
List:       focus-ms
Subject:    Re: ntfs perms question
From:       Eric <ews () tellurian ! net>
Date:       2002-03-29 20:50:43

I once knew a guy who decided that he'd be the only person ever accessing his 
system - he'd heard about issues wrt Everyone, so he re-ACLed his box from 
the root of C (and propagated down) so that Admin (himself) had Full 
control, and everything else was removed (including System).

Imagine the look on his face when he rebooted his system and it didn't come 
up.  Nada - nothing.  He had to re-install his OS.

So, yes, System needs F access to necessary system files - else the system 
can't read the files it needs to boot.

I created a template for IIS5 servers that re-ACLs most executable content 
to remove Everyone and User perms.  This assumes that only admins will be 
using the box locally. Template is here:
http://www.systemexperts.com/win2k/web_secure.inf

I also created a script for NT4 that would re-ACL a system and replace 
Everyone with AuthUsers.  It is available here:
http://online.securityfocus.com/data/tools/securent.zip

At 10:15 AM 3/29/2002 -0500, James Ruddy wrote:
>SYSTEM:F should be on the system drive and any folders that customer 
>services etc are located. Generally though for a system that has users 
>logging in interactively, removing everyone from the root of each partition 
>is close to enough.
>
>For web servers and the like (anonymous), the article Minimum NTFS Permissions 
>Required for IIS 5.0 to Work (Q271071) is what I would start with, and open 
>permissions as you require.
>
>
>Jim
>
>>From: "Michael Perez" <mperez@taltrade.com>
>>To: <FOCUS-MS@SECURITYFOCUS.COM>
>>Subject: ntfs perms question
>>Date: Thu, 28 Mar 2002 10:05:58 -0600
>>
>>When locking down NTFS permissions from everyone:F would you recommend 
>>including system:F or leaving system off completely.  I want to harden 
>>all local drives on all our servers.
>>
>>Thanks
>>
>>Michael Perez
>>

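The check the thread keeps coming back to (keep SYSTEM:F, swap Everyone for Authenticated Users) as an added PowerShell example; this is not Eric's securent script or the web_secure.inf template, and the function name and the sample path are made up for illustration.

```powershell
# Added example, not code from this thread. Audits one folder's NTFS DACL
# before re-ACLing it: confirms SYSTEM keeps Full Control (so the box still
# boots, unlike the anecdote above) and lists the explicit Everyone entries
# that would become Authenticated Users. Nothing is written unless -Apply is set.
function Invoke-NtfsAclReview {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Apply
    )
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $fullCtrl = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl      = Get-Acl -LiteralPath $Path
    # Resolve entries to well-known SIDs so the check also holds on localized builds.
    $rules    = $acl.GetAccessRules($true, $true, $sidType)

    $systemOk = $rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-18' -and      # NT AUTHORITY\SYSTEM
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.HasFlag($fullCtrl)
    }
    if (-not $systemOk) {
        Write-Warning "$Path : SYSTEM lacks Full Control; the OS may be unable to read this at boot."
    }

    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne 'S-1-1-0') { continue }   # Everyone
        if ($rule.IsInherited) {
            # Inherited entries cannot be removed here; change them on the parent they come from.
            Write-Output "$Path : inherited Everyone entry ($($rule.FileSystemRights)) comes from a parent"
            continue
        }
        Write-Output "$Path : Everyone -> Authenticated Users ($($rule.FileSystemRights), $($rule.AccessControlType))"
        if ($Apply) {
            $authUsers   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
            $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $authUsers, $rule.FileSystemRights, $rule.InheritanceFlags,
                $rule.PropagationFlags, $rule.AccessControlType)
            $null = $acl.RemoveAccessRule($rule)
            $acl.AddAccessRule($replacement)
        }
    }
    # Refuse to write an ACL that would strip SYSTEM, whatever the template says.
    if ($Apply -and $systemOk) { Set-Acl -LiteralPath $Path -AclObject $acl }
}

# Dry run first (hypothetical path): Invoke-NtfsAclReview -Path 'D:\inetpub\wwwroot'
```

Run it without -Apply on each partition root and on the IIS content folders before propagating any template, and treat a SYSTEM warning as a stop condition rather than something to fix after the reboot.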