C: drive and %systemfolder%

[Guest]

What are best permissions to use on file server? Should everyone have full
access to C: drive? Should evereyone be removed from default anywhere on
sytem folder? Will Group Policy and Terminal Services work if you remove
them? How do you lock yours down?

 

[Steven L Umbach]

No they should not have full access. At best they should have
read/list/execute for the root and system folder. You may be able to remove
them as long as users group has the needed permissions and no legacy
applications or downlevel clients [W9X/NT4.0] require the use of everyone
permissions . The NSA security guide suggests removing them and using
authenticated users in place of everyone and users. If you remove everyone
you may have to give users from trusted domains explicit access FYI to ACL
and user rights such as logon locally or access this computer from the
network. Do NOT however give everyone group deny permissions. The link below
is for several security guides that should be of help. By default XP Pro and
W2003 Server have fairly secure ntfs permissions/user rights if you want to
check one of those operating systems as a guideline. --- Steve

 

[Guest]

I have 2000 file server with settings as you say except for C: drive itself
yet ftp server had got loaded on it. How is this possible through ports that
are in 50000 range or 1024? Can the antivirus server on it be the culprit?

No they should not have full access. At best they should have
read/list/execute for the root and system folder. You may be able to remove
them as long as users group has the needed permissions and no legacy
applications or downlevel clients [W9X/NT4.0] require the use of everyone
permissions . The NSA security guide suggests removing them and using
authenticated users in place of everyone and users. If you remove everyone
you may have to give users from trusted domains explicit access FYI to ACL
and user rights such as logon locally or access this computer from the
network. Do NOT however give everyone group deny permissions. The link below
is for several security guides that should be of help. By default XP Pro and
W2003 Server have fairly secure ntfs permissions/user rights if you want to
check one of those operating systems as a guideline. --- Steve

What are best permissions to use on file server? Should everyone have full
access to C: drive? Should evereyone be removed from default anywhere on
sytem folder? Will Group Policy and Terminal Services work if you remove
them? How do you lock yours down?

 

[Steven L Umbach]

Do you mean that it was hacked with a rouge ftp server installed on it??
That can happen if a user with administrator credentials opened a file,
email attachment, or Internet Explorer malicious download [be careful what
you say OK to and only use red X in upper left hand corner of unwanted pop
up boxes to exit them] that had malware on it and installed the malware. If
weak or no passwords are used the malware may have run a short password
attack against the administrator account. Other infected or hacked computers
on the network could also have been the culprit bypassing the permimiter
firewall. If computers are not kept patched with critical updates an attack
from inside or outside may be able to exploit weakness of the operating
system without administrator access by gaining system access. -- Steve

I have 2000 file server with settings as you say except for C: drive itself
yet ftp server had got loaded on it. How is this possible through ports that
are in 50000 range or 1024? Can the antivirus server on it be the culprit?

No they should not have full access. At best they should have
read/list/execute for the root and system folder. You may be able to remove
them as long as users group has the needed permissions and no legacy
applications or downlevel clients [W9X/NT4.0] require the use of everyone
permissions . The NSA security guide suggests removing them and using
authenticated users in place of everyone and users. If you remove everyone
you may have to give users from trusted domains explicit access FYI to ACL
and user rights such as logon locally or access this computer from the
network. Do NOT however give everyone group deny permissions. The link below
is for several security guides that should be of help. By default XP Pro and
W2003 Server have fairly secure ntfs permissions/user rights if you want to
check one of those operating systems as a guideline. --- Steve

What are best permissions to use on file server? Should everyone have full
access to C: drive? Should evereyone be removed from default anywhere on
sytem folder? Will Group Policy and Terminal Services work if you remove
them? How do you lock yours down?