Any reason NOT to remove "CREATOR OWNER" from NTFS ACL?

From: eOx (eox_conceptos_at_despammed.com)
Date: 07/21/05


Date: 21 Jul 2005 08:02:21 -0700

I'm setting up an unattended installation for a secure Windows XP
desktop environment and will be rolling out to 10000+ clients.

As part of the "hardening" it seems it may be a good idea to remove the
SID "CREATOR OWNER" from the default ACLs in NTFS.

By default "CREATOR OWNER" has "full control" (apply to subfolder and
files only). This opens the door to misc security headaches such as
granting users "change" on a folder, user creates new folder, user
changes ACL on new folder barring everyone (including AV-tools) except
himself, etc.

Provided that "Administrators" and SYSTEM always have "full control"
(with inherit enabled) on any folder, and "users" have "read" or
"change" as applicable, I can't see any reason to keep "CREATOR OWNER"
in the ACLs.

My tests so far show all systems running smoothly with "CREATOR OWNER"
removed from all NTFS ACLs on the local disk.

Are there any reasons NOT to follow the above strategy?
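An added audit script for the strategy asked about above (example code, not part of the original post): it walks a folder tree, reports every ACE held by the well-known CREATOR OWNER SID (S-1-3-0), and only strips the explicit ones when run with -Remove, honouring -WhatIf. The root path is an assumed placeholder.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Root = 'C:\Data',  # assumed placeholder; point at the tree to audit
    [switch]$Remove              # without this switch the script only reports
)

# Match on the well-known SID rather than the name, so localized account
# names (CREATOR OWNER, CREATEUR PROPRIETAIRE, ...) are all caught.
$creatorOwner = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'
$sidType = [System.Security.Principal.SecurityIdentifier]

function Get-CreatorOwnerAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # includeExplicit=$true, includeInherited=$true, identities returned as SIDs
    $acl.GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference -eq $creatorOwner } |
        ForEach-Object {
            [pscustomobject]@{
                Path        = $Path
                Rights      = $_.FileSystemRights
                Type        = $_.AccessControlType
                Inherited   = $_.IsInherited        # inherited copies can only be
                AppliesTo   = $_.InheritanceFlags   # fixed where they are defined
                Propagation = $_.PropagationFlags
            }
        }
}

$targets  = @(Get-Item -Path $Root) +
            @(Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue)
$findings = foreach ($dir in $targets) { Get-CreatorOwnerAce -Path $dir.FullName }
$findings | Format-Table -AutoSize

if ($Remove) {
    # Only explicit ACEs can be removed on the object itself; removing the explicit
    # entry at the top of a tree also clears the inherited copies below it.
    foreach ($f in $findings | Where-Object { -not $_.Inherited }) {
        $acl   = Get-Acl -Path $f.Path
        $rules = $acl.GetAccessRules($true, $false, $sidType) |
                 Where-Object { $_.IdentityReference -eq $creatorOwner }
        foreach ($rule in $rules) { [void]$acl.RemoveAccessRule($rule) }
        if ($PSCmdlet.ShouldProcess($f.Path, 'Remove CREATOR OWNER ACE')) {
            Set-Acl -Path $f.Path -AclObject $acl
        }
    }
}
```

Run it once without -Remove to see which folders carry explicit CREATOR OWNER entries, then with -Remove -WhatIf before committing; Set-Acl needs the caller to hold WRITE_DAC (or ownership) on each folder it rewrites.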
