Is every user a member of Users?

Archived from groups: microsoft.public.win2000.security

After trying to secure a stand alone PC I have come to the conclusion
that a user that is not a member of group Users, is nevertheless
implicitly part of that group.

Am I correct?
--
Les Desser
(The Reply-to address IS valid)
 

The membership in the Users group is only exactly what
is shown when you view it.
Now, in a default scenario you will see that Interactive
and Authenticated Users are nested within Users.
Due to these any account that logs in locally or any account
that is authenticated (respectively) will become a Users
member during that login/usage.
These groups do not have to be nested within Users, but
when removed one does need to understand what they have
been enabling so that the parts of that which are needed can
be provided.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:cDBxg5Aahd2BFANf@dessergroup.onetel.co.uk...
> After trying to secure a stand alone PC I have come to the conclusion
> that a user that is not a member of group Users, is nevertheless
> implicitly part of that group.
>
> Am I correct?
> --
> Les Desser
> (The Reply-to address IS valid)
 

Yes. Anyone who logs on locally for instance is a member of the
Authenticated Users group, which is a member of the Users group. Use
"net localgroup users" to see that, and use the gpresult support tool to see
all the groups that a user is a member of. Always be extremely careful
when configuring deny user rights when adding the Users or Everyone groups.
Exactly what are you trying to secure? --- Steve



"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:cDBxg5Aahd2BFANf@dessergroup.onetel.co.uk...
> After trying to secure a stand alone PC I have come to the conclusion that
> a user that is not a member of group Users, is nevertheless implicitly
> part of that group.
>
> Am I correct?
> --
> Les Desser
> (The Reply-to address IS valid)
 

In article <x5mCd.20234$wu4.14984@attbi_s52>, Steven L Umbach
<n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 01:14:05 writes

>Yes. Anyone who logs on locally for instance is a member of the
>authenticated users group which is a member of the users group. Use the
>" net localgroup users " to see that and use the gpresult support tool
>to see all the groups that a user is a member of.

At least that makes a bit more sense - see below

> Always be extremely carefully when configuring deny user rights when
>adding the users or everyone groups. Exactly what are you trying to
>secure?

I was trying to secure a stand alone W2K Pro PC so that a guest could
browse the web and play some mp3 files but nothing else.

I created a Visitors group and a Visitor user to be its member (rather
than using Guests/Guest), and Visitor was not a member of Users, and
nevertheless Visitor could go anywhere until I removed all permissions
for Users.

I cannot understand having such a security model where Users/User exist
and are granted permissions by default, but if membership of Users is
removed from a user it is STILL a member of Users.

If Users is something special then it should not be possible to assign a
user explicitly to the Users group - something that is done all over the
place by default.

You live and learn - thanks for the quick response. I see bringing
knowledge of a security model from elsewhere to Windows may be
dangerous.

I will pass your response on to grc.techtalk, where I have come from to get
this sorted.

Thanks again.
--
Les Desser
(The Reply-to address IS valid)
 

The fact that a user can not be removed from the user group is probably to
prevent denial of service attacks against the operating system similar in a
way that the built in administrator account can not be removed from the
local administrators group.

If you wish to restrict a user, add that user to a group and then use
NTFS/registry permissions, user rights, and Group Policy to restrict the
user. It is more difficult to use Group Policy to lock down a user/group on a
stand alone computer though, as by default Group Policy applies to all local
users, though there are hacks that can change that to exempt local users from
Group Policy. For instance you may be able to use Local Group Policy -
gpedit.msc and restrict the user via user configuration/administrative
tools/system, where you can configure the setting for allowed Windows
applications. If left blank the user will only be able to log on to the
operating system and nothing else until you populate the allowed application
list, which may be harder than expected as some applications depend on other
executables to run, though filemon from SysInternals would be very helpful in
sorting that out. The guest account in Windows 2000 also will not save the
guest user profile when the guest logs off. --- Steve

http://www.jsiinc.com/sube/tip2400/rh2492.htm -- filtering local Group
Policy.

"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:yhvaIKBgTf2BFArC@dessergroup.onetel.co.uk...
> In article <x5mCd.20234$wu4.14984@attbi_s52>, Steven L Umbach
> <n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 01:14:05 writes
>
>>Yes. Anyone who logs on locally for instance is a member of the
>>authenticated users group which is a member of the users group. Use the "
>>net localgroup users " to see that and use the gpresult support tool to
>>see all the groups that a user is a member of.
>
> At least that makes a bit more sense - see below
>
>> Always be extremely carefully when configuring deny user rights when
>> adding the users or everyone groups. Exactly what are you trying to
>> secure?
>
> I was trying to secure a stand alone W2K Pro PC so that a guest could
> browse the web and play some mp3 files but nothing else.
>
> I created a Visitors group and a Visitor user to be its member (rather
> then using Gusts/Guest) and Visitor was not a member of Users and
> nevertheless Visitor could go anywhere until I removed all permissions for
> Users.
>
> I cannot understand having such a security model where Users/User exist
> and are granted permissions by default, but if membership of Users is
> removed from a user it is STILL a member of Users.
>
> If Users is something special then it should not be possible to assign a
> user explicitly to the Users group - something that is done all over the
> place by default.
>
> You live and learn - thanks for the quick response. I see bringing
> knowledge of a security model from elsewhere to Windows may be dangerous.
>
> I will pass your response on grc.techtalk where I have come from to get
> this sorted.
>
> Thanks again.
> --
> Les Desser
> (The Reply-to address IS valid)
 

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:e7oCd.275281$5K2.222729@attbi_s03...
> The fact that a user can not be removed from the user group is probably to
> prevent denial of service attacks against the operating system similar in a
> way that the built in administrator account can not be removed from the
> local administrators group.

Actually not all users are members of the Users group
and this is NOT a "special group", so any user not
a member of the group is not added dynamically.

Such groups include Everyone, Authenticated Users,
Interactive etc.

As Roger says, what you see is what you get EXCEPT
if one of these automatic (or a Global) groups is a member,
in which case you get all the (current) members of the
included group(s).

Users are added to Users automatically on creation
BY DEFAULT, but it can be avoided with certain tools.

For instance the IIS anonymous group is added to Guests
instead.

You cannot remove someone from Users unless you first
get their "default group" (which is mostly for Macintosh
support) changed to another group, so this also means that
users must be a member of at least one group.
 

"Herb Martin" <news@LearnQuick.com> wrote in message
news:uTnGE8h8EHA.3012@TK2MSFTNGP09.phx.gbl...
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:e7oCd.275281$5K2.222729@attbi_s03...
> > The fact that a user can not be removed from the user group is probably to
> > prevent denial of service attacks against the operating system similar in a
> > way that the built in administrator account can not be removed from the
> > local administrators group.
>
> Actually not all user are members of the Users group
> and this is NOT a "special group" so any user not
> a member of the group is not added dynamically.
>
> Such groups include Everyone, Authenticated Users,
> Interactive etc.
>
> As Roger says, what you see is what you get EXCEPT
> if one of these automatic (or a Global) group is a member
> in which case you get all the (current) members of the
> included group(s).
>
> User's are added to Users automatically on creation
> BY DEFAULT but it can be avoided with certain tools.
>
> For instance the IIS anonymous group is added to Guests
> instead.
>
> You cannot remove someone from Users unless you first
> get their "default group"(which is mostly for Macintosh
> support) change to another group so this also means that
> users must be a member of at least one group.
>


. . . for which purpose I sometimes define a Dummy group
that is not used anywhere, except to have accounts' Primary
Group set to Dummy so that they may be removed from their
default (at creation) Primary Group.

Generally I have found that if an account is to be used for
local logon (whether with keyboard or just by logon type)
then that account needs to be in Users (hence INTERACTIVE
being in Users is useful). However, the same does not hold
if the account is only going to make use of network logins.

--
Roger Abell
 

In article <e8tCduf8EHA.3820@TK2MSFTNGP11.phx.gbl>, Roger Abell
<mvpNOSpam@asu.edu> Mon, 3 Jan 2005 18:23:36 writes

>The membership in the Users group is only exactly what is shown when
>you view it. Now, in a default scenario you will see that Interactive
>and Authenticated Users are nested within Users.

Please do you have any pointers as to where I can see this on the system
or at least read about it.

> Due to these any account that logs in locally or any account that is
>authenticated (respectively) will become a Users member during that
>login/usage. These groups do not have to be nested within Users, but
>when removed one does need to understand what they have been enabling
>so that the parts of that which are needed can be provided.

More reading - groan! :)

I am just a starter on the Windows security front, but as I see it:-

Users is a system group (like SYSTEM) (I wonder if I can delete it) and
it should not be possible to assign anyone to this group. What strange
mind thought up a structure that allows me to remove membership of a
user from a specific group, but the user still remains (in 99.99% of the
time) a member via a hidden route.

Also, why does Windows put every newly created user explicitly into the
Users group? - and thereby totally confuse poor punters like me.
--
Les Desser
(The Reply-to address IS valid)
 

If you look at a Group with the Users and Groups tools
(Computer Manager) or AD Users/Computers or any
of the command line tools then "what you see is what
you get" as long as you FOLLOW any references to
other groups.

E.g., if GroupA includes GroupB, then the members
of GroupB are effectively members of GroupA.

--
Herb Martin


"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:T30y9wGOMo2BFA+A@dessergroup.onetel.co.uk...
> In article <e8tCduf8EHA.3820@TK2MSFTNGP11.phx.gbl>, Roger Abell
> <mvpNOSpam@asu.edu> Mon, 3 Jan 2005 18:23:36 writes
>
> >The membership in the Users group is only exactly what is shown when
> >you view it. Now, in a default scenario you will see that Interactive
> >and Authenticated Users are nested within Users.
>
> Please do you have any pointers as to where I can see this on the system
> or at least read about it.
>
> > Due to these any account that logs in locally or any account that is
> >authenticated (respectively) will become a Users member during that
> >login/usage. These groups do not have to be nested within Users, but
> >when removed one does need to understand what they have been enabling
> >so that the parts of that which are needed can be provided.
>
> More reading - groan! :)
>
> I am just a starter on the Windows security front, but as I see it:-
>
> Users is a sytem group (like SYSTEM) (I wonder if I can delete it) and
> it should not be possible to assign anyone to this group. What strange
> mind thought up a structure that allows me to remove membership of a
> user from a specific group, but the user still remains (in 99.99% of the
> time) a member via a hidden route.
>
> Also, why does Windows put every newly created user explicitly into the
> Users group? - and thereby totally confuse poor punters like me.
> --
> Les Desser
> (The Reply-to address IS valid)
 

In article <e7oCd.275281$5K2.222729@attbi_s03>, Steven L Umbach
<n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 03:32:31 writes

>If you wish to restrict a user add that user to a group and then use
>ntfs/registry permissions, user rights, and Group Policy
...[Snipped for later reading]

I have taken a different route - maybe causing some damage on the way.
(This is a holiday flat PC so I am not too concerned - more interested
in learning about security issues)

I have removed Users from all security permissions for all
drives/folders and have created my own group to allow a fine level of
control.

Securing Program Files and WINNT[1] took a bit of fiddling to allow
users to run applications.

My Visitor can now play mp3 files in a subfolder of a drive to which they
are otherwise barred, and they are barred from all other drives but can
still browse the web and open applications. Other users seem to have
normal access.

[1] WINNT had separate security for each sub-folder - no inheritance. I
have changed that to inherit the settings from WINNT - we will see what
happens in the longer term.
--
Les Desser
(The Reply-to address IS valid)
 

"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:c3DxNlHSWo2BFA+X@dessergroup.onetel.co.uk...
> In article <e7oCd.275281$5K2.222729@attbi_s03>, Steven L Umbach
> <n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 03:32:31 writes
>
> >If you wish to restrict a user add that user to a group and then use
> >ntfs/registry permissions, user rights, and Group Policy
> ..[Snipped for later reading]
>
> I have taken a different route - maybe causing some damage on the way.
> (This is a holiday flat PC so I am not too concerned - more interested
> in learning about security issues)

> I have removed Users from all security permissions for all
> drives/folders and have created my own group to allow a fine level of
> control.
>

That [the principle of giving correct permissions
rather than just defaults] is a really good practice, but
few do it, and it can be frustrated by tools like FrontPage,
which takes (has traditionally taken?) a very simplistic
attitude to setting the permissions on a web server.

Another good move is to substitute such groups for
most references to Everyone, or at least get
Authenticated Users substituted for it.

> Securing Program Files and WINNT[1] took a bit of fiddling to allow
> users to run applications.


> My Visitor can now play mp3 files in a subfolder of drive to which they
> are otherwise barred, and they are barred to all other drives but can
> still browse the web and open applications. Other users seem to have
> normal access.
>
> [1] WINNT had separate security for each sub-folder - no inheritance. I
> have changed that to inherit the settings from WINNT - we will see what
> happens in the longer term.


--
Herb Martin


> --
> Les Desser
> (The Reply-to address IS valid)
 

That can also work well using a different approach to the same strategy,
particularly on non-system folders. I don't like fiddling with permissions
in the \winnt folder without a lot of testing and generally do not recommend
it. However, I have not had problems with adding "authenticated users" to the
system folder and then removing users and everyone [which the NSA security
guide also recommends].

The IIS lockdown tool is interesting in that it will create a new group and
give that group deny permissions to many binaries in the system folder and
other folders on the computer. You can then add a user to that folder to make
sure they do not have access to those binaries [ping, arp, attrib, etc]. The
biggest problems usually arise with deny permissions in that unintended
users, such as administrators, also end up being affected. Many also seem to
forget that not having permissions is an implicit deny.

It is a good idea to take an image of a computer before doing major changes
to permissions. It takes me about 5 minutes to restore a 5 gig partition from
a Ghost image so that I can start over.

If you want a good book on configuring Windows security, the Microsoft
Windows Security Resource Kit is a good read, and you can buy one from one of
the used book vendors on Amazon for less than ten dollars. I buy a lot of
books that way. Many are books with a bent corner or such that can not be
sold as new. For a non-Microsoft perspective, Hacking Exposed Windows 2003 is
worth a read. --- Steve


"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:c3DxNlHSWo2BFA+X@dessergroup.onetel.co.uk...
> In article <e7oCd.275281$5K2.222729@attbi_s03>, Steven L Umbach
> <n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 03:32:31 writes
>
>>If you wish to restrict a user add that user to a group and then use
>>ntfs/registry permissions, user rights, and Group Policy
> ..[Snipped for later reading]
>
> I have taken a different route - maybe causing some damage on the way.
> (This is a holiday flat PC so I am not too concerned - more interested in
> learning about security issues)
>
> I have removed Users from all security permissions for all drives/folders
> and have created my own group to allow a fine level of control.
>
> Securing Program Files and WINNT[1] took a bit of fiddling to allow users
> to run applications.
>
> My Visitor can now play mp3 files in a subfolder of drive to which they
> are otherwise barred, and they are barred to all other drives but can
> still browse the web and open applications. Other users seem to have
> normal access.
>
> [1] WINNT had separate security for each sub-folder - no inheritance. I
> have changed that to inherit the settings from WINNT - we will see what
> happens in the longer term.
> --
> Les Desser
> (The Reply-to address IS valid)
 

Along this line is a relatively advanced technique where
a group is created (e.g., DenyModify) and everyone who
normally has Change permissions is added, e.g., for the
System32 folder this might be applied to every EXE, DLL,
SYS, DRV, etc. (executable) and contain the administrators
& even System so that on a "normal day" even admins
cannot update these files.

During upgrades -- one removes the admins or system
and then restores the group afterwards (the permissions
technically stay in effect the whole time on the files, but
by logging on and off the admins' effective permissions
change.)

Now, it might be the case that some virus, trojan, or
cracker might be able to work through this roadblock, but
the practical effect is that practically none of them
will (be able to) do so.

--
Herb Martin


"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:t3BCd.617183$wV.434580@attbi_s54...
> That can also work well using a different approach to the same strategy,
> particularly on non system folders. I don't like fiddling with permissions
> in the \winnt folder without a lot of testing and generally do not recommend
> it. However I have not had problems with adding "authenticated users" to
> system folder and then removing users and everyone [which NSA security guide
> also recommends]. The IIS lockdown tool is interesting in that it will
> create a new group and give that group deny permissions to many binaries in
> the system folder and other folders on the computer. You can then add a user
> to that folder to make sure they do not have access to those binaries [ping,
> arp, attrib, etc]. The biggest problems usually arise with deny permissions
> in that unintended users, such as administrators, also end up being
> affected. Many also seem to forget that not having permissions is an
> implicit deny. It is a good idea to take an image of a computer before doing
> major changes to permissions. It takes me about 5 minutes to restore a 5 gig
> partition from a Ghost image so that I can start over. If you want a good
> book on configuring Windows security the Microsoft Windows Security Resource
> Kit is a good read and you can buy one from one of the used book vendors on
> Amazon for less than ten dollars. I buy a lot of books that way. Many are
> books with a bent corner or such that can not be sold as new. For a non
> Microsoft perspective the Hacking Exposed Windows 2003 is worth a read. ---
> Steve
>
>
> "Les Desser" <NewsDump1@dessergroup.com> wrote in message
> news:c3DxNlHSWo2BFA+X@dessergroup.onetel.co.uk...
> > In article <e7oCd.275281$5K2.222729@attbi_s03>, Steven L Umbach
> > <n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 03:32:31 writes
> >
> > >>If you wish to restrict a user add that user to a group and then use
> > >>ntfs/registry permissions, user rights, and Group Policy
> > > ..[Snipped for later reading]
> >
> > > I have taken a different route - maybe causing some damage on the way.
> > > (This is a holiday flat PC so I am not too concerned - more interested in
> > > learning about security issues)
> > >
> > > I have removed Users from all security permissions for all drives/folders
> > > and have created my own group to allow a fine level of control.
> > >
> > > Securing Program Files and WINNT[1] took a bit of fiddling to allow users
> > > to run applications.
> > >
> > > My Visitor can now play mp3 files in a subfolder of drive to which they
> > > are otherwise barred, and they are barred to all other drives but can
> > > still browse the web and open applications. Other users seem to have
> > > normal access.
> > >
> > > [1] WINNT had separate security for each sub-folder - no inheritance. I
> > > have changed that to inherit the settings from WINNT - we will see what
> > > happens in the longer term.
> > --
> > Les Desser
> > (The Reply-to address IS valid)
>
>
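Herb's DenyModify group, and Steve's two warnings just above it (a deny ACE also catches unintended members such as administrators, and having no permission at all is already a deny), all fall out of the order in which a DACL is walked. The following Python is an added example, not code from the thread or from Windows: a simplified model of the access check over constructed group and ACL data, with only the DenyModify idea taken from the discussion.

```python
"""Simplified model of a Windows DACL access check.

Added example, not from the thread. The rights bits, the ACL on the sample
binary and the group memberships are all constructed; only the DenyModify
group idea comes from the discussion. Group nesting is ignored here: tokens
are built from direct membership only.
"""
from typing import Dict, List, NamedTuple, Set

# A reduced set of access rights (real NTFS masks carry many more bits).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
FULL = READ | WRITE | EXECUTE


class Ace(NamedTuple):
    kind: str       # "allow" or "deny"
    trustee: str    # account or group name the ACE applies to
    rights: int     # access mask the ACE allows or denies


def build_token(user: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Principals in an access token. A token is built at logon and is not
    refreshed when group membership changes: the user must log off and on."""
    return {user} | {g for g, members in groups.items() if user in members}


def access_check(token: Set[str], dacl: List[Ace], requested: int) -> bool:
    """Walk the DACL in order, as the Windows reference monitor does.

    * A deny ACE for a trustee in the token denies access if it covers any
      requested right that has not yet been granted.
    * An allow ACE removes its rights from the outstanding request; access is
      granted as soon as nothing is outstanding.
    * Reaching the end with rights still outstanding is a denial: an ACL that
      simply does not mention you is an implicit deny.
    """
    outstanding = requested
    for ace in dacl:
        if ace.trustee not in token:
            continue
        if ace.kind == "deny":
            if ace.rights & outstanding:
                return False
        elif ace.kind == "allow":
            outstanding &= ~ace.rights
            if outstanding == 0:
                return True
    return False


def canonical(dacl: List[Ace]) -> List[Ace]:
    """Order explicit deny ACEs before allow ACEs, as the ACL editor does.
    Because the walk stops at the first ACE that satisfies the request, an
    allow placed ahead of a deny would let the deny be bypassed."""
    return ([a for a in dacl if a.kind == "deny"]
            + [a for a in dacl if a.kind == "allow"])


# Constructed ACL on a file such as a System32 executable: the usual grants
# plus a deny of WRITE to the DenyModify group.
SYSTEM32_EXE_DACL = canonical([
    Ace("allow", "SYSTEM", FULL),
    Ace("allow", "Administrators", FULL),
    Ace("allow", "Users", READ | EXECUTE),
    Ace("deny", "DenyModify", WRITE),
])

# Constructed group database on a "normal day": the admin is in DenyModify.
NORMAL_DAY: Dict[str, Set[str]] = {
    "Administrators": {"Administrator"},
    "Users": {"Administrator", "Alice"},
    "Visitors": {"Visitor"},
    "DenyModify": {"Administrator", "SYSTEM"},
}

# During an upgrade the admin is taken out of DenyModify again.
UPGRADE_DAY: Dict[str, Set[str]] = {**NORMAL_DAY, "DenyModify": {"SYSTEM"}}


def can_write(user: str, groups: Dict[str, Set[str]]) -> bool:
    """Would a token built at logon against `groups` be allowed to write?"""
    return access_check(build_token(user, groups), SYSTEM32_EXE_DACL, WRITE)


if __name__ == "__main__":
    stale = build_token("Administrator", NORMAL_DAY)     # logged on yesterday
    print("admin can run:   ", access_check(stale, SYSTEM32_EXE_DACL, READ | EXECUTE))
    print("admin can write: ", access_check(stale, SYSTEM32_EXE_DACL, WRITE))
    print("after removal, same session:", access_check(stale, SYSTEM32_EXE_DACL, WRITE))
    print("after removal, re-logon:    ", can_write("Administrator", UPGRADE_DAY))
    print("Visitor can read (no ACE):  ",
          access_check(build_token("Visitor", NORMAL_DAY), SYSTEM32_EXE_DACL, READ))
```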
 

In article <uDy$s7l8EHA.1228@tk2msftngp13.phx.gbl>, Herb Martin
<news@LearnQuick.com> Tue, 4 Jan 2005 07:02:08 writes

>E.g., if GroupA includes GroupB, then the members of GroupB are
>effectively members of GroupA.

I vote that groups should not be able to include other groups :)

I did write that rather tongue-in-cheek and from a standpoint of someone
who is a starter in the area of Windows security, but on further
reflection it has merit. There is a lot to be said for transparency and
once you embed groups within groups one starts to lose the picture
rather fast.
--
Les Desser
(The Reply-to address IS valid)
 

In article <c3DxNlHSWo2BFA+X@dessergroup.onetel.co.uk>, Les Desser
<NewsDump1@dessergroup.com> Tue, 4 Jan 2005 12:01:22 writes

>I have taken a different route - maybe causing some damage on the way.
>(This is a holiday flat PC so I am not too concerned - more interested
>in learning about security issues)

Seems like I have done something :(

As well as the Visitor user, I have created a standard user who is not a
member of Administrators.

When using that profile (as well as Visitors) I can no longer open .jpg
files. MS Photo Editor opens but then gives the error
"No file format information can be found in the Registry".

If I add that user to Administrators then it works - so it must be some
authority problem.

Thanks in anticipation.
--
Les Desser
(The Reply-to address IS valid)
 

I can see the point of view, but in larger environments
seeing that a groupX is composed of groupA, groupB,
and groupC, whereas groupY is composed of groupA
and groupD only, is highly useful, where groupA, B, C,
D, etc. are fundamental categories of accounts, such as
by roles that they hold in the corp (or family).
The alternative, just seeing a long list of users in
groupX and groupY, is error prone.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:xve6beFmVw2BFAas@dessergroup.onetel.co.uk...
> In article <uDy$s7l8EHA.1228@tk2msftngp13.phx.gbl>, Herb Martin
> <news@LearnQuick.com> Tue, 4 Jan 2005 07:02:08 writes
>
> >E.g., if GroupA includes GroupB, then the members of GroupB are
> >effectively members of GroupA.
>
> I vote that groups should not be able to include other groups :)
>
> I did write that rather tongue-in-cheek and from a standpoint of someone
> who is a starter in the area of Windows security, but on further
> reflection it has merit. There is a lot to be said for transparency and
> once you embed groups within groups one starts to lose the picture
> rather fast.
> --
> Les Desser
> (The Reply-to address IS valid)
 

"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:xve6beFmVw2BFAas@dessergroup.onetel.co.uk...
> In article <uDy$s7l8EHA.1228@tk2msftngp13.phx.gbl>, Herb Martin
> <news@LearnQuick.com> Tue, 4 Jan 2005 07:02:08 writes
>
> >E.g., if GroupA includes GroupB, then the members of GroupB are
> >effectively members of GroupA.
>
> I vote that groups should not be able to include other groups :)

Then you will hate NATIVE mode where they can be
arbitrarily nested, e.g., Global in Global ... in Universal
in Universal ... in Local ....

> I did write that rather tongue-in-cheek and from a standpoint of someone
> who is a starter in the area of Windows security, but on further
> reflection it has merit.

It is a practical necessity for large domains, but makes
managing even a few hundred users much easier if
you design the structure well.

> There is a lot to be said for transparency and
> once you embed groups within groups one starts to lose the picture
> rather fast.

This probably stems from not setting up the groups
to follow a well-thought-out picture -- design -- to
start.

Local groups REALLY represent "a collection of
resources/permissions and/or set of rights for doing
some job", while Global groups really should be
the ones that represent "a bunch of users who should
be given some privilege the same way."

None of the books tell you that -- most authors
(and therefore admins) continue to think of Local
groups as primarily representing USERS instead
of a set of resources.
 

lusrmgr.msc run at a cmd prompt (as you refer to
c:\winnt should I assume this is Windows 2000?)
lets you see the group structure in all existing detail.

Originally Users only held accounts. Later MS invented
Interactive and Authenticated Users and nested these
within. This was as much as anything a response to the
fact that the OS had grown in ways such that if an account
was not a member of Users then things would fail in an
interactive login. It is not just the NTFS permissions in
the system folders, but also a matter of permissions on the
COM components and registry keys, where some grants are
to the Users group.

I think historically the intent was to have Guests, Users,
and Administrators with these three being allowed a tiered
increase in capability. However, things were IMO not kept
fully clean, and for all practical purposes the distinction
between Guest and any Users member became lost and also
impossible for interactive login. In large part this was a
response to MS observing the common (and reasonable)
practice of removing the default grants to Everyone (which
used to allow Guest to function interactively).

By the way, although it looks like a group in the icon used,
System is best thought of not as a group but as an account.
I think it is treated as a group because in a stand-alone install
the Local System account (which is used to fire up most of the
core components/services of the OS) is System, but once the
machine is joined to a domain then the domain\Machine$
account also is System.

Aside from accounts and normal groups, you will find some
"group-like" predefined principals used (Interactive, Network,
Authenticated Users, Creator Owner, etc.) whose membership
you cannot adjust. These are like place-holders which get
substituted with the "then current" account if the criteria of
the place being held are satisfied. If I have logged in as UserX
at the keyboard, then UserX actually appears in the security
access checks where Interactive is seen when viewing the
definitions, etc.

--
Roger
"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:T30y9wGOMo2BFA+A@dessergroup.onetel.co.uk...
> In article <e8tCduf8EHA.3820@TK2MSFTNGP11.phx.gbl>, Roger Abell
> <mvpNOSpam@asu.edu> Mon, 3 Jan 2005 18:23:36 writes
>
> >The membership in the Users group is only exactly what is shown when
> >you view it. Now, in a default scenario you will see that Interactive
> >and Authenticated Users are nested within Users.
>
> Please do you have any pointers as to where I can see this on the system
> or at least read about it.
>
> > Due to these any account that logs in locally or any account that is
> >authenticated (respectively) will become a Users member during that
> >login/usage. These groups do not have to be nested within Users, but
> >when removed one does need to understand what they have been enabling
> >so that the parts of that which are needed can be provided.
>
> More reading - groan! :)
>
> I am just a starter on the Windows security front, but as I see it:-
>
> Users is a sytem group (like SYSTEM) (I wonder if I can delete it) and
> it should not be possible to assign anyone to this group. What strange
> mind thought up a structure that allows me to remove membership of a
> user from a specific group, but the user still remains (in 99.99% of the
> time) a member via a hidden route.
>
> Also, why does Windows put every newly created user explicitly into the
> Users group? - and thereby totally confuse poor punters like me.
> --
> Les Desser
> (The Reply-to address IS valid)
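Herb's rule earlier in the thread (if GroupA includes GroupB, GroupB's members are effectively in GroupA) and Roger's description above of INTERACTIVE and Authenticated Users as placeholders filled in at logon can be modelled together. The following Python is an added example, not code from the thread or from Windows: a simplified model of how a logon token picks up nested and well-known group membership, with the group layout and the Visitor/Visitors names constructed to match Les's setup.

```python
"""Model of how a logon token picks up nested and well-known group membership.

Added example, not from the thread. The account, group names and nesting are
constructed; they mirror the Windows 2000 default in which INTERACTIVE and
Authenticated Users are nested inside Users. Guest and anonymous logons are
ignored for simplicity, so every logon counts as authenticated here.
"""
from collections import deque
from typing import Dict, FrozenSet, List, Optional, Set


def logon_principals(logon_type: str) -> Set[str]:
    """Well-known principals the system adds to a token at logon.

    Their membership is never stored anywhere; each stands for "whoever is
    logged on this way", which is why it looks like a group but cannot be
    edited.
    """
    sids = {"Everyone", "Authenticated Users"}
    if logon_type == "interactive":      # logged on at the keyboard
        sids.add("INTERACTIVE")
    elif logon_type == "network":        # e.g. accessing a share remotely
        sids.add("NETWORK")
    else:
        raise ValueError(f"unknown logon type: {logon_type}")
    return sids


def effective_groups(user: str, logon_type: str,
                     groups: Dict[str, Set[str]]) -> FrozenSet[str]:
    """Every group `user` is effectively in for this logon.

    `groups` maps a group name to its stored member list, which may hold
    accounts, other groups or well-known principals. Membership is transitive:
    if GroupA lists GroupB as a member, members of GroupB are in GroupA.
    """
    token = {user} | logon_principals(logon_type)
    changed = True
    while changed:                       # iterate to a fixed point over nesting
        changed = False
        for group, members in groups.items():
            if group not in token and members & token:
                token.add(group)
                changed = True
    return frozenset(token - {user})


def membership_path(user: str, target: str, logon_type: str,
                    groups: Dict[str, Set[str]]) -> Optional[List[str]]:
    """Shortest chain explaining why `user` ends up in `target`, or None.

    Each hop is a logon-time substitution (account -> well-known principal)
    or a stored membership (member -> containing group). This is the "hidden
    route" the group editor only reveals if you follow each reference.
    """
    contains: Dict[str, Set[str]] = {}
    for group, members in groups.items():
        for member in members:
            contains.setdefault(member, set()).add(group)
    contains.setdefault(user, set()).update(logon_principals(logon_type))

    queue = deque([[user]])
    seen = {user}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(contains.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


# Constructed local group database: the Windows 2000 default nesting plus a
# custom Visitors group. Note that Visitor is not listed under Users.
DEFAULT_GROUPS: Dict[str, Set[str]] = {
    "Administrators": {"Administrator"},
    "Users": {"INTERACTIVE", "Authenticated Users"},
    "Guests": {"Guest"},
    "Visitors": {"Visitor"},
}

# The same database after the two nested principals are removed from Users.
FLAT_GROUPS: Dict[str, Set[str]] = {**DEFAULT_GROUPS, "Users": set()}


if __name__ == "__main__":
    for label, db in (("default", DEFAULT_GROUPS), ("flattened", FLAT_GROUPS)):
        groups = effective_groups("Visitor", "interactive", db)
        print(f"{label}: Visitor in Users? {'Users' in groups}")
        print("  route:", membership_path("Visitor", "Users", "interactive", db))
```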
 

> Securing Program Files and WINNT[1] took a bit of fiddling to allow
> users to run applications.

Les, you will have also noticed that many of the individual files
have their NTFS permissions explicitly set also.

Let us know what OS version you are using, as things have changed
some between them, and we can refer you to the master file that is
used to set the install default permissions on these folders and files.
The template is actually just a plain text file, and one can do a global
replace on it to change the two characters representing "Users" with
the SID of the custom group - meaning one can come up with a template
that sets security so that Users is not used but the custom group has the
settings instead. One can edit the template and then remove the
custom group from the items desired.

I do not really advocate doing this as a standard practice, and there
are so very many (and ill-documented) dependencies; but, the template
does provide for quick reproducibility and so facilitate experimentation
especially if combined with something like VMware or VirtualPC where
you just make a copy of the base OS filetree, boot it, fool around, and
delete the copy when done if things are not liked or disastrous.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:c3DxNlHSWo2BFA+X@dessergroup.onetel.co.uk...
> In article <e7oCd.275281$5K2.222729@attbi_s03>, Steven L Umbach
> <n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 03:32:31 writes
>
> >If you wish to restrict a user add that user to a group and then use
> >ntfs/registry permissions, user rights, and Group Policy
> ..[Snipped for later reading]
>
> I have taken a different route - maybe causing some damage on the way.
> (This is a holiday flat PC so I am not too concerned - more interested
> in learning about security issues)
>
> I have removed Users from all security permissions for all
> drives/folders and have created my own group to allow a fine level of
> control.
>
> Securing Program Files and WINNT[1] took a bit of fiddling to allow
> users to run applications.
>
> My Visitor can now play mp3 files in a subfolder of drive to which they
> are otherwise barred, and they are barred to all other drives but can
> still browse the web and open applications. Other users seem to have
> normal access.
>
> [1] WINNT had separate security for each sub-folder - no inheritance. I
> have changed that to inherit the settings from WINNT - we will see what
> happens in the longer term.
> --
> Les Desser
> (The Reply-to address IS valid)
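Roger's suggestion of editing the security template so that a custom group takes the place of Users, as an added example (not code from this thread, from Microsoft, or from the Windows default template): in a security template the file and registry ACLs are SDDL strings, and Built-in Users (SID S-1-5-32-545) appears in them as the two-character trustee alias BU, which is presumably the "two characters" Roger refers to. The template fragment, the paths and the custom group SID below are constructed placeholders. The script rewrites only the trustee field of each ACE, because a plain global replace of "BU" would also corrupt any path or other text containing those two letters (the constructed BUILD.txt line shows that case).

```python
"""Rewrite the ACEs of a security template so a custom group replaces
Built-in Users (SDDL trustee alias "BU", SID S-1-5-32-545).

Constructed example; the template text below is illustrative and is not
the Windows default security template.
"""
import re

# Constructed [File Security] entries in template syntax:
#   "path",inheritance_mode,"SDDL"
# Paths, ACEs and rights masks are illustrative only.
SAMPLE_TEMPLATE = r'''[Unicode]
Unicode=yes
[File Security]
"%SystemRoot%",0,"D:AR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
"%ProgramFiles%",0,"D:AR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)(A;OICI;FA;;;SY)"
"%SystemRoot%\BUILD.txt",0,"D:AR(A;;FA;;;BA)(A;;FR;;;BU)"
'''

BUILTIN_USERS_ALIAS = "BU"
# Placeholder SID for the owner's custom group (e.g. "Family" in the thread).
CUSTOM_GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1005"

# One ACE is "(type;flags;rights;object_guid;inherit_guid;trustee)".
# Matching the six fields lets us touch only the trustee, never a path.
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")


def replace_trustee(sddl, old_trustee, new_trustee):
    """Swap the trustee of every ACE that is granted/denied to old_trustee."""
    def sub(match):
        fields = list(match.groups())
        if fields[5] == old_trustee:
            fields[5] = new_trustee
        return "(" + ";".join(fields) + ")"
    return ACE_RE.sub(sub, sddl)


def rewrite_template(text, old_trustee=BUILTIN_USERS_ALIAS, new_trustee=CUSTOM_GROUP_SID):
    """Apply replace_trustee to the ACL entries of the [File Security] section."""
    out = []
    in_file_security = False
    for line in text.splitlines():
        if line.startswith("["):
            in_file_security = line.strip().lower() == "[file security]"
        if in_file_security and line.startswith('"'):
            line = replace_trustee(line, old_trustee, new_trustee)
        out.append(line)
    return "\n".join(out) + "\n"


def count_trustee(text, trustee):
    """Number of ACEs in text whose trustee is exactly `trustee`."""
    return sum(1 for m in ACE_RE.finditer(text) if m.group(6) == trustee)


if __name__ == "__main__":
    rewritten = rewrite_template(SAMPLE_TEMPLATE)
    print(rewritten)
    print("BU entries before:", count_trustee(SAMPLE_TEMPLATE, "BU"),
          "after:", count_trustee(rewritten, "BU"))
```

The rewritten template still grants Administrators and SYSTEM exactly what it did before; only the entries that named BU now name the custom group's SID, and the path `BUILD.txt` survives intact. On a real machine the edited copy, not the original, would then be applied with secedit, which is the reproducibility Roger describes.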
 
Archived from groups: microsoft.public.win2000.security

In article <#OdJRdu8EHA.3416@TK2MSFTNGP09.phx.gbl>, Roger Abell
<mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:30:53 writes

>Les, you will have also noticed that many of the individual files have
>their NTFS permissions explicitly set also.
>
>Let us know what OS version you are using

W2K SP4

>, as things have changed some between them, and we can refer you to the
>master file that is used to set the install default permissions on
>these folders and files.

Thanks
--
Les Desser
(The Reply-to address IS valid)
 
 
Archived from groups: microsoft.public.win2000.security

In article <umJHL7t8EHA.2196@TK2MSFTNGP11.phx.gbl>, Herb Martin
<news@LearnQuick.com> Tue, 4 Jan 2005 22:20:33 writes

>None of the books tell you that -- most authors (and therefore admins)
>continue to think of Local groups as primarily representing USERS
>instead of a set of resources.

You have expressed my own thoughts in a few words - I just could not get
at the right ones.

Groups Users and Family (my invention - in case it actually exists) are
chalk and cheese.

Users is an attribute of a logged-on profile and not what I would call a
group. It should not be possible to put an actual user into group
Users. That is a bit like grouping the residents of the UK and putting
the Prime Minister in group Human :)

I rest my case.
--
Les Desser
(The Reply-to address IS valid)
 
Archived from groups: microsoft.public.win2000.security

In article <e9AWUQu8EHA.2900@TK2MSFTNGP09.phx.gbl>, Roger Abell
<mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:07:43 writes

>I can see the point of view, but in larger environments seeing that a
>groupX is composed of groupA, groupB, and groupC, whereas groupY is
>composed of groupA and groupD only is highly useful, where groupA, B,
>C, D, etc. are fundamental categories of accounts, such as by roles
>that they hold in the corp (or family). The alternative, just seeing a
>long list of users in groupX and groupY is error prone.

I agree - I withdraw my original statement.

I just wish that the definition of a group would not be muddied by
having special collections such as Users called the same as a group
created by human intelligence - see my reply to Herb a few minutes ago.
--
Les Desser
(The Reply-to address IS valid)
 
Archived from groups: microsoft.public.win2000.security

> I just wish that the definition of a group would not be muddied by
> having special collections such as Users called the same as a group
> created by human intelligence - see my reply to Herb a few minutes ago.

I would really need to disagree with this (false)
distinction -- Users is indeed in every sense a
Group.

It just happens to be a Built-In Group with built-in
behavior which can be critical to getting a system
to work by default.

Even Everyone is a group in the true sense although
this class has its own name as well: Special Groups.

(Of course it isn't a very GOOD name <grin> and
should have been called Automatic or perhaps best
would have been Dynamic Groups since the OS
automatically assigns users to the special groups
automatically and dynamically when they meet
certain conditions.)

--
Herb Martin


"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:25pbuzP85E3BFASV@dessergroup.onetel.co.uk...
> In article <e9AWUQu8EHA.2900@TK2MSFTNGP09.phx.gbl>, Roger Abell
> <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:07:43 writes
>
> >I can see the point of view, but in larger environments seeing that a
> >groupX is composed of groupA, groupB, and groupC, whereas groupY is
> >composed of groupA and groupD only is highly useful, where groupA, B,
> >C, D, etc. are fundamental categories of accounts, such as by roles
> >that they hold in the corp (or family). The alternative, just seeing a
> >long list of users in groupX and groupY is error prone.
>
> I agree - I withdraw my original statement.
>
> --
> Les Desser
> (The Reply-to address IS valid)
 
Archived from groups: microsoft.public.win2000.security

As Herb indicated Users is a group.
Nothing magic about it. The membership of Users is
clearly viewable, and Users contains nothing other than
what is there, clearly viewable.

Today, the use made of Users would fit IMO fairly
closely to "the group that allows its members to log
into the machine at the keyboard and use it".
In other words, the Users group is pretty much the
grouping of accounts that can use the machine.

There are groups, just plain old normal groups,
like Users. These come in two forms. The predefined
groups and what I term custom groups which have been
defined by the user/owner of the machine.

There are a couple of kinds of things that are used as if
they were groups and/or that function like groups, but
over the membership in which one has no control.
These are things like Everyone, Authenticated Users,
Interactive, Network, Anonymous Users, Creator Owner,
Creator Group, Self, ... These all have set, defined
meanings and uses, which I believe you could discover
by reading into the Resource Kits.
www.reskits.com

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:25pbuzP85E3BFASV@dessergroup.onetel.co.uk...
> In article <e9AWUQu8EHA.2900@TK2MSFTNGP09.phx.gbl>, Roger Abell
> <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:07:43 writes
>
> >I can see the point of view, but in larger environments seeing that a
> >groupX is composed of groupA, groupB, and groupC, whereas groupY is
> >composed of groupA and groupD only is highly useful, where groupA, B,
> >C, D, etc. are fundamental categories of accounts, such as by roles
> >that they hold in the corp (or family). The alternative, just seeing a
> >long list of users in groupX and groupY is error prone.
>
> I agree - I withdraw my original statement.
>
> I just wish that the definition of a group would not be muddied by
> having special collections such as Users called the same as a group
> created by human intelligence - see my reply to Herb a few minutes ago.
> --
> Les Desser
> (The Reply-to address IS valid)
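Les asked earlier where this nesting can be seen on the system, and Roger's post above separates ordinary groups (Users, custom groups) from the identities the OS adds to a token by itself (Everyone, Authenticated Users, Interactive, Network). As an added example that is not from this thread, nor a Windows API, here is a small model of how a logon token ends up with its group SIDs: the explicit membership that `net localgroup Users` would list, plus the logon-type identities, plus every local group reached transitively through nesting. The well-known SIDs are the real ones; the account and custom-group SIDs, the "Visitor" account and the "Family" group are constructed placeholders.

```python
"""Model of how a Windows logon token accumulates group SIDs.

Constructed example modelling the behaviour described in this thread;
it is not a Windows API, and the account/group SIDs are placeholders.
"""

# Well-known SIDs (these values are the real ones).
EVERYONE = "S-1-1-0"
NETWORK = "S-1-5-2"
INTERACTIVE = "S-1-5-4"
AUTHENTICATED_USERS = "S-1-5-11"
ADMINISTRATORS = "S-1-5-32-544"
USERS = "S-1-5-32-545"

# Constructed machine-local SIDs for the sample accounts and custom group.
LES = "S-1-5-21-1-2-3-1001"      # the machine owner's account
VISITOR = "S-1-5-21-1-2-3-1002"  # the "Visitor" account from the thread
FAMILY = "S-1-5-21-1-2-3-1005"   # custom group created by the owner

# Explicit membership, i.e. exactly what "net localgroup <group>" lists.
# Default nesting: Users contains Interactive and Authenticated Users.
DEFAULT_LOCAL_GROUPS = {
    ADMINISTRATORS: {LES},
    USERS: {INTERACTIVE, AUTHENTICATED_USERS},
    FAMILY: {VISITOR},
}

# Identities the OS places in the token itself, depending on the logon type.
LOGON_IDENTITIES = {
    "interactive": {EVERYONE, AUTHENTICATED_USERS, INTERACTIVE},
    "network": {EVERYONE, AUTHENTICATED_USERS, NETWORK},
}


def token_groups(account_sid, logon_type="interactive", local_groups=DEFAULT_LOCAL_GROUPS):
    """Return every SID an access check would see in the account's token.

    Start from the account plus the logon-type identities, then keep adding
    any local group that contains something already in the token until
    nothing changes (nested membership is transitive).
    """
    sids = {account_sid} | LOGON_IDENTITIES[logon_type]
    changed = True
    while changed:
        changed = False
        for group, members in local_groups.items():
            if group not in sids and members & sids:
                sids.add(group)
                changed = True
    return frozenset(sids)


def is_effective_member(account_sid, group_sid, logon_type="interactive",
                        local_groups=DEFAULT_LOCAL_GROUPS):
    """True if the account would pass an ACL check that names group_sid."""
    return group_sid in token_groups(account_sid, logon_type, local_groups)


def membership_route(account_sid, group_sid, logon_type="interactive",
                     local_groups=DEFAULT_LOCAL_GROUPS):
    """Which members of group_sid let the account in (the 'hidden route');
    None when the account is not an effective member at all."""
    sids = token_groups(account_sid, logon_type, local_groups)
    if group_sid not in sids:
        return None
    return sorted(local_groups.get(group_sid, set()) & sids)


def without_dynamic_nesting(local_groups=DEFAULT_LOCAL_GROUPS):
    """Copy of the group table with Interactive and Authenticated Users
    removed from Users: the change Roger warns must be understood first."""
    trimmed = {g: set(m) for g, m in local_groups.items()}
    trimmed[USERS] -= {INTERACTIVE, AUTHENTICATED_USERS}
    return trimmed


if __name__ == "__main__":
    print("Visitor explicitly in Users:", VISITOR in DEFAULT_LOCAL_GROUPS[USERS])
    print("Visitor effectively in Users:", is_effective_member(VISITOR, USERS))
    print("via:", membership_route(VISITOR, USERS))
    print("after removing the nested identities:",
          is_effective_member(VISITOR, USERS, local_groups=without_dynamic_nesting()))
```

The model reproduces what Roger says: Visitor is never listed in Users, yet every interactive or network logon carries Authenticated Users, and Users contains that identity, so an ACL entry for Users applies to Visitor anyway. Removing the two nested identities from Users is the only way to make "not listed in Users" mean "not treated as Users", which is why Roger says one must first know what those entries were enabling. On a real machine the explicit list is `net localgroup Users`, and the resulting token can be inspected with `whoami /groups` (shipped with later Windows versions; a Resource Kit tool on Windows 2000).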