Re: Default NTFS permissions too liberal on newly created volumes



You are right. The disk root is secured exactly as you have found. Users only
cannot create anything directly in the root. Lower down, they can create their
own folders and files, and they have full control over their own objects.

Restrict the root folder permissions either manually or by GPO.


O.




"Mike M" <nospam@xxxxxxxxxx> wrote in message
news:OxMXcj8HGHA.140@xxxxxxxxxxxxxxxxxxxxxxx
> Windows 2003 SP1 server here...
>
> I created a folder called "public" under the z:\ drive, shared it as
> "public", and verified that all users in my department had read-only
> permissions via a certain group. All seemed well until I saw legit data
> folders popping up in this shared folder that was allegedly read-only save
> for the admins. The user was able to create folders and files in the
> public share that was supposed to be read-only!!!
>
> Well...
>
> It seems to me that configuring a secondary volume, named as Drive Z:,
> brings liberal permissions to the root of the drive for the USERS group.
> Drilling down into the advanced security settings window shows 3 separate
> entries for the local-server\USERS group:
>
> --Read & Execute, This folder, subfolders and files
> --Create Folders/Append Data, This folder and subfolders
> --Create Files / Write Data, Subfolders only
>
> I looked at the other servers that we've built and all have the same
> all-too-liberal permission settings for the USERS group. It seems to me
> that USERS can do everything but delete files by default.
>
> Why is Microsoft allowing the USERS group such liberal permissions by
> default? It was a no-brainer to remove the EVERYONE group to tighten
> things up, but this issue seems to make things more difficult to lock-down
> security on file servers. Am I missing something???
>
>
> TIA,
> Mike
>
>
>
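
The manual restriction suggested in the reply, sketched as an added PowerShell example (not part of the original thread): it lists the Allow entries on a volume root that give BUILTIN\Users create/write rights and, with `-Fix`, removes them and leaves Users with Read & Execute. The `Z:\` path comes from the thread; the parameter names and the read-only target policy are assumptions.

```powershell
# Added example: audit (and optionally tighten) BUILTIN\Users rights on a volume root.
# Assumptions: Z:\ is the data volume from the thread; elevated session;
# the target policy "Users get Read & Execute only" is illustrative.
param(
    [string]$Root = 'Z:\',
    [switch]$Fix
)

# Well-known SID for BUILTIN\Users, so the match also works on localized systems.
$usersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$fsr      = [System.Security.AccessControl.FileSystemRights]
# CreateFiles/WriteData and AppendData/CreateDirectories share the same bits.
$writeMask = [int]($fsr::CreateFiles -bor $fsr::AppendData)

$acl   = Get-Acl -Path $Root
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

# Allow entries for Users that carry any create/write bit.
$risky = @($rules | Where-Object {
    $_.IdentityReference.Value -eq $usersSid.Value -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $writeMask) -ne 0)
})

if ($risky.Count -eq 0) {
    Write-Output "No create/write entries for Users on $Root"
    return
}
$risky | Format-Table FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited -AutoSize

if ($Fix) {
    foreach ($rule in $risky) {
        if ($rule.IsInherited) { continue }   # inherited entries must be changed at the parent
        $acl.RemoveAccessRuleSpecific($rule)
    }
    # Make sure Users keep read access to this folder, subfolders and files.
    $inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $usersSid, $fsr::ReadAndExecute, $inherit, 'None', 'Allow'
    $acl.AddAccessRule($readOnly)
    Set-Acl -Path $Root -AclObject $acl
    (Get-Acl -Path $Root).Access |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
}
```

Run it without `-Fix` first to review what would change. Entries for other principals are left untouched, and child folders that inherit from the root pick up the new ACL.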