hazards of "improving" c:\ , ie root dir ACLs; plan wanted

  • Thread starter Thread starter Tom Rodman
  • Start date Start date
T

Tom Rodman

<pardon me if this is a dup post>

After a fresh install of w2k workstation

the C: drive root directory ACL is:

EVERYONE "full control" ; "this folder, subfolder, files"

Goal:

improve the ACLs on

o the C: drive root directory ACL

o the top level directories below the root diretory of C:\

make the box more "multi-user" friendly, prevent
non administrators from causing problems; prevent
non administrators from writing in directories that are inappropriate -
like c:\ for example

First Stab:

changed the C: drive root directory ACL to:

Administrators "full control" ; "this folder, subfolder, files"
EVERYONE "read execute" ; "this folder, subfolder, files"

consequences noted:

My test "non adminstrator" acct could still run Mozilla, Acrobat reader,
and Gimp, but QuarkExpress silently failed to "come up" when
invoked. The ACL change was done *after* all these apps
were installed.

Any help or "best practices" pointers would be appreciated.
 
Hi Tom,

The following Microsoft Knowledge Base Article has the default permissions for the
root directory on the system drive for Windows XP. This set of permissions has been
thoroughly designed and tested and can be used as a guide for resetting the
permissions for the root directory on the system drive for Windows 2000:

KB327522 - MS02-064: Windows 2000 Default Permissions May Permit Trojan Horse Attack
http://support.microsoft.com/?scid=327522

--
Carrie Garth, Microsoft MVP for Windows 2000
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- c x g

: "Tom Rodman" <Use-Author-Supplied-Address-Header@[127.1]>
: Wrote in message : Sent: Saturday, September 13, 2003 9:19 AM
: <pardon me if this is a dup post>
:
: After a fresh install of w2k workstation
:
: the C: drive root directory ACL is:
:
: EVERYONE "full control" ; "this folder, subfolder, files"
:
: Goal:
:
: improve the ACLs on
:
: o the C: drive root directory ACL
:
: o the top level directories below the root diretory of C:\
:
: make the box more "multi-user" friendly, prevent
: non administrators from causing problems; prevent
: non administrators from writing in directories that are inappropriate -
: like c:\ for example
:
: First Stab:
:
: changed the C: drive root directory ACL to:
:
: Administrators "full control" ; "this folder, subfolder, files"
: EVERYONE "read execute" ; "this folder, subfolder, files"
:
: consequences noted:
:
: My test "non adminstrator" acct could still run Mozilla, Acrobat reader,
: and Gimp, but QuarkExpress silently failed to "come up" when
: invoked. The ACL change was done *after* all these apps
: were installed.
:
: Any help or "best practices" pointers would be appreciated.
: --
: regards,
: Tom Rodman
: pls run for my address:
: perl -e 'print unpack("u", "1\:6UP\,\$\!T\<F\]D\;6\%N\+F\-O\;0H\`");'
:
 
Back
Top