MS05-51 Patch, and SystemDrive NTFS permissions

[Jim Watts]

Hi,
I need some help with filesystem permissions, related to the MS05-51 patch,
and the problems it has thrown up. Note, we are NOT suffering the problems,
but the information from MS conflicts.

KB909444 (http://support.microsoft.com/kb/909444) states that the MS05-51
patch might fail if permissions have been changed on the
%windir%\registration. It goes on to say:

"Make sure that the Everyone group has one of the following permissions: -
Traverse permissions ("List Folder Contents") on all parent directories,
including %systemdrive%, %windir%, and %windir%\registration"

However, our standard build procedure for Windows 2000 servers is to REMOVE
the Everyone right from the root of the system drive. This is based on the
"Microsoft Security Operations Guide for Windows 2000 Server"
(http://www.microsoft.com/downloads/...EE-201A-4B40-A0D2-CDD9775AEFF8&displaylang=en),
page 63, which says that root permissions should be:

Administrators: Full control
System: Full control
Authenticated Users: Read and Execute, List Folder Contents, and Read


What's going on? Why do the two pieces of info not match, why has the patch
not destroyed my servers, and what exactly should I have set on the root of
drive C: for a secure server? While we're at it, what should I have on a
Windows 2003 server, as the 2003 version of this guide doesn't even mention
file system security in the baseline!

Many thanks, especially to any MS staff that would care to comment

Jim

 

[Roger Abell [MVP]]

The info conflicts as they have different origins. The guidance papers
are, mostly, broadly reviewed and well thought through. KBs are often
the emission of a content specialist.
You are not having an issue as the requirement that accounts that should
be able to access are granted the needed access, view Authenticated Users
instead of Everyone, but given the needed permissions none-the-less.

 

[Tom Che [MSFT]]

Hi Jim,

Thanks for posting here. Also thanks for our MVP Roger's kindly reply.

Jim, I think Roger is right.

Based on my own tests, on a XP SP2 machine with latest updates, if I remove
Everyone from the ACL of Windows\Registration folder, some symptoms occur
as KB909444; however, if I add the Authenticated Users into the ACL of that
folder with Read & Execute permission, everything works fine on the system.

On another Windows 2000 Server with latest updates, I found that there were
not Everyone entries from the ACLs of C:\, C:\Windows and
C:\Windows\Registration folders but all were Authenticated Users instead.
And the system also works fine.

So, I think if your current 2000 server system has no problem, you may
safely leave it on. And I think you may use the same configuration in
Windows Server 2003, too.

Hope this helps!

Have a nice day!

Sincerely,
Tom Che
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------