System32 permissions

Archived from groups: microsoft.public.win2000.security (More info?)

Hi
I have Win2000 servers on which I need to apply and
lockdown permissions.
Obviously the System group will need to have FUll
permssions and also the administrators group, but I need
to reduce internal and external vunlerabilities. I've
created all necessary Group Policies and want to go that
little further by not allowing normal users to run/access
prgrams here.
So far I've given users read, execute and list permissions
but I need to narrow this down to only the files required
for them to login successfully.
I would like to only have System and administrator group
with permissions in System32 but realise certain files and
diriectories (ie. Group Policy) need permssions for normal
users to login successfully. ..
Does anyone know what they might be...?
2 answers Last reply
More about system32 permissions
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Toby wrote:
    > Hi
    > I have Win2000 servers on which I need to apply and
    > lockdown permissions.
    > Obviously the System group will need to have FUll
    > permssions and also the administrators group, but I need
    > to reduce internal and external vunlerabilities. I've
    > created all necessary Group Policies and want to go that
    > little further by not allowing normal users to run/access
    > prgrams here.
    > So far I've given users read, execute and list permissions
    > but I need to narrow this down to only the files required
    > for them to login successfully.
    > I would like to only have System and administrator group
    > with permissions in System32 but realise certain files and
    > diriectories (ie. Group Policy) need permssions for normal
    > users to login successfully. ..
    > Does anyone know what they might be...?

    This may be OT but:
    1) Your server needs to be physically secured - as in, in a locked room so
    users can't log into it
    2) Users by default don't have log on locally rights to your servers
    3) Unless they have admin rights they can't access your admin shares (c$, d$
    etc) from across the network
    4) You need good password policies for your users (complex passwords are
    good, regular pw changes are a must, etc) and you should manually change
    your domain admin pw periodically - users should never know it

    So I'd say in that case, unless you have admins you don't trust, you don't
    need to bother with modifying NTFS permissions on your system volume - it
    can get complicated, and I wouldn't mess with it. Just my $.02.
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    By default the users group has restricted permissions to the \winnt folder and
    can not run many of the binaries unless logged in as an administrator. Keep in
    mind that most attacks will be to gain system or administrator access to the
    computer in which case full access would be gained to \winnt anyhow. Some have
    suggested removing permissions for users/administrators/system from sensitive
    binaries and adding a custom group instead to try and minimize that from
    happening as suggested in the article below. Service packs, etc may overwrite
    files in \winnt however.

    http://www.systemexperts.com/tutors/HardenW2K101.pdf

    If you are running IIS on a server it is highly recommended to run the IIS
    Lockdown tool which among other things will create a group and add it to
    sensitive binaries [such as secedit, arp, cacls, netsh, etc] with deny
    permissions. The guest account and the accounts used for anonymous website
    access are added to that group. The group the IIS Lockdown creates will remain
    even if IIS is disabled or removed from the computer.

    http://support.microsoft.com/default.aspx?scid=kb%3BEN-US%3B325864

    There are some free security guides that are excellent and contain security
    templates that can enhance security to the \winnt folder over a default
    installation and also discuss several other ways to secure a W2K computer based
    on it's role such as user rights, security options, account policy, registry
    settings, and services. The links below are for the Windows 2000 Security
    Hardening Guide and a general link that includes the NSA Security Guides. These
    guides are mostly specific to the operating system and of course measures such
    as a properly configured firewall, patch management, and virus protection are
    needed. I also recommend that any server be configured like Windows 2003 Server
    is out of the box in regards to Internet Explorer security settings as in the
    last link. --- Steve

    http://www.microsoft.com/technet/security/prodtech/win2000/win2khg/default.mspx
    http://www.infosec.uga.edu/windows.html
    http://support.microsoft.com/default.aspx?scid=kb;en-us;815141 --- IE enhanced
    security settings.

    "Toby" <anonymous@discussions.microsoft.com> wrote in message
    news:827e01c477c5$bde01b20$a501280a@phx.gbl...
    >
    > Hi
    > I have Win2000 servers on which I need to apply and
    > lockdown permissions.
    > Obviously the System group will need to have FUll
    > permssions and also the administrators group, but I need
    > to reduce internal and external vunlerabilities. I've
    > created all necessary Group Policies and want to go that
    > little further by not allowing normal users to run/access
    > prgrams here.
    > So far I've given users read, execute and list permissions
    > but I need to narrow this down to only the files required
    > for them to login successfully.
    > I would like to only have System and administrator group
    > with permissions in System32 but realise certain files and
    > diriectories (ie. Group Policy) need permssions for normal
    > users to login successfully. ..
    > Does anyone know what they might be...?
    >
Ask a new question

Read More

System32 Permissions Windows