tighten security...question for Patrick Rouse


Paul Young

Patrick,

I have seen several of your posts where you share with the
NewsGroup how to secure the Terminal Server with NTFS
permissions.

You have stated that you lock down the C:\ and the
C:\Program Files directories with Administrators, System
and Creator/Owner ( Full Control ) and Authenticated Users
( Read and Execute ). Assumption is that this is on a
Terminal Server running on a WIN2000 Member Server.

I have three questions for you:

A) on the C:\ - are these permissions for This folder and
files or for This folder, sub-folders and files?

B) I am sure that the Administrators is the local
Administrators group. How about the Authenticated Users
and System? There is a Domain account ( mydomain\system )
as well as a local account ( termserv\system ). My guess
is that both are the local account.

C) on the C:\Program Files - these permissions would have
to be for This folder, sub-folder and files? I should
remove the default permissions and manually enter what you
have suggested.

Thank you,

Paul
 
Paul, I only recommend making these changes to a new build or a test system, as they may break programs you've already installed. I have a base Server OS build that I use that has these settings, then I relax security on specific files or directories as needed by specific applications. Doing this in reverse order may cause unexpected results.

I use these settings for C:\ & C:\Program Files:

Local Administrators Group, CREATOR OWNER, & System - Full Control <Not Inherited> (This Folder, Subfolders & Files)
Authenticated Users - Read & Execute <Not Inherited> (This Folder, Subfolders & Files)

*******************
I do NOT, NOT, NOT "Replace permission entries on all child objects..." which would definitely break the OS.
*******************

Windows 2000 & 2003 have different default permission sets, where in 2000 Everyone has "Full Control" by Default, in 2003 this is NOT the default. In my opinion if Microsoft ever wants to make Windows secure they won't let you log on interactively with an admin account, i.e. you'd only be able to use the "Run as" or "Add/Remove Programs" (which prompts for Administrative credentials) and the spread of spyware/malware and most viruses would decrease significantly.

Patrick Rouse
Microsoft MVP - Terminal Server
http://www.workthin.co
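
A read-only check that a folder carries the baseline described in the reply above, added here as an example and not part of anyone's post in this thread. It assumes a host where PowerShell and `Get-Acl` are available; `Test-BaselineAcl` and its finding strings are hypothetical names chosen for the example.

```powershell
# Added example: audit a folder's DACL against the baseline in this thread.
# Test-BaselineAcl and the finding strings are names made up for this example.
function Test-BaselineAcl {
    param([Parameter(Mandatory)][string]$Path)

    $sync       = 0x100000     # SYNCHRONIZE bit, present or absent depending on the tool used
    $full       = 0x1F01FF     # FullControl
    $rx         = 0x1200A9     # ReadAndExecute + Synchronize
    $genericAll = 0x10000000   # GENERIC_ALL, often stored on inherit-only ACEs (CREATOR OWNER)

    # Well-known SIDs, so the check does not depend on localized account names.
    $baseline = @{
        'S-1-5-32-544' = $full   # local BUILTIN\Administrators group
        'S-1-3-0'      = $full   # CREATOR OWNER
        'S-1-5-18'     = $full   # NT AUTHORITY\SYSTEM
        'S-1-5-11'     = $rx     # NT AUTHORITY\Authenticated Users
    }
    $findings = @()
    $acl = Get-Acl -LiteralPath $Path

    # "<Not Inherited>": the folder must not pick up ACEs from its parent.
    if (-not $acl.AreAccessRulesProtected) { $findings += 'inheritance from parent is enabled' }

    # Explicit ACEs only, with identities returned as SIDs.
    $aces = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $seen = @{}
    foreach ($ace in $aces) {
        $sid    = $ace.IdentityReference.Value
        $rights = [int]$ace.FileSystemRights
        # Only GENERIC_ALL is normalized; other generic masks are reported as-is.
        if ($rights -eq $genericAll) { $rights = $full } else { $rights = $rights -bor $sync }
        if ($ace.AccessControlType -ne 'Allow' -or -not $baseline.ContainsKey($sid)) {
            $findings += "unexpected ACE: $sid $($ace.AccessControlType) $($ace.FileSystemRights)"
            continue
        }
        if ($rights -ne $baseline[$sid]) { $findings += "wrong rights for ${sid}: $($ace.FileSystemRights)" }
        # "This Folder, Subfolders & Files" = ContainerInherit (1) + ObjectInherit (2).
        if ([int]$ace.InheritanceFlags -ne 3) {
            $findings += "ACE for $sid does not apply to subfolders and files"
        }
        $seen[$sid] = $true
    }
    foreach ($sid in $baseline.Keys) {
        if (-not $seen.ContainsKey($sid)) { $findings += "missing ACE for $sid" }
    }
    return $findings   # nothing returned = the folder's own ACL matches the baseline
}

Test-BaselineAcl -Path 'C:\Program Files'
```

The function inspects only the ACL on the folder itself, which matches the advice not to replace permission entries on child objects; an explicit Everyone entry, the Windows 2000 default mentioned above, shows up as an unexpected ACE for `S-1-1-0`.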

 
Patrick,

Thank you for your reply.

This is for a test build of a TS that will shortly be
implemented in a production environment. I am also
following KB278295 for further lockdown. Do not fret, I
am not going to lock out the Administrator account. I am
aware of Authenticated Users needing to be changed to some
security group that I create.

I really appreciate your time ( and your web site ).

Paul