Re: Minimum NTFS Permissions on the SystemDrive
- From: "Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx>
- Date: Thu, 11 May 2006 18:58:43 +0200
Hi,
This is (probably) not the answer you are looking for -- but still, I hope
it helps.
Security configuration guidance support
http://support.microsoft.com/?id=885409
File system and registry access control list modifications
Microsoft Windows XP and Microsoft Windows Server 2003 have considerably
tightened system permissions. You can no longer use the Anonymous security
identifier (SID) in the Everyone group. Because of these changes to the core
operating system of Windows XP and of Windows Server 2003, extensive changes
to file permissions on the root of the operating system are no longer
required.
Additional ACL changes may invalidate all or most of the application
compatibility testing that is performed by Microsoft. Frequently, changes
such as these have not undergone the in-depth testing that Microsoft has
performed on other settings. Support cases and field experience have shown
that ACL edits change the fundamental behavior of the operating system,
frequently in unintended ways. These changes affect application
compatibility and stability and reduce functionality, both in terms of
performance and capability.
Because of these changes, we do not recommend that you modify file system
ACLs on files that are included with the operating system on production
systems. We recommend that you evaluate any additional ACL changes against a
known threat to understand any potential advantages the changes may lend to
a specific configuration. For these reasons, our guides make only very
minimal ACL changes and only to Windows 2000. For Windows 2000, several
minor changes are required. These changes are described in the Windows 2000
Security Hardening Guide.
Extensive permission changes that are propagated throughout the registry and
file system cannot be undone. New folders, such as user profile folders that
were not present at the original installation of the operating system, may
be affected. Therefore, if you remove a Group Policy setting that performs
ACL changes, or you apply the system defaults, you cannot roll back the
original ACLs.
Changes to the ACL in the %SystemDrive% folder may cause the following
scenarios:
* The Recycle Bin no longer functions as designed, and files cannot be
recovered.
* A reduction of security that lets a non-administrator view the contents of
the administrator's Recycle Bin.
* The failure of user profiles to function as expected.
* A reduction of security that provides interactive users with read access
to some or to all user profiles on the system.
* Performance problems when many ACL edits are loaded into a Group Policy
object that includes long logon times or repeated restarts of the target
system.
* Performance problems, including system slowdowns, every 16 hours or so as
Group Policy settings are reapplied.
* Application compatibility problems or application crashes.
To help you remove the worst results of such file and registry permissions,
Microsoft will provide commercially reasonable efforts in line with your
support contract. However, currently, you cannot roll back these changes. We
can guarantee only that you can return to the recommended out-of-the-box
settings by reformatting your hard disk drive and by reinstalling the
operating system.
For example, modifications to registry ACLs affect large parts of the
registry hives and may cause systems to no longer function as expected.
Modifying the ACLs on single registry keys poses less of a problem to many
systems. However, we recommend that you carefully consider and test these
changes before you implement them. Again, we can only guarantee that you can
return to the recommended out-of-the-box settings if you reformat and
reinstall the operating system.
--
Mike
Microsoft MVP - Windows Security
<skhair@xxxxxxxxxxxxx> wrote in message
news:1147363824.786947.294060@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
What are the minimum permissions that should be applied to:
1) The root of the system drive (e.g. c:\)
2) The Windows folder
3) The Program files directory
4) Any other important directories
Thanks in advance for any help.
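
Added example, not part of either post and not Microsoft's code: because the guidance above says propagated ACL changes cannot be rolled back, this read-only PowerShell sketch records the top-level ACL of the folders named in the question and, on later runs, reports any drift from that record. It assumes Windows PowerShell 2.0 or later; the baseline file name and location are hypothetical, and it inspects only each folder's own ACL, not its children.

```powershell
# Added example: read-only ACL snapshot and drift check; it changes nothing on disk.
# Assumption: the baseline file name and location are hypothetical.
$BaselinePath = Join-Path $env:TEMP 'systemdrive-acl-baseline.csv'

# The folders asked about in the thread.
$Targets = @("$env:SystemDrive\", $env:SystemRoot, $env:ProgramFiles)
$Props   = 'Path', 'Owner', 'Identity', 'Type', 'Rights', 'Inherited', 'Flags'

function Get-AclSnapshot {
    param([string[]]$Path)
    foreach ($p in $Path) {
        $acl = Get-Acl -Path $p
        foreach ($ace in $acl.Access) {
            # One row per access control entry (ACE); every value is stored as
            # a string so it compares cleanly with rows read back from CSV.
            New-Object PSObject -Property @{
                Path      = $p
                Owner     = $acl.Owner
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType.ToString()
                Rights    = $ace.FileSystemRights.ToString()
                Inherited = $ace.IsInherited.ToString()
                Flags     = "$($ace.InheritanceFlags)/$($ace.PropagationFlags)"
            } | Select-Object $Props
        }
    }
}

$current = @(Get-AclSnapshot -Path $Targets)

if (-not (Test-Path $BaselinePath)) {
    # First run: record the state before any ACL change is tested.
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    "Baseline written to $BaselinePath"
} else {
    $baseline = @(Import-Csv -Path $BaselinePath)
    $drift = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property $Props
    if ($drift) {
        # '<=' rows exist only in the baseline, '=>' rows only on the live system.
        $drift | Sort-Object Path, Identity |
            Format-Table SideIndicator, Path, Identity, Type, Rights, Inherited -AutoSize
    } else {
        'No ACL drift on the checked folders.'
    }
}
```

The output is a record for review on a test system, not a restore mechanism.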