Re: MS05-51 Patch, and SystemDrive NTFS permissions

From: Tom Che [MSFT] (v-tomche_at_online.microsoft.com)
Date: 10/19/05


Date: Wed, 19 Oct 2005 11:43:24 GMT

Hi Jim,

Thanks for posting here. Thanks also to our MVP Roger for his kind reply.

Jim, I think Roger is right.

Based on my own tests, on an XP SP2 machine with the latest updates, if I remove
Everyone from the ACL of the Windows\Registration folder, some symptoms occur
as in KB909444; however, if I add Authenticated Users to the ACL of that
folder with Read & Execute permission, everything works fine on the system.

On another Windows 2000 Server with the latest updates, I found that there were
no Everyone entries in the ACLs of the C:\, C:\Windows and
C:\Windows\Registration folders; all were Authenticated Users instead.
And the system also works fine.

So, I think if your current 2000 server system has no problem, you may
safely leave it on. And I think you may use the same configuration in
Windows Server 2003, too.

Hope this helps!

Have a nice day!

Sincerely,
Tom Che
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>From: "Roger Abell [MVP]" <mvpNoSpam@asu.edu>
>References: <OjznT5y0FHA.2328@TK2MSFTNGP10.phx.gbl>
>Subject: Re: MS05-51 Patch, and SystemDrive NTFS permissions
>Date: Mon, 17 Oct 2005 19:48:10 -0700
>
>The info conflicts as they have different origins. The guidance papers
>are, mostly, broadly reviewed and well thought through. KBs are often
>the emission of a content specialist.
>You are not having an issue as the requirement is that accounts that should
>be able to access are granted the needed access, via Authenticated Users
>instead of Everyone, but given the needed permissions nonetheless.
>
>--
>Roger Abell
>Microsoft MVP (Windows Server : Security)
>MCDBA, MCSE W2k3+W2k+Nt4
>"Jim Watts" <j.watts@news.postalias> wrote in message
>news:OjznT5y0FHA.2328@TK2MSFTNGP10.phx.gbl...
>> Hi,
>> I need some help with filesystem permissions, related to the MS05-51
>> patch, and the problems it has thrown up. Note, we are NOT suffering the
>> problems, but the information from MS conflicts.
>>
>> KB909444 (http://support.microsoft.com/kb/909444) states that the MS05-51
>> patch might fail if permissions have been changed on the
>> %windir%\registration. It goes on to say:
>>
>> "Make sure that the Everyone group has one of the following permissions:
>> - Traverse permissions ("List Folder Contents") on all parent directories,
>> including %systemdrive%, %windir%, and %windir%\registration"
>>
>> However, our standard build procedure for Windows 2000 servers is to
>> REMOVE the Everyone right from the root of the system drive. This is based
>> on the "Microsoft Security Operations Guide for Windows 2000 Server"
>> (http://www.microsoft.com/downloads/details.aspx?familyid=F0B7B4EE-201A-4B40-A0D2-CDD9775AEFF8&displaylang=en),
>> page 63, which says that root permissions should be:
>>
>> Administrators: Full control
>> System: Full control
>> Authenticated Users: Read and Execute, List Folder Contents, and Read
>>
>>
>> What's going on? Why do the two pieces of info not match, why has the
>> patch not destroyed my servers, and what exactly should I have set on the
>> root of drive C: for a secure server? While we're at it, what should I
>> have on a Windows 2003 server, as the 2003 version of this guide doesn't
>> even mention file system security in the baseline!
>>
>> Many thanks, especially to any MS staff that would care to comment
>>
>> Jim
>> --
>> Jim Watts,
>> Information Systems Services
>> University of Southampton
>>
>>
>>
>
>
>
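
An added example, not part of the original posts: a PowerShell check of the three folders named in the thread, reporting whether Everyone or Authenticated Users holds an Allow entry that applies to the folder itself and covers Read & Execute. It matches the two principals by well-known SID and looks only at them, so access granted through other groups is not shown.

```powershell
# Well-known SIDs, so the check does not depend on localized group names.
$Principals = [ordered]@{
    'Everyone'            = 'S-1-1-0'
    'Authenticated Users' = 'S-1-5-11'
}

# The folders discussed in the thread: system drive root, %windir%,
# and %windir%\Registration.
$Folders = @(
    "$env:SystemDrive\",
    $env:windir,
    (Join-Path $env:windir 'Registration')
)

$Needed      = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

foreach ($folder in $Folders) {
    # Ask for explicit and inherited ACEs, with identities returned as SIDs.
    $rules = (Get-Acl -LiteralPath $folder).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($name in $Principals.Keys) {
        $sid = $Principals[$name]
        $allow = $rules | Where-Object {
            $_.IdentityReference.Value -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and
            # Skip ACEs that only propagate to children and do not
            # apply to this folder.
            -not ($_.PropagationFlags -band $InheritOnly) -and
            # Every bit of Read & Execute (includes traverse and list).
            ($_.FileSystemRights -band $Needed) -eq $Needed
        }
        [pscustomobject]@{
            Folder            = $folder
            Principal         = $name
            HasReadAndExecute = [bool]$allow
        }
    }
}
```

A build that follows the guide quoted above would show `HasReadAndExecute` as True for Authenticated Users and False for Everyone on the drive root.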
