Re: 'Everyone' permissions on C Drive

From: Tomothy Quntington-Flitoris (IainMcLaren35@spamtwatter.hotmail.com)
Date: 10/05/02 

From: "Tomothy Quntington-Flitoris" <IainMcLaren35@spamtwatter.hotmail.com>
Date: Sat, 05 Oct 2002 09:56:06 -0700

"Roger Abell [MVP]" <mvpNOSPAM@asu.edu> squrted these wordjisms deep
inside the bumtube of the newstwat in news:uoqiVbIbCHA.1668@tkmsftngp09:

> Hi,
>
> Before you go changing permissions on the WIndows partitions,
> notice that while the root, in this case C:\, may have loose looking
> permissions, almost all directories under it usually have different
> permissions.

In my case all top level directories in the root show the 'Everyone'
permission. Which is really why I'm concerned.

If you try to change from C:\ on down, you will
> very possibly worsen the filesystem security, particularly within
> .\Windows, .\Program Files, .\Documents and Settings

That's what I'm afraid of!

>
> Everyone does mean everyone that is able to authenticate to
> your machine as some account that it recognizes, or anonymously
> if that has been enabled. To limit Everyone to being who you
> actually want, make sure that you do not enable the Guest account.

Oneof the first things I did when I unpacked my machione was ensure that
the guest account is disabled. But how do you mean 'anonymously' if that
has been enabled? Do you mean that disabling the Guest account is
sufficient to prevent anyone without an account that I have defined
myself from accessing my files? Or is there something I should do to
check that named pipes/shares cannot be accessed anonymously, or is that
one of the features of the Local Security Policy editor that is in the
Pro version but not home, that you allude to in the next bit?

>
> There are policies that control just precisely how Everyone is
> related to anonymous accesses. However, AIUI these are not
> accessible in Home due to lack of the tool, and not being a Home
> version user, I cannot inform you further. I would assume that
> they have shipped with some reasonable and safe setting, but . . .
>

Yes, I would bloody well hope so, but I'm concerned in case they haven't!
THanks for your help anyway

> --
> Roger Abell
> MS MVP (Security, Windows), MCDBA, MCSE both
> Associate Expert - Windows XP ExpertZone
> http://www.microsoft.com/windowsxp/expertzone
>
> "Tomothy Quntington-Flitoris" <IainMcLaren35@spamtwatter.hotmail.com>
> wrote in message
> news:Xns929EA34D54D33IainMcLaren35sdpamtw@207.46.239.39...
>> Using XP Home SP1 (Compaq Presario 6140 OEM install) here, and I've
>> just noticed that the file permissions on my C drive (single volume
>> hard drive) are set by default to 'Everyone', with full access!
>>
>> Does 'Everyone' mean 'Everyone with a defined account on this
>> machine' or 'anyone and everyone on the planet if they can get in'?
>>
>> I ask because I fear it is the latter. That presumably means that
>> anyone who is able to access my machine has full access to the drive.
>> I have taken some precautions - all accounts have strong passwords, I
>> have NetBIOS over TCP/IP disabled, file and printer sharing turned
>> off, and Remote Assistance disabled, I run as a limited user day to
>> day, and it is firewalled via ZoneAlarm Pro.
>>
>> However it would seem that these precautions are undermined if anyone
>> can access the root of my machine (if, say the firewall errors out
>> and I don't notice). So, I'm sure this still must be an unnecessary
>> security risk. This machine is not networked locally, except to the
>> interweb via cable modem.
>>
>> I am starting to think that I should remove the 'everyone' permission
>> and grant the system, admin, and user accounts only individual access
>> - my reasoning being that access would be denied to anyone else
>> without a specifically defined account. I am concerned that if I
>> don't do this 100% correctly my machine's stability will be affected.
>> It's running flawlessly now, and I don't want to interfere with
>> defaul t settings too much in case it starts to play up.
>>
>> I would appreciate some advice on this.
>>
>> Thanks in advance
>>
>> Iain
>
>
>

Relevant Pages

  • Consider Windows XP File Security and Group Policies
    ... If you are running Windows XP and are using the NTFS file system, ... Account from being able to purge its history footprint files. ... Changing Folder permissions to Read-Execute instead of Full ... you globally apply Full Control for the Administrators group and the SYSTEM ...
    (microsoft.public.windowsxp.general)
  • Re: Of mice and men
    ... >> This is no different to many environments OS - even windows. ... With their own account, and guest accounts set ... > root password, but they cannot "run as root" without it. ... > it will tell you that you do not have disk access. ...
    (comp.lang.cobol)
  • Re: Cannot copy and paste
    ... - click on all of them and make sure your account hasn't been denied any ... - I think that if there are no permissions listed then it uses a default ... if this is the cause then add the everyone group to all six security windows ... my computer is virus free. ...
    (microsoft.public.win2000.general)
  • Re: Server Unavailable - ASP.NET 2.0 on Windows XP
    ... Try granting access permissions to the appropiate account, ... I have a ASP.NET 2.0 site that works on the Windows 2000 Server. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Password Protecting Folders and Files
    ... All permissions are granted to accounts. ... the account either needs ... Microsoft MVP (Windows Server System: ... > folder in which I would like to protect. ...
    (microsoft.public.windowsxp.security_admin)