From: Laura A. Robinson (larobinsbellatlantic.net)
Date: Thu Aug 23 2001 - 08:34:03 CDT

    The only thing you should do with the share permissions is change "Everyone"
    to "Authenticated Users", unless the share should be accessible by guest
    accounts. There is a common misconception that Everyone means that
    *everyone* on the planet can access the share. On NT or Windows 2000, this
    is not the case. To see what I mean, try this:

    1. Create a share.
    2. Leave the default "Everyone Full Control" permissions on that share.
    3. Try to connect to the share with a completely bogus username and
    password.
    4. Note results.

    "Everyone" is not really everyone. Groups in Win2K break down as follows:

    - Domain Users: all users and computers in a domain, not including the Guest
      account.
    - Authenticated Users: all users in a domain and any trusted domains (the
      forest, in the case of Windows 2000), not including the Guest account.
    - Everyone: all users in all trusted domains (in Win2K, the entire forest),
      including the Guest account.

    With that said, *NTFS* permissions should indeed be implemented as you
    mention, although you should be careful about locking down *all* files on
    the machine. It is possible to deny the operating system access to its own
    files if you aren't careful. To see what I mean by this, try the following:

    1. Do not perform this on a machine you're not ready and willing to rebuild.
    2. On the root directory (c:\ or whatever is the root of your OS partition),
    change the permissions to something like, "Jim Bob Billy Joe- Full Control",
    with no other entries in the ACL (no system).
    3. Watch the desktop disappear and the machine become unbootable.

    So, back to the original premise- there is NOTHING wrong with leaving share
    permissions wide open, PROVIDED you use NTFS permissions to control access
    to the folder. I will typically change the default share from "Everyone-
    Full Control" to "Authenticated Users- Full Control", but that's it. USE
    NTFS to control your permissions. It is *not* lazy administration, it is
    *smart* administration because you won't inadvertently lock users out of a
    share to which they should have access because you've got conflicting share
    and NTFS permissions. Additionally, should you have to modify permissions in
    the future, you've made it much simpler because you don't have to perform
    the same action twice- once for NTFS and once for share permissions. Again,
    this isn't *lazy*, it's smart. Work smarter, not harder.

    I've seen *numerous* installations where problems could be traced to
    administrators setting both share and NTFS permissions without realizing
    that all they're doing is adding a layer of complexity in terms of resource
    access and troubleshooting. The only time you should be tweaking share
    permissions (with the possible exception of switching from Everyone to
    Authenticated Users) is when the share resides on a FAT volume and you have
    no other mechanism to protect the files. And if your shares reside on a FAT
    partition on a server, you've already got bigger problems. FAT does not
    belong on server volumes. It doesn't belong on workstation volumes, either,
    if the workstations are NT, Win2K or XP.

    Just my two cents,

    Laura A. Robinson
    Technical Instructor/Consultant
    MCT, MCSE, CLI, PCLP
    IntelliMark Pennsylvania Division
    http://www.intellimark-it.com
    lrobinsonintellimark-it.com
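
An added example, not part of the original message or thread: a simplified Python model of the rule argued over here (grants accumulate within the share ACL and within the NTFS ACL, and the lower of the two applies over the network), which also lists users whose NTFS grant a share ACL cuts down. The users, groups and ACLs are constructed; deny entries are not modelled, and NTFS "Modify" is folded into the coarse "Change" level.

```python
# Simplified model (added example): allow-only entries, three coarse levels.
LEVELS = {"None": 0, "Read": 1, "Change": 2, "Full Control": 3}
NAMES = {v: k for k, v in LEVELS.items()}

def groups_for(user, members):
    """Identities the user matches in an ACL. As stated in the thread,
    Everyone includes Guest and Authenticated Users does not."""
    groups = {user, "Everyone"} | {g for g, m in members.items() if user in m}
    if user != "Guest":
        groups.add("Authenticated Users")
    return groups

def layer_grant(acl, groups):
    """Within one layer (share OR NTFS) the highest matching grant applies."""
    return max((LEVELS[lvl] for who, lvl in acl.items() if who in groups),
               default=0)

def effective(user, share_acl, ntfs_acl, members):
    """Network access: the lower of the share grant and the NTFS grant.
    Returns (effective, share_grant, ntfs_grant) as level names."""
    g = groups_for(user, members)
    s, n = layer_grant(share_acl, g), layer_grant(ntfs_acl, g)
    return NAMES[min(s, n)], NAMES[s], NAMES[n]

def share_conflicts(users, share_acl, ntfs_acl, members):
    """Users whose NTFS grant is reduced by the share ACL, i.e. the
    conflicting share/NTFS case that makes troubleshooting harder."""
    out = []
    for u in users:
        eff, s, n = effective(u, share_acl, ntfs_acl, members)
        if LEVELS[s] < LEVELS[n]:
            out.append((u, n, eff))
    return out

# Constructed sample data (hypothetical users and groups).
MEMBERS = {"Accounting": {"johnny"}, "Auditors": {"maria"}}
NTFS = {"Accounting": "Change", "Auditors": "Read"}
USERS = ["johnny", "maria", "Guest"]

if __name__ == "__main__":
    open_share = {"Authenticated Users": "Full Control"}
    tight_share = {"Accounting": "Read", "Auditors": "Read"}
    for name, share in (("open", open_share), ("tight", tight_share)):
        for u in USERS:
            print(name, u, effective(u, share, NTFS, MEMBERS)[0])
        print(name, "conflicts:", share_conflicts(USERS, share, NTFS, MEMBERS))
```
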
    ----- Original Message -----
    From: "akomolafe" <dejiprontomail.com>
    To: "Jerry Roy" <jroyaxcelerant.com>; "Douglas Cohn"
    <Douglas.Cohnhostcentric.com>; <michael.whitelmscae.com>;
    "FOCUS-MSSECURITYFOCUS.COM" <FOCUS-MSsecurityfocus.com>
    Sent: Wednesday, August 22, 2001 7:17 PM
    Subject: Re: Windows 2000's Everyone permission

    > You want to lock down your server as much as possible. Why would you prefer
    > leaving the default "everyone Full" share permission to actually removing
    > the "everyone" group and actually specifying the group you want to share
    > your stuff for?
    >
    > This is not personal and not directed at anyone, but that is lazy
    > administration, if I've ever seen one.
    >
    > Deji
    > ----- Original Message -----
    > From: "Jerry Roy" <jroyaxcelerant.com>
    > To: "Douglas Cohn" <Douglas.Cohnhostcentric.com>; "akomolafe"
    > <dejiprontomail.com>; <michael.whitelmscae.com>;
    > "FOCUS-MSSECURITYFOCUS.COM" <FOCUS-MSsecurityfocus.com>
    > Sent: Wednesday, August 22, 2001 3:52 PM
    > Subject: RE: Windows 2000's Everyone permission
    >
    >
    > > Leaving share permissions as they stand is totally correct. You can set
    > > them as full control and still lock down the entire domain IF you follow
    > > the rules.
    > >
    > > 1) Share permissions are ONLY for those who come across the wire.
    > > 2) You should not give the Log on Locally right to any user to log on to
    > > ANY DC. That is why it is there.
    > > 3) NTFS permissions will prevent them from accessing the resource if used
    > > correctly.
    > >
    > > Scenario:
    > >
    > > Johnny wants to access a file on a server from his workstation. The
    > > Folder which the file is shared is called "data" and has the Full
    > > Control share permission applied to the everyone group. (Everyone is a
    > > Member of the "Everyone Group".) There is also an NTFS permission on the
    > > "data" folder of Read. This is also applied to the everyone group (as an
    > > example). What is Johnny's effective permission? READ! Why?
    > > What prevents Johnny from accessing the file and changing it on the DC? The
    > > Log on Locally right is not given to him, a Normal User.
    > >
    > > When 2 or more share permissions are applied, the effective permission
    > > becomes least Restrictive
    > > When 2 or more NTFS permissions are applied, the effective permission
    > > also becomes least Restrictive
    > > When Share and NTFS Permissions are Combined, The effective permission
    > > becomes MOST restrictive.
    > >
    > > Best Regards,
    > >
    > > Jerry Roy
    > >
    > > -----Original Message-----
    > > From: Douglas Cohn [mailto:Douglas.Cohnhostcentric.com]
    > > Sent: Wednesday, August 22, 2001 2:50 PM
    > > To: akomolafe; michael.whitelmscae.com; FOCUS-MSSECURITYFOCUS.COM
    > > Subject: RE: Windows 2000's Everyone permission
    > >
    > >
    > > I would like to see this information as well. We have always used the
    > > share permissions only since there should be no way to gain direct
    > > access to the drives remotely and none of our servers have physical
    > > access available.
    > >
    > > Doug
    > >
    > > -----Original Message-----
    > > From: akomolafe
    > > Sent: Wed 8/22/2001 2:45 PM
    > > To: michael.whitelmscae.com; 'FOCUS-MSSECURITYFOCUS.COM'
    > > Cc:
    > > Subject: Re: Windows 2000's Everyone permission
    > >
    > >
    > >
    > > "leave share perms as they stand"? Which Microsoft document says
    > > that?
    > >
    > > Deji
    > >
    > > ----- Original Message -----
    > > From: "Michael R. White" <michael.whitelmscae.com>
    > > To: "'FOCUS-MSSECURITYFOCUS.COM'" <FOCUS-MSsecurityfocus.com>
    > > Sent: Wednesday, August 22, 2001 11:09 AM
    > > Subject: RE: Windows 2000's Everyone permission
    > >
    > >
    > > > You have to be careful where you make the permissions modifications, share
    > > > perms (sharing tab) and/or NTFS perms (security tab). Mixing the perms will
    > > > create problems remotely. Microsoft's recommendation is to leave share
    > > > perms as they stand, and modify NTFS perms as you see fit. This covers
    > > > remote and local access without confusing your perms.
    > > >
    > > > Regards,
    > > >
    > > > Michael
    > > > LMSCADSI
    > > >
    > > >
    > > > -----Original Message-----
    > > > From: Damon Brinkley [mailto:damonbetcoinc.com]
    > > > Sent: Wednesday, August 22, 2001 9:58 AM
    > > > To: 'phoebe'; 'FOCUS-MSSECURITYFOCUS.COM'
    > > > Subject: RE: Windows 2000's Everyone permission
    > > >
    > > >
    > > > The first thing I do when I install a Windows 2000 OS is to remove the
    > > > permissions Everyone has to everything on the system. I then go back and
    > > > create users and groups and give them permissions as needed. I don't know
    > > > why Microsoft has the default giving the Everyone group those permissions
    > > > but I think they should be removed upon installing for obvious security
    > > > reasons.
    > > >
    > > > -----Original Message-----
    > > > From: phoebe [mailto:phoebetollon.net]
    > > > Sent: Wednesday, August 22, 2001 7:02 AM
    > > > To: 'FOCUS-MSSECURITYFOCUS.COM'
    > > > Subject: Windows 2000's Everyone permission
    > > >
    > > >
    > > > Hi all,
    > > >
    > > > Could someone give me some advice if I remove the permission as below,
    > > >
    > > > - Everyone at root c:\
    > > > - Everyone at c:\winnt\system\*.exe
    > > > - Everyone and Users at c:\winnt\system32\*.cpl
    > > > - Everyone and Users at c:\winnt\system32\*.msc
    > > > - Everyone and Users at c:\winnt\system32\*.msi
    > > >
    > > > But, I will assign "Administrators" and "System" with Full Control to all
    > > > those files which took "Everyone" out.
    > > >
    > > > Please advise.
    > > >
    > > > Thanks,
    > > >
    > > > Regards,
    > > > Phoebe