group? If someone could lead me to a resource that would be
>> > great.
>>
>>
>>

---

• Next message: William Hymen: "adding users to shares with scripting"
• Previous message: Miha Pihler: "Re: Patches and hotfixes"
• In reply to: Rob: "Re: System Permissions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Startup Script from AD policy ... and I can't place the executable on the same folder ... >>> permissions ... >>> How can I force the workstations to execute this remote file? ... >> Microsoft MVP Scripting and ADSI ... (microsoft.public.windows.server.scripting) Re: Restrict Users from Installing programs ... permissions to the root/drive folder and be sure to check advanced ... applications will try to create a folder during the install. ... Use local Group policy via gpedit.msc. ... (microsoft.public.win2000.networking) Re: remove user exe execute permission ... be able to read or execute the file. ... In NTFS grant - read and execute ... remove the 'read' permission of that folder. ... (microsoft.public.windows.server.security) Re: Unable to load oci.dll ... aspnet has read and execute permissions to the oracle bin ... permissions to the oracle bin folder and it fails. ... (microsoft.public.dotnet.framework.adonet) Re: HP Scanner Creates problem in second account ... It means there is a problem with permissions on either the program folder or ... Try assigning 'read & execute' ... permissions to the limited account username. ... in the view tab of folder options. ... (microsoft.public.windowsxp.help_and_support)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(13)