Re: Default NTFS permissions too liberal on newly created volumes



I can't answer for Microsoft, though maybe such decisions were made at a time
when the scales tipped more toward functionality than security and it was up
to users and admins to configure permissions for their needs from there, but
it sounds like your users had excessive share permissions. If they only had
read share permissions they would not have been able to create folders. The
Windows 2003 Server Security Guide and the Threats and Countermeasures Guide
are free for those who want to learn how to lock down their operating
systems from baseline with guidance on legacy, enterprise, and high security
scenarios. They are available at the links below.

--- Steve

http://www.microsoft.com/technet/security/default.mspx
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx

"Mike M" <nospam@xxxxxxxxxx> wrote in message
news:OxMXcj8HGHA.140@xxxxxxxxxxxxxxxxxxxxxxx
> Windows 2003 SP1 server here...
>
> I created a folder called "public" under the z:\ drive, shared it as
> "public", and verified that all users in my department had read-only
> permissions via a certain group. All seemed well until I saw legit data
> folders popping up in this shared folder that was allegedly read-only save
> for the admins. The user was able to create folders and files in the
> public share that was supposed to be read-only!!!
>
> Well...
>
> It seems to me that configuring a secondary volume, named as Drive Z:,
> brings liberal permissions to the root of the drive for the USERS group.
> Drilling down into the advanced security settings window shows 3 separate
> entries for the local-server\USERS group:
>
> --Read & Execute, This folder, subfolders and files
> --Create Folders/Append Data, This folder and subfolders
> --Create Files / Write Data, Subfolders only
>
> I looked at the other servers that we've built and all have the same
> all-too-liberal permission settings for the USERS group. It seems to me
> that USERS can do everything but delete files by default.
>
> Why is Microsoft allowing the USERS group such liberal permissions by
> default? It was a no-brainer to remove the EVERYONE group to tighten
> things up, but this issue seems to make things more difficult to lock-down
> security on file servers. Am I missing something???
>
>
> TIA,
> Mike
>
>
>
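
An added example, not part of either post: a PowerShell audit of the volume-root ACL discussed in this thread. It lists the Allow entries held by broad groups, labels each with the scope wording used in the Advanced Security dialog, and marks the ones that grant create, write or delete rights. The `Z:\` default, the list of broad groups and the helper name `Get-AceScope` are assumptions chosen for illustration.

```powershell
# Added example: audit a volume root for write-type ACEs held by broad groups.
param([string]$Root = 'Z:\')   # assumption: the data volume named in the thread

# Assumption: groups treated as "broad" for this audit.
$broad = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'

# Specific rights that let a principal add, change or remove data.
$writeMask = [int][Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) can appear on inherit-only ACEs.
$genericMask = 0x50000000

# Hypothetical helper: translate inheritance flags into the GUI's "Apply to" wording.
function Get-AceScope($Ace) {
    $ci = ([int]$Ace.InheritanceFlags -band 1) -ne 0   # ContainerInherit
    $oi = ([int]$Ace.InheritanceFlags -band 2) -ne 0   # ObjectInherit
    $io = ([int]$Ace.PropagationFlags -band 2) -ne 0   # InheritOnly
    if ($io) {
        if ($ci -and $oi) { return 'Subfolders and files only' }
        if ($ci)          { return 'Subfolders only' }
        return 'Files only'
    }
    if ($ci -and $oi) { return 'This folder, subfolders and files' }
    if ($ci)          { return 'This folder and subfolders' }
    if ($oi)          { return 'This folder and files' }
    return 'This folder only'
}

(Get-Acl -Path $Root).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $broad -contains $_.IdentityReference.Value } |
    Select-Object @{ n = 'Identity';    e = { $_.IdentityReference.Value } },
                  @{ n = 'Rights';      e = { $_.FileSystemRights } },
                  @{ n = 'AppliesTo';   e = { Get-AceScope $_ } },
                  @{ n = 'Inherited';   e = { $_.IsInherited } },
                  @{ n = 'GrantsWrite'; e = {
                        $r = [int]$_.FileSystemRights
                        (($r -band $writeMask) -ne 0) -or (($r -band $genericMask) -ne 0)
                  } } |
    Format-Table -AutoSize
```

Rows with `GrantsWrite` set to True on the root are inherited by any folder created beneath it, including one that is later shared, unless inheritance is blocked on that folder.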

