Re: compatws.inf (Security Template)
From: John Lambert[MSFT] (johnla@online.microsoft.com)
Date: 04/17/03
- Next message: Dave: "Re: Internet Options for email not per-user?"
- Previous message: John Lambert[MSFT]: "Restrict Access"
- In reply to: Roger Abell [MVP]: "Re: compatws.inf (Security Template)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "John Lambert[MSFT]" <johnla@online.microsoft.com> Date: Wed, 16 Apr 2003 22:08:19 -0700
>From the online help:
Compatible (Compatws.inf)
Default permissions for workstations and servers are
primarily granted to three local groups: Administrators,
Power Users, and Users. Administrators have the most
privileges while Users have the least. Because of this,
you can significantly improve the security, reliability,
and total cost of system ownership by:
Making sure that end users are members of the Users
group.
Deploying applications that can be run successfully by
members of the Users group.
People with User privileges can successfully run
applications that take part in the Windows Logo Program
for Software. However, Users may not be able to run
applications that do not meet the requirements of the
program. If other applications must be supported, there
are two options:
Allow members of the Users group to be members of the
Power Users group.
Relax the default permissions that are granted to the
Users group.
Since Power Users have inherent capabilities, such as
creating users, groups, printers, and shares, some
administrators would rather relax the default User
permissions than allow end users to be members of the
Power Users group. This is precisely what the Compatible
template is for. The Compatible template changes the
default file and registry permissions that are granted to
Users in a manner that is consistent with the
requirements of most applications that do not belong to
the Windows Logo Program for Software. Additionally,
since it is assumed that the administrator that is
applying the Compatible template does not want end users
to be Power Users, the Compatible template also removes
all members of the Power Users group. For more
information, see Default security settings.
The Compatible template should not be applied to domain
controllers. For example, do not import the Compatible
template to the Default Domain policy or Default Domain
Controller policy.
John Lambert[MSFT]
This posting is provided "AS IS" with no warranties, and
confers no rights.
>-----Original Message-----
>What you need to do is make a console for templates,
>running mmc and then adding the Security Templates
>snap-in. With this console, when you open the
compatws.inf
>template you will find that the only settings in it are
a few
>in the Filesystem section and many in the Registry
section.
>For example, if you look you will see that Users group
is
>granted Modify on %ProgramFiles% by this template.
>Not all settings in compatws.inf are different from
those
>in other templates, so you would need to edit out the
>registry and filesystem sections from this and the setup
>security template in order to diff them to actually see
>exactly which of the many registry settings are
different.
>
>--
>Roger Abell
>MS MVP (Security, Windows), MCDBA, MCSE both
>Associate Expert - Windows XP ExpertZone
>http://www.microsoft.com/windowsxp/expertzone
>
>"Lester Gorveatt" <lestergorveatt@hotmail.com> wrote in
message news:02d401c3028e$7d454890$3301280a@phx.gbl...
>> Can anyone tell me specifically, what security changes
are
>> made when the compatws,inf security template is
applied?
>>
>> Thank you
>.
>
- Next message: Dave: "Re: Internet Options for email not per-user?"
- Previous message: John Lambert[MSFT]: "Restrict Access"
- In reply to: Roger Abell [MVP]: "Re: compatws.inf (Security Template)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
