ACLs


FruFru

An employee has just deleted all ACLs from his W2K computer's hard disc. I
can 'get in' to manually re-create the ACLs but am unsure what rights to
assign to various groups/users. I am most concerned about %SystemRoot%,
C:\Documents and Settings and C:\Program Files.

1. Does anyone have any advice?
2. How can I prevent this from happening again?
 
FruFru said:
An employee has just deleted all ACLs from his W2K computer's hard disc. I
can 'get in' to manually re-create the ACLs but am unsure what rights to
assign to various groups/users. I am most concerned about %SystemRoot%,
C:\Documents and Settings and C:\Program Files.

1. Does anyone have any advice?

Fire the employee.
2. How can I prevent this from happening again?

Do not let him have administrative rights. He has proven that he cannot be
trusted.

Do you have another W2K machine to which you can compare the permissions?

Ray at work
 
Fire the employee.


Do not let him have administrative rights. He has proven that he
cannot be trusted.

Hear, hear.
Do you have another W2K machine to which you can compare the
permissions?

A lot of the perms might be restored by applying the default security
template. Sorry, I have no details on that handy at the moment other
than KBA 309689
"HOW TO: Apply Predefined Security Templates in Windows 2000"
 
FruFru said:
An employee has just deleted all ACLs from his W2K computer's hard disc. I
can 'get in' to manually re-create the ACLs but am unsure what rights to
assign to various groups/users. I am most concerned about %SystemRoot%,
C:\Documents and Settings and C:\Program Files.

1. Does anyone have any advice?

Hi


HOW TO: Restore the Default NTFS Permissions for Windows 2000
http://support.microsoft.com/default.aspx?scid=KB;en-us;266118

HOW TO: Apply Registry and File System ACLs on Computers That Are Upgraded to
Windows 2000
http://support.microsoft.com/default.aspx?scid=KB;en-us;313205

HOW TO: Apply Predefined Security Templates in Windows 2000
http://support.microsoft.com/default.aspx?scid=KB;en-us;309689

Predefined security templates
http://www.microsoft.com/windows2000/en/professional/help/sag_SCEdefaultpols.htm

Windows 2000 Security Templates Are Incremental
http://support.microsoft.com/default.aspx?scid=KB;en-us;234926
 
Thanks to all for responding - this really helps.

One last query...The employee did not have local
administrative rights but rather was a member of the
local "Power Users" group. I assume because it did indeed
happen that this level of authority is sufficient to do
what he did? How can I stop this from happening again
without 'demoting' him to a "User"?
 
Users should be "Users". On my personal machines, I run as "User" and file
bugs/complain against products that require me to have more privileges
(except on installation, which I temporarily use RUNAS to be Administrator
to install the app).

The nice thing about "Users" is that they are restricted from being able to
screw the machine up -- which sounds like exactly what you need. This "ACL
deletion" would have never happened if the employee was a User.

Ultimately, from an IT perspective, you have to decide whether you're going
to lock down the desktop to lower your support costs, or whether the
flexibility and capability of screwing up the desktop is a cost the company
is willing to bear.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
Thanks to all for responding - this really helps.

One last query...The employee did not have local
administrative rights but rather was a member of the
local "Power Users" group. I assume because it did indeed
happen that this level of authority is sufficient to do
what he did? How can I stop this from happening again
without 'demoting' him to a "User"?
 
David Wang said:
Users should be "Users".

I agree. But that is only because there is no category with lower privs.
Well, there are guests, but their local profiles seem to disappear all the
time... Wait a minute! Maybe that would keep them from saving stuff on the
desktop that should go somewhere in their home directory.
On my personal machines, I run as "User" and file
bugs/complain against products that require me to have more privileges
(except on installation, which I temporarily use RUNAS to be Administrator
to install the app).

It should be surprising how many apps are aware of the possibility of being
run on NTFS. Even if they just considered that part of the app needs to be
read-only, and the config files stored where the user has sufficient privs.
The nice thing about "Users" is that they are restricted from being able to
screw the machine up -- which sounds like exactly what you need. This "ACL
deletion" would have never happened if the employee was a User.

Ultimately, from an IT perspective, you have to decide whether you're going
to lock down the desktop to lower your support costs, or whether the
flexibility and capability of screwing up the desktop is a cost the company
is willing to bear.

A colleague once explained to a boss who demanded the highest "privileges"
available on their VMS system, simply because he was "the boss of all". My
friend managed to explain to him that these were not really "privileges",
but "responsibilities and obligations", and would require him to come in at
all hours to fix problems.

/Al
 
In microsoft.public.win2000.cmdprompt.admin Al Dunbar [MS-MVP]
wrote:

[ ]
A colleague once explained to a boss who demanded the highest
"privileges" available on their VMS system, simply because he was
"the boss of all". My friend managed to explain to him that these
were not really "privileges", but "responsibilities and
obligations", and would require him to come in at all hours to fix
problems.
[ ]

LOL! I'll have to try that one someday Al. Might work. <VBG>

Like the executives (who know nothing about computers) just _have_ to
have the most powerful and newest laptop as a status symbol and to
impress others. I often think a few of them might get by with an
empty (but "cool looking") case. <S>
 
David Wang said:
The nice thing about "Users" is that they are restricted from being able
to screw the machine up -- which sounds like exactly what you need.
This "ACL deletion" would have never happened if the employee was a User.

Well, that depends on the file system permissions. For example, if the root
directory ACL had Everyone:F (which would be the case if the machine was
upgraded from NT to 2000 and nobody applied the default security template),
then everyone has permission to change the permissions.

Bill
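Ray's suggestion to compare against another W2K machine and Bill's point about an Everyone:F root both come down to the same check: read the ACLs and find out who holds the right to rewrite them. The script below is an added example, not code posted by anyone in the thread. It parses output from `cacls` (the Windows 2000 command-line ACL viewer) captured on a known-good machine and on the damaged one, diffs the two per directory, and flags broad groups (Everyone, Users, Power Users) that hold Full Control or WRITE_DAC, which is what lets a non-administrator change permissions in the first place. The output shape it expects is an assumption stated in the docstring, and both sample captures are constructed for the demonstration; the "reference" block is not a statement of the real Windows 2000 defaults, for which KB 266118 and the predefined templates are the authority.

```python
"""Diff `cacls` output from a known-good Windows 2000 machine against a damaged
one and flag ACEs that let broad groups rewrite the permissions themselves.

Added example, not code from the thread.  Assumed cacls output shape: each
queried directory starts a line in column 0 immediately followed by its first
ACE; the remaining ACEs follow on indented lines; an ACE is
    TRUSTEE:[(OI)][(CI)][(IO)]RIGHT
where RIGHT is N, R, W, C or F, or '(special access:)' followed by one
access-right name per line.  Both samples are constructed for the demo and
are NOT a statement of the real Windows 2000 default permissions.
"""
import re

ACE_RE = re.compile(
    r"^(?P<trustee>.+?):(?P<flags>(?:\((?:OI|CI|IO)\))*)"
    r"(?P<right>[NRWCF]|\(special access:\))$"
)
# Full Control, GENERIC_ALL and WRITE_DAC all let the holder replace the DACL.
DAC_RIGHTS = {"F", "GENERIC_ALL", "WRITE_DAC"}
# Broad groups that should never be able to rewrite system-directory ACLs.
BROAD_TRUSTEES = {"Everyone", r"BUILTIN\Users", r"BUILTIN\Power Users"}

PATHS = ["C:\\", r"C:\WINNT", r"C:\Documents and Settings", r"C:\Program Files"]

# Constructed stand-in for cacls output captured on a known-good machine.
REFERENCE = r"""
C:\ BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    BUILTIN\Users:(OI)(CI)R
C:\WINNT BUILTIN\Administrators:(OI)(CI)F
         NT AUTHORITY\SYSTEM:(OI)(CI)F
         BUILTIN\Power Users:(OI)(CI)C
         BUILTIN\Users:(OI)(CI)R
C:\Documents and Settings BUILTIN\Administrators:(OI)(CI)F
                          NT AUTHORITY\SYSTEM:(OI)(CI)F
                          BUILTIN\Users:(OI)(CI)R
C:\Program Files BUILTIN\Administrators:(OI)(CI)F
                 NT AUTHORITY\SYSTEM:(OI)(CI)F
                 BUILTIN\Power Users:(OI)(CI)C
                 BUILTIN\Users:(OI)(CI)R
"""

# Constructed capture from the damaged machine: an Everyone:F root of the kind
# Bill describes, a wiped Documents and Settings, and Power Users given a
# special-access ACE on Program Files that includes WRITE_DAC.
DAMAGED = r"""
C:\ Everyone:(OI)(CI)F
C:\WINNT BUILTIN\Administrators:(OI)(CI)F
         NT AUTHORITY\SYSTEM:(OI)(CI)F
         BUILTIN\Power Users:(OI)(CI)C
         BUILTIN\Users:(OI)(CI)R
C:\Documents and Settings Everyone:(OI)(CI)F
C:\Program Files BUILTIN\Administrators:(OI)(CI)F
                 NT AUTHORITY\SYSTEM:(OI)(CI)F
                 BUILTIN\Power Users:(OI)(CI)(special access:)
                                     GENERIC_READ
                                     GENERIC_WRITE
                                     WRITE_DAC
                 BUILTIN\Users:(OI)(CI)R
"""


def parse_cacls(text, paths):
    """Return {path: [(trustee, flags, frozenset(rights)), ...]}.

    `paths` lists the directories that were queried so the path can be split
    from the first ACE even though both may contain spaces."""
    by_len = sorted(paths, key=len, reverse=True)
    acls, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                    # new directory
            for p in by_len:
                if line.startswith(p + " "):
                    current, line = p, line[len(p) + 1:]
                    acls[current] = []
                    break
            else:
                raise ValueError("unrecognised path line: %r" % line)
        token = line.strip()
        m = ACE_RE.match(token)
        if m:
            right = m.group("right")
            rights = set() if right.startswith("(") else {right}
            acls[current].append([m.group("trustee"), m.group("flags"), rights])
        elif re.fullmatch(r"[A-Z_]+", token):         # special-access right
            acls[current][-1][2].add(token)
        else:
            raise ValueError("unparsed line: %r" % line)
    return {p: [(t, f, frozenset(r)) for t, f, r in a] for p, a in acls.items()}


def flag_dac_holders(acls):
    """[(path, trustee)] for broad groups that can change the DACL."""
    return [(p, t) for p, aces in acls.items()
            for t, _f, rights in aces
            if t in BROAD_TRUSTEES and rights & DAC_RIGHTS]


def diff_acls(reference, target):
    """{path: (aces missing on target, aces extra on target)} where they differ."""
    out = {}
    for path, ref_aces in reference.items():
        ref, tgt = set(ref_aces), set(target.get(path, []))
        if ref != tgt:
            out[path] = (ref - tgt, tgt - ref)
    return out


if __name__ == "__main__":
    good, bad = parse_cacls(REFERENCE, PATHS), parse_cacls(DAMAGED, PATHS)
    for path, trustee in flag_dac_holders(bad):
        print("DANGER %-28s %s can rewrite permissions" % (path, trustee))
    by_name = lambda a: (a[0], a[1])
    for path, (missing, extra) in diff_acls(good, bad).items():
        print(path)
        for t, f, r in sorted(missing, key=by_name):
            print("  missing  %s:%s%s" % (t, f, "".join(sorted(r))))
        for t, f, r in sorted(extra, key=by_name):
            print("  extra    %s:%s%s" % (t, f, "".join(sorted(r))))
```

On a real pair of machines the inputs come from running `cacls` against each of the directories FruFru names and redirecting the output to a file; `cacls` is the W2K-era tool that prints the `(OI)(CI)` inheritance flags and the N/R/W/C/F abbreviations the parser expects. Everything reported as `extra` is what the restore has to strip, everything `missing` is what it has to put back, and any `DANGER` line means the Users-versus-Power-Users debate is moot for that directory: whoever holds WRITE_DAC there can put the permissions back to anything they like, which is exactly Bill's upgraded-from-NT case.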
 