Re: Allow ONLY "Administrator" and "System" groups full control to



Couldn't of explained it any better Roger.


"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:%23dvNNCsMGHA.3896@xxxxxxxxxxxxxxxxxxxxxxx
What is wrong with it is that plain (non-admin) user accounts need access
to a number of areas in order to function at all, or ever to log in.
This includes account that you might want for services, for IIS app pools
or IUsr\IWam user, etc.
All account must be able to access quite a few files in the \Window dir
structure and all will want a profile in Documents and Settings.
Depending on what is done once logged in they will attempt to access
files in Program Files, either for the specific applications or for shared
data, etc.
W2k3 has a fairly reasonable out-of-the-box set of ACLs on the boot
drive. There is some room for tightening when done in the light of the
specific purpose of the server, but for the most part you are better off
leaving the directories under C: that set new permissions inheritance
point alone. Changing C: itself without impacting the distinctly ACLed
subdirectories is relatively safe, as it mostly just limits creation of
new
files and folders at the root level (i.e. Admins full and Users List for
example).
"Ed Flecko" <EdFlecko@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3D71E849-A6A8-413D-B721-9A1013CDB313@xxxxxxxxxxxxxxxx
Hi Allen,
Thanks for your input. :-)

Forgive me; I'm not trying to sound flippant. What's wrong with doing
this?
When you say "it's not a godd idea"...why not? Do you think I will
encounter
some form of difficulties?

I'm, of course, just "thinking out loud", but I can't see why anyone
other
than these two groups would need ANY access (even read permissions) to
the
default directories and their subdirectories.

Ed

"AllenM" wrote:

Well you will accomplish what you're trying to do and that is it will be
secured. However no one will be able to use it other than the
Administrator.
Not a good idea. Leave the root permissions alone and apply your NTFS
permissions at the folder level.


"Ed Flecko" <EdFlecko@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6BA55846-612C-494B-9B6D-95485031FDEC@xxxxxxxxxxxxxxxx
Hi folks,
I'm setting up a new Server 2003-R2 server. I have added the
Administrators
and System groups full control of the C:\ drive, and removed everyone
else. I
see, by default, the C:\ drive has a few other directories and
subdirectories, i.e., "Windows", "Program Files", etc.

Since I'm setting this server up from scratch, in an effort to be as
secure
as possible, is there's anything wrong with selecting the little check
box
"Replace permission entries on all child objects with entries shown
here
that
apply to child objects." I know this will reset all pemissions from
the
root
of C:\ down through all directories, I'm just wondering if I can
expect
headaches or if this might be smart to do? I think it sounds like a
smart
idea.

Comments? Suggestions?

Thank you,
Ed







.