System32 permissions

  • Thread starter Thread starter Toby
  • Start date Start date
T

Toby

Hi
I have Win2000 servers on which I need to apply and
lockdown permissions.
Obviously the System group will need to have FUll
permssions and also the administrators group, but I need
to reduce internal and external vunlerabilities. I've
created all necessary Group Policies and want to go that
little further by not allowing normal users to run/access
prgrams here.
So far I've given users read, execute and list permissions
but I need to narrow this down to only the files required
for them to login successfully.
I would like to only have System and administrator group
with permissions in System32 but realise certain files and
diriectories (ie. Group Policy) need permssions for normal
users to login successfully. ..
Does anyone know what they might be...?
 
Toby said:
Hi
I have Win2000 servers on which I need to apply and
lockdown permissions.
Obviously the System group will need to have FUll
permssions and also the administrators group, but I need
to reduce internal and external vunlerabilities. I've
created all necessary Group Policies and want to go that
little further by not allowing normal users to run/access
prgrams here.
So far I've given users read, execute and list permissions
but I need to narrow this down to only the files required
for them to login successfully.
I would like to only have System and administrator group
with permissions in System32 but realise certain files and
diriectories (ie. Group Policy) need permssions for normal
users to login successfully. ..
Does anyone know what they might be...?
Click to expand...

This may be OT but:
1) Your server needs to be physically secured - as in, in a locked room so
users can't log into it
2) Users by default don't have log on locally rights to your servers
3) Unless they have admin rights they can't access your admin shares (c$, d$
etc) from across the network
4) You need good password policies for your users (complex passwords are
good, regular pw changes are a must, etc) and you should manually change
your domain admin pw periodically - users should never know it

So I'd say in that case, unless you have admins you don't trust, you don't
need to bother with modifying NTFS permissions on your system volume - it
can get complicated, and I wouldn't mess with it. Just my $.02.
 
By default the users group has restricted permissions to the \winnt folder and
can not run many of the binaries unless logged in as an administrator. Keep in
mind that most attacks will be to gain system or administrator access to the
computer in which case full access would be gained to \winnt anyhow. Some have
suggested removing permissions for users/administrators/system from sensitive
binaries and adding a custom group instead to try and minimize that from
happening as suggested in the article below. Service packs, etc may overwrite
files in \winnt however.

http://www.systemexperts.com/tutors/HardenW2K101.pdf

If you are running IIS on a server it is highly recommended to run the IIS
Lockdown tool which among other things will create a group and add it to
sensitive binaries [such as secedit, arp, cacls, netsh, etc] with deny
permissions. The guest account and the accounts used for anonymous website
access are added to that group. The group the IIS Lockdown creates will remain
even if IIS is disabled or removed from the computer.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;325864

There are some free security guides that are excellent and contain security
templates that can enhance security to the \winnt folder over a default
installation and also discuss several other ways to secure a W2K computer based
on it's role such as user rights, security options, account policy, registry
settings, and services. The links below are for the Windows 2000 Security
Hardening Guide and a general link that includes the NSA Security Guides. These
guides are mostly specific to the operating system and of course measures such
as a properly configured firewall, patch management, and virus protection are
needed. I also recommend that any server be configured like Windows 2003 Server
is out of the box in regards to Internet Explorer security settings as in the
last link. --- Steve

http://www.microsoft.com/technet/security/prodtech/win2000/win2khg/default.mspx
http://www.infosec.uga.edu/windows.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;815141 --- IE enhanced
security settings.
 
Back
Top