Re: Allow ONLY "Administrator" and "System" groups full control to



Couldn't have explained it any better, Roger.


"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:%23dvNNCsMGHA.3896@xxxxxxxxxxxxxxxxxxxxxxx
What is wrong with it is that plain (non-admin) user accounts need access
to a number of areas in order to function at all, or ever to log in.
This includes accounts that you might want for services, for IIS app pools
or IUsr\IWam user, etc.
All accounts must be able to access quite a few files in the \Windows dir
structure and all will want a profile in Documents and Settings.
Depending on what is done once logged in they will attempt to access
files in Program Files, either for the specific applications or for shared
data, etc.
W2k3 has a fairly reasonable out-of-the-box set of ACLs on the boot
drive. There is some room for tightening when done in the light of the
specific purpose of the server, but for the most part you are better off
leaving the directories under C: that set a new permissions inheritance
point alone. Changing C: itself without impacting the distinctly ACLed
subdirectories is relatively safe, as it mostly just limits creation of
new files and folders at the root level (i.e. Admins full and Users List
for example).

"Ed Flecko" <EdFlecko@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3D71E849-A6A8-413D-B721-9A1013CDB313@xxxxxxxxxxxxxxxx
Hi Allen,
Thanks for your input. :-)

Forgive me; I'm not trying to sound flippant. What's wrong with doing
this? When you say "it's not a good idea"...why not? Do you think I will
encounter some form of difficulties?

I'm, of course, just "thinking out loud", but I can't see why anyone
other than these two groups would need ANY access (even read permissions)
to the default directories and their subdirectories.

Ed

"AllenM" wrote:

Well you will accomplish what you're trying to do and that is it will be
secured. However no one will be able to use it other than the
Administrator.
Not a good idea. Leave the root permissions alone and apply your NTFS
permissions at the folder level.


"Ed Flecko" <EdFlecko@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6BA55846-612C-494B-9B6D-95485031FDEC@xxxxxxxxxxxxxxxx
Hi folks,
I'm setting up a new Server 2003-R2 server. I have added the
Administrators and System groups full control of the C:\ drive, and
removed everyone else. I see, by default, the C:\ drive has a few other
directories and subdirectories, i.e., "Windows", "Program Files", etc.

Since I'm setting this server up from scratch, in an effort to be as
secure as possible, is there anything wrong with selecting the little
check box "Replace permission entries on all child objects with entries
shown here that apply to child objects." I know this will reset all
permissions from the root of C:\ down through all directories, I'm just
wondering if I can expect headaches or if this might be smart to do? I
think it sounds like a smart idea.

Comments? Suggestions?

Thank you,
Ed
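
A read-only way to see the distinction Roger draws between C: itself and the "distinctly ACLed subdirectories", as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later in an elevated session; `Get-InheritanceReport` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Read-only: it changes no permissions.
# Get-InheritanceReport is a hypothetical helper name.
function Get-InheritanceReport {
    param([string]$Root = 'C:\')

    Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            try {
                $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            } catch {
                # ACL could not be read: report the directory instead of skipping it.
                return [pscustomobject]@{
                    Path               = $dir.FullName
                    InheritanceBlocked = $null
                    ExplicitAces       = "unreadable: $($_.Exception.Message)"
                }
            }
            # Explicit (non-inherited) entries are the ones set on the directory itself.
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited } |
                ForEach-Object {
                    '{0} {1} {2}' -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights
                })
            [pscustomobject]@{
                Path               = $dir.FullName
                InheritanceBlocked = $acl.AreAccessRulesProtected
                ExplicitAces       = $explicit -join '; '
            }
        }
}

$report = Get-InheritanceReport -Root 'C:\'

# Directories that set their own inheritance point: an ACL change on C:\ alone
# does not reach them, but "Replace permission entries on all child objects" does.
$report | Where-Object { $_.InheritanceBlocked } | Format-List Path, ExplicitAces

# Directories that inherit from C:\: these are what a root-only change affects.
$report | Where-Object { $_.InheritanceBlocked -eq $false } |
    Select-Object -ExpandProperty Path
```

Saving this output before any change gives a baseline to compare against afterwards.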






