Security Basics mailing list archives

RE: Win2000 Directory Permissions

From: "Sander de Rijk" <sander () derijk org>
Date: Tue, 1 Apr 2003 23:16:22 +0200

I would say change EVERYTHING to admin+system full control and users
instead of everyone read permissions. Besides that change the repair
indeed to no access for the users.

No need for power users. No need for creator owner.
The documents and settings folder will take care of itself with those
permissions and if users need write access because of certain apps
Like for example c:\temp do that on the folder

That should be sufficient

For IIS however I would suggest u use the lockdown tool (be carefull
with the urlscan) to secure your server. It also takes care of the
entire NTFS settings of the IIS user

Greetz,
Sander

-----Original Message-----
From: Simon Taplin [mailto:SimonT () lantic net] 
Posted At: zondag 30 maart 2003 13:20
Posted To: Security Focus Mailings
Conversation: Win2000 Directory Permissions
Subject: Win2000 Directory Permissions

I'v been running the permission settings below on my NT4 workstation
PC's
for students. I'm now upgrading the machines to Win2000. Do I need to
change
any of the settings below for Workstations and Servers? Especially the
server running IIS?

I got these from the TechRepublic newsletter.

Simon


On these folders:

* \Winnt
* \Winnt\system
* \Winnt\system32
* \Winnt\system32\config
* \Winnt\system32\drivers

Apply these permissions:

* Administrators: Full Control
* Creator Owner: Full Control
* Everyone: Read
* System: Full Control

On \Winnt\repair, the only permission you should set is Administrators:
Full Control.

On \Winnt\system32\spool, apply these permissions:

* Administrators: Full Control
* Creator Owner: Full Control
* Everyone: Read
* Power Users: Change
* System: Full Control

On Boot.ini, Ntdetect.com, and Ntldr, apply:

* Administrators: Full Control
* System: Full Control

On Autoexec.bat and Config.sys, apply:

* Everyone: Read
* Administrators: Full Control


---
This mail is hopefully virus free as it has been
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.465 / Virus Database: 263 - Release Date: 2003/03/25


-------------------------------------------------------------------
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.surfcontrol.com/go/zsfsbl1


-------------------------------------------------------------------
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.securityfocus.com/SurfControl-security-basics

Current thread:

RE: Win2000 Directory Permissions Sander de Rijk (Apr 01)
- <Possible follow-ups>
- RE: Win2000 Directory Permissions Chris Berry (Apr 02)