Share Permissions on NETLOGON and SYSVOL

From: Research Services (key_at_lamar.n0-sp@m.colostate.edu.NO)
Date: 12/28/04


Date: Tue, 28 Dec 2004 08:09:35 -0700

We have been tightening down the security on our Windows 2003 and Windows
2000 Domain Controllers; we are a Child Domain within an Active Directory
Forest.

We are looking at the default share permissions on the NETLOGON and SYSVOL
shares on the DCs and noticed that 'Everyone' has Read on both shares, and
Authenticated Users has Full Control on SYSVOL.

According to the Microsoft KB article below, Authenticated Users should only
have Read access to SYSVOL.

Authenticated Users Group Has Too Many Permissions to the SYSVOL Network
Share

http://support.microsoft.com/default.aspx?scid=kb;en-us;812538

However, we are wondering if we can safely remove 'Everyone' from both
shares, and remove 'Authenticated Users' from SYSVOL, and substitute 'Domain
Users' with Read on both shares instead.

Is this "safe" as far as NOT breaking AD Replication, user logons, startup
scripts, GPOs, etc.?

Considering that we have set RestrictAnonymous to '2' (Anonymous users have
no access without explicit anonymous permissions) AND
everyoneincludesanonymous to '0' (The local Everyone group does not include
anonymous users) on all of our Windows 2000 and Windows 2003 Domain
Controllers (within our own Child Domain).

Thank you for any input or feedback.
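Before changing anything, a practitioner would want to see exactly what the two shares currently grant and what the two LSA values are set to on each DC. The following PowerShell audit script is an added example, not part of the original post or of any Microsoft guidance; it only reports, and changes nothing. It assumes a domain controller running Windows Server 2012 or later (for the SmbShare module) and an elevated session. The share names, the KB 812538 expectation (Authenticated Users should have Read, not Full, on SYSVOL) and the registry value names RestrictAnonymous and EveryoneIncludesAnonymous are taken from the post; the check logic around them is the example's own.

```powershell
# Added audit example (not from the newsgroup post or from Microsoft).
# Reports the share permissions on NETLOGON and SYSVOL and the two LSA
# anonymous-access values the post mentions. Read-only: nothing is modified.
# Assumes: Windows Server 2012+ (SmbShare module), run elevated on a DC.

$shares = 'NETLOGON', 'SYSVOL'

foreach ($share in $shares) {
    Write-Host "== Share permissions on $share =="

    # One row per share ACE: AccountName, AccessControlType (Allow/Deny),
    # AccessRight (Full, Change, Read, Custom)
    $aces = Get-SmbShareAccess -Name $share -ErrorAction Stop
    $aces | Format-Table AccountName, AccessControlType, AccessRight -AutoSize

    # KB 812538 (cited in the post): Authenticated Users should have Read,
    # not Full, on the SYSVOL share. Flag the deviation the post describes.
    $authFull = $aces | Where-Object {
        $_.AccountName -match 'Authenticated Users$' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -eq 'Full'
    }
    if ($share -eq 'SYSVOL' -and $authFull) {
        Write-Warning "SYSVOL: 'Authenticated Users' has Full share permission (KB 812538 recommends Read)"
    }

    # List any 'Everyone' grant explicitly so the team can decide on it,
    # rather than discovering it later.
    $everyone = $aces | Where-Object { $_.AccountName -eq 'Everyone' }
    if ($everyone) {
        Write-Host ("{0}: 'Everyone' is granted {1}" -f $share, ($everyone.AccessRight -join ', '))
    }
}

# The two LSA values named in the post. The poster's settings are
# RestrictAnonymous = 2 and EveryoneIncludesAnonymous = 0; a missing value
# means the OS default applies, so report that distinctly.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa = Get-ItemProperty -Path $lsaKey

Write-Host "== LSA anonymous-access settings ($lsaKey) =="
foreach ($name in 'RestrictAnonymous', 'EveryoneIncludesAnonymous') {
    $value = $lsa.$name
    if ($null -eq $value) { $value = '(not set, OS default applies)' }
    Write-Host ("{0} = {1}" -f $name, $value)
}
```

Run it on each DC in the child domain and compare the output; share permissions are per-server and are not replicated, so two DCs can legitimately differ, which is exactly what an audit like this is meant to surface before any of them are changed.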
