Everyone

  • Thread starter: Paul Hadfield

Paul Hadfield

In a Windows 2000 Domain where every user logs on with a user account to
their Windows 2000 desktop, is there actually any use for the Everyone
group?

Can't I just weed through the NTFS security of my servers/printers etc and
replace Everyone with Users?

Or am I missing something obvious here?

Cheers,
Paul.
 
Before you go through the hassle, is there any way for something to access the
resources if they aren't a user? For instance, file shares are commonly
configured to be Everyone FC but the underlying NTFS permissions are locked
down; this means that everyone is really only the people with access to the NTDS
perms. Going through and, say, changing the ACLs on 100 or 1000 or 5000 shares in
this case would not make a lot of sense. Ditto for file system stuff: if you
have a folder with everyone access but only normal users can get to that folder
because it isn't shared, not an issue.

A security hack is generally going to come in two ways, as a user or as
localsystem. You can't/shouldn't remove localsystem's access to files on your
system, and if you are securing from everyone to user on the local system for
things that can only be accessed by users, you are making up work.

As a general rule though, yes, users or authenticated users should be able to
replace everyone as long as localsystem has a specific ACE for itself as well.
Note that you should test the configs prior to implementing in production; you
should always do that with any change.

joe
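
One way to apply the rule from the answer above (swap Everyone for Authenticated Users only where LocalSystem keeps an ACE of its own), as an added example that is not part of the thread. It rewrites a DACL given as an SDDL string, such as the one `(Get-Acl <path>).Sddl` returns; the function name and the sample string are constructed for illustration.

```python
import re

# SDDL trustee aliases / SIDs for the principals discussed in this thread.
EVERYONE = {"WD", "S-1-1-0"}
LOCAL_SYSTEM = {"SY", "S-1-5-18"}
AUTH_USERS = "AU"

# DACL section: "D:" + optional flags (P, AI, AR) + one or more "(ace)" groups.
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^()]*\))+)")


def replace_everyone(sddl, new_trustee=AUTH_USERS):
    """Swap Everyone for new_trustee in explicit allow ACEs of an SDDL string.

    Returns (rewritten_sddl, findings). Conditional ACEs (which contain
    nested parentheses) are out of scope for this sketch.
    """
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL with ACEs found")
    # ACE fields: type;flags;rights;object_guid;inherit_guid;trustee
    aces = [body.split(";") for body in re.findall(r"\(([^()]*)\)", m.group(2))]
    findings = []
    # The condition from the answer above: SYSTEM needs an ACE of its own.
    if not any(a[0] == "A" and a[5] in LOCAL_SYSTEM for a in aces):
        findings.append("SYSTEM has no allow ACE of its own; add one first")
    rewritten = []
    for a in aces:
        if a[5] in EVERYONE:
            if "ID" in re.findall("..", a[1]):
                findings.append("inherited Everyone ACE; fix it on the parent")
            elif a[0] != "A":
                # Everyone is at least as broad as Authenticated Users, so
                # narrowing a deny could widen access; leave it for a human.
                findings.append("non-allow Everyone ACE left for manual review")
            else:
                a = a[:5] + [new_trustee] + a[6:]
                findings.append("replaced Everyone with " + new_trustee)
        if a not in rewritten:  # drop an ACE that became a duplicate
            rewritten.append(a)
    dacl = "D:" + m.group(1) + "".join("(" + ";".join(a) + ")" for a in rewritten)
    return sddl[:m.start()] + dacl + sddl[m.end():], findings


# Constructed sample: Everyone and Administrators Full Control, no SYSTEM ACE.
SAMPLE = "O:BAG:DUD:PAI(A;OICI;FA;;;WD)(A;OICI;FA;;;BA)"
if __name__ == "__main__":
    print(replace_everyone(SAMPLE))
```

The rewritten string is only a proposal; nothing is written back to the file system, which leaves room to test the result before it goes to production.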
 
Thanks Joe.

Out of interest, who is or isn't a member of the Everyone group in a Windows
2000 domain?

For example, if a share is set up on a file server that is shared with
Everyone FC and the NTFS settings also give Everyone FC, would this mean that
users from machines that are not members of the domain could access this
share without being asked for a username/password?


Cheers,
Paul.
 
This definition has changed a couple of times. At the moment, I believe
everyone is pretty much authenticated users unless you have enabled null session
shares. Null session shares and guest access are the only ways to connect
without supplying creds.

joe
 