Minimum Win2K File System Permissions

Poontos

Platinum Member
Mar 9, 2000
2,799
0
0
Out of the box, Win2K's file permissions propagate the "Everyone" group with Full Access to the root of the system drive.

Not for me, thank you!

I have tried the following from the NT 4.0 days and my Office 2000 icon association busted, and I could not find anything on Google or MSKB.

OS Drive:

Administrators - Full Access
System - Full Access
Authenticated Users - Read

And propagated all the way through the main drive. Obviously much better than Everyone with Full Access, but not enough for Office 2000 to be happy.


So, in your security policies on workstations, servers, etc. that run Windows 2000, what are your base file permissions for the system drive?
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
The Everyone group tends to scare people.
"What's this?! Everyone !??"
Hehe. It's poorly worded.

The everyone group membership includes
1) All the user accounts on your system
2) The system account

I've troubleshot lots of boxes where the user decided he didn't like the sound of the "everyone" account, so they up and removed it. That's ok..... but they did not put the system account in! Errors ensue (pagefile errors being an early symptom).

So, besides the system account, the other accounts in the Everyone group are your user accounts and the guest account (the guest account is disabled by default in XP and 2k. Never enable it.)

That makes the Everyone group as big a security concern as your user accounts and the system account.
Enforce strong password policies and regular password changes.
Stay patched.

Finally, the Everyone group isn't entirely propagated down the tree. Look at the Program Files folder (as an example).

Hope this helps


 

Poontos

A better word would have been, it inherits the Everyone from the root of the drive, rather than propagate, my mistake.

So you leave the Everyone at the top with Full Access in your security policies?

"That makes the Everyone group as big a security concern as your user accounts and the system account.
Enforce strong password policies and regular password changes.
Stay patched."

Well, if you have one user account and one system account and very strong passwords, what are your policies on the file permissions? Leave 'em? :Q

Basically what I am getting at, is what folders need more than Admin, System, and Authenticated Users for the system to function properly?

In my experience, having a folder with Admin and System full access only and propagated down, is as tight as conveniently possible.

Thanks for the response.

 

Saltin



<< Well, if you have one user account and one system account and very strong passwords, what are your policies on the file permissions? Leave 'em? >>



User Accounts get access to what they need/require. Nothing more, nothing less.

As I stated earlier, the Everyone group can be found at the root of the drive, fine, but this does not imply that

1) The everyone group has full control of the entire drive
2) All folders have the Everyone group

From an administrative standpoint, yes, I generally leave the permissions at the root of the drive and the system files alone. You should too. I also don't change User profile folder permissions.
I don't change them because it isn't necessary.

As for apps/file server folders/etc, they get the System account, the Admin, and whatever users need access.
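
An added example, not part of any post above: a small Python check over SDDL strings (the text form of a Windows security descriptor) that flags the two conditions the thread debates, Everyone with Full Control and a DACL that leaves SYSTEM without access. The sample descriptors are constructed and the function names are hypothetical; WD, SY, BA and AU are the SDDL abbreviations for Everyone, SYSTEM, Administrators and Authenticated Users.

```python
import re

# Rights strings that mean Full Control on a file or folder (lower-cased).
FULL = {"fa", "ga", "0x1f01ff"}

def parse_dacl(sddl):
    """Return (ace_type, flags, rights, trustee) for each simple ACE in the DACL."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = body.split(";")
        if len(fields) != 6:
            continue  # conditional ACEs are out of scope for this sketch
        ace_type, flags, rights, _, _, trustee = fields
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        aces.append((ace_type, flag_set, rights, trustee))
    return aces

def audit(sddl):
    """Flag Everyone:Full Control and a DACL with no access path for SYSTEM."""
    findings = []
    allowed = set()
    for ace_type, flags, rights, trustee in parse_dacl(sddl):
        if ace_type != "A":  # only allow ACEs grant access
            continue
        allowed.add(trustee)
        if trustee == "WD" and rights.lower() in FULL:
            # "ID" marks an ACE inherited from a parent folder.
            origin = "inherited" if "ID" in flags else "explicit"
            findings.append(f"Everyone has Full Control ({origin})")
    # SYSTEM is covered by its own ACE or, as the thread says, via Everyone.
    if not allowed & {"SY", "WD"}:
        findings.append("SYSTEM has no allow ACE")
    return findings

# Constructed sample descriptors, not captured from a real system.
SAMPLES = {
    "root default": "O:BAG:SYD:(A;OICI;FA;;;WD)",
    "inherited child": "O:BAG:SYD:AI(A;OICIID;FA;;;WD)",
    "proposed baseline": "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FR;;;AU)",
    "Everyone removed": "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FR;;;AU)",
}

if __name__ == "__main__":
    for label, sddl in SAMPLES.items():
        print(f"{label}: {audit(sddl) or ['ok']}")
```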