
Shared permissions vs. security

Last response: in Windows 2000/NT
Anonymous
May 19, 2005 1:55:31 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I have been trying to make our network more secure by setting each
workstation hard drive shared between Domain Admins with Full Control rights.

What is the difference between setting this permission and selecting the
Security tab to have the same permissions except adding the SYSTEM and user
at that workstation?

We have W2K SP4 workstations on a SBS 2003 server.
Anonymous
May 20, 2005 1:25:07 AM

System basically means operating system and you generally want to give
system full control as it would have by default. Not having the system with
full control possibly can break some things with backups being an example of
a possibility.

If you add "user" or a user account then that user will have full control
over that folder/file which means that the user can read, list, execute,
write, delete, and change permissions. Generally this is considered
excessive permissions for a user other than something like their home folder
or user profile folder. A basic security principle is that of least
privilege which means a user will only have the necessary rights and
permissions to do their job. Then they will be much less likely to
accidentally delete folders/files or install software that they should not -
maybe even a Trojan. The link below explains more on folder permissions.

http://support.microsoft.com/default.aspx?kbid=300691
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308419 --- mostly
applies to Windows 2000 also

Your subject mentions "shared". If you mean network shares then keep in mind
that share permissions work together with folder/ntfs permissions. Share
permissions only apply when a user accesses a share via the network.
Folder/ntfs permissions apply to a local logon or network access. If share
permissions conflict with folder/ntfs permissions for a network user the
most restrictive permission will apply to the user. In other words if a user
has only read access to a share but full control to the folder/ntfs
permissions, that user will only have read/list/execute access over the
network for the share contents. --- Steve



"Carl Gross" <CarlGross@discussions.microsoft.com> wrote in message
news:11866EDF-64D0-481C-A70B-89E483C48D01@microsoft.com...
>I have been trying to make our network more secure by setting each
> workstation hardrive shared between Domain Admins with Full Control
> rights.
>
> What is the difference between setting this permission and selecting the
> Security tab to have the same permissions except adding the SYSTEM and
> user
> at that workstation?
>
> We have W2K SP4 workstations on a SBS 2003 server.
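The rule in the reply above (share permissions are checked only for network access, NTFS permissions always, and the more restrictive result wins) can be modelled as the intersection of two access checks. The following is an added example, not code from the thread: the account names and ACLs are constructed, the rights are reduced to four flags, and deny handling is simplified to "an explicit deny always wins".

```python
from dataclasses import dataclass
from enum import Flag, auto


class Right(Flag):
    READ = auto()          # read / list / execute
    WRITE = auto()
    DELETE = auto()        # what "modify" adds on top of write
    CHANGE_PERMS = auto()  # what "full control" adds on top of modify


READ_ONLY = Right.READ
MODIFY = Right.READ | Right.WRITE | Right.DELETE
FULL_CONTROL = MODIFY | Right.CHANGE_PERMS
NO_ACCESS = Right(0)


@dataclass(frozen=True)
class Ace:
    trustee: str           # user or group name the entry applies to
    rights: Right
    deny: bool = False


def granted(acl, principals):
    """Rights one ACL gives to a user, given the user's name and groups.

    Allow entries accumulate across every matching trustee; any matching
    deny entry removes its rights from the total (simplified model).
    """
    allowed = denied = NO_ACCESS
    for ace in acl:
        if ace.trustee in principals:
            if ace.deny:
                denied |= ace.rights
            else:
                allowed |= ace.rights
    return allowed & ~denied


def effective_access(principals, ntfs_acl, share_acl, over_network):
    """NTFS ACL always applies; the share ACL only narrows network access."""
    ntfs = granted(ntfs_acl, principals)
    if not over_network:
        return ntfs                      # local logon: share ACL is ignored
    return ntfs & granted(share_acl, principals)


# Constructed sample data (hypothetical accounts, not from the thread).
REGULAR_USER = {"intern1", "Users", "Everyone"}
DOMAIN_ADMIN = {"admin1", "Domain Admins", "Administrators", "Everyone"}

# Security tab (NTFS) of the shared folder.
NTFS_ACL = [
    Ace("Administrators", FULL_CONTROL),
    Ace("SYSTEM", FULL_CONTROL),
    Ace("Users", FULL_CONTROL),
]
# Case from the reply: read-only share in front of a full-control folder.
SHARE_READ = [Ace("Everyone", READ_ONLY)]
# Case from the question: the share lists Domain Admins only.
SHARE_ADMINS_ONLY = [Ace("Domain Admins", FULL_CONTROL)]


if __name__ == "__main__":
    cases = [
        ("user, read share, network", REGULAR_USER, SHARE_READ, True),
        ("user, read share, local", REGULAR_USER, SHARE_READ, False),
        ("user, admins-only share, network", REGULAR_USER, SHARE_ADMINS_ONLY, True),
        ("user, admins-only share, local", REGULAR_USER, SHARE_ADMINS_ONLY, False),
        ("admin, admins-only share, network", DOMAIN_ADMIN, SHARE_ADMINS_ONLY, True),
    ]
    for label, who, share, net in cases:
        print(f"{label:36} -> {effective_access(who, NTFS_ACL, share, net)!r}")
```

The admins-only share closes network access for ordinary users, but the permissive Security-tab entry still gives the same user full control at a local logon, which is why the two settings are not interchangeable.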
Anonymous
May 20, 2005 3:17:20 PM

Can you recommend a security setting that I can enter to keep viruses like
Backdoor.Trojan from propagating through (allowing people to work on the
network and yet not allow THINGS or hackers permission to run amok)?

"Carl Gross" wrote:

> I have been trying to make our network more secure by setting each
> workstation hardrive shared between Domain Admins with Full Control rights.
>
> What is the difference between setting this permission and selecting the
> Security tab to have the same permissions except adding the SYSTEM and user
> at that workstation?
>
> We have W2K SP4 workstations on a SBS 2003 server.
Anonymous
May 20, 2005 6:04:23 PM

I can't recommend settings but use the principle of least privilege. If a
user does not need to write to a share then give them only read/list/execute
permissions.

As far as hackers and worms make sure that users are forced to use strong
passwords via security policy, that the users are not local administrators
if they do not need be, that you keep all your computers current with
critical security updates from Windows updates, that all computers have
antivirus installed that can keep itself current with updates automatically
and that the antivirus runs in autoprotect mode and scans ALL email
attachments, and you have a firewall that protects your network. Microsoft
makes a free tool called Microsoft Baseline Security Analyzer that can scan
all your computers looking for basic vulnerabilities as shown at the link
below.

http://www.microsoft.com/technet/security/tools/mbsahom...

Microsoft also offers a free guide called Antivirus in Depth that is excellent
in educating users on what malware is, how it propagates, how to detect it,
how to eliminate it, and how to prevent it. See the link below if
interested. The last link is an online guide from Microsoft for securing
small businesses. --- Steve

http://www.microsoft.com/technet/security/topics/server...
--- Anti Virus in Depth.
http://www.microsoft.com/smallbusiness/gtm/securityguid...


"Carl Gross" <CarlGross@discussions.microsoft.com> wrote in message
news:18033C22-B195-4B50-91B8-208938BB23EE@microsoft.com...
> Can you recommend a security setting that I can enter to keep viruses like
> Backdoor.Trojan from propogating through (allowing people to work on the
> network and yet not allow THINGS or hackers permission to run amock).
>
> "Carl Gross" wrote:
>
>> I have been trying to make our network more secure by setting each
>> workstation hardrive shared between Domain Admins with Full Control
>> rights.
>>
>> What is the difference between setting this permission and selecting the
>> Security tab to have the same permissions except adding the SYSTEM and
>> user
>> at that workstation?
>>
>> We have W2K SP4 workstations on a SBS 2003 server.
Anonymous
May 27, 2005 2:14:04 PM

I have had to make some changes to some of the shares and groups because they
were too insecure. Since then, I have had to add each user manually to each
workstation with Power User privileges in order to do anything.

I have also been changing the Security settings on each person's hard drive
(default is Everyone - Full Control) and in some cases I need to make them
Administrators to make install/uninstall easier. This works on most people,
but some are perplexing me by not allowing me to install some software
(antivirus updates in particular) and saving of temporary files for network
applications.

"Steven L Umbach" wrote:

> I can't recommend settings but use the principle of least privilege. If a
> user does not need to write to a share then give them only read.list/execute
> permissions.
>
> As far as hackers and worms make sure that users are forced to use strong
> passwords via security policy, that the users are not local administrators
> if they do not need be, that you keep all your computers current with
> critical security updates from Windows updates, that all computers have
> antivirus installed that can keep itself current with updates automatically
> and that the antivirus runs in autoprotect mode and scans ALL email
> attachments, and you have a firewall that protects your network. Microsoft
> makes a free tool called Microsoft Baseline Security Analyzer that can scan
> all your computers looking for basic vulnerabilities as shown at the link
> below.
>
> http://www.microsoft.com/technet/security/tools/mbsahom...
>
> Microsoft also offers a free guide call Antivirus in Depth that is excellent
> in education users on what malware is, how it propagates, how to detect it,
> how to eliminate it, and how to prevent it. See the link below if
> interested. The last link is a online guide from Microsoft for securing
> small businesses. --- Steve
>
> http://www.microsoft.com/technet/security/topics/server...
> --- Anti Virus in Depth.
> http://www.microsoft.com/smallbusiness/gtm/securityguid...
>
>
> "Carl Gross" <CarlGross@discussions.microsoft.com> wrote in message
> news:18033C22-B195-4B50-91B8-208938BB23EE@microsoft.com...
> > Can you recommend a security setting that I can enter to keep viruses like
> > Backdoor.Trojan from propogating through (allowing people to work on the
> > network and yet not allow THINGS or hackers permission to run amock).
> >
> > "Carl Gross" wrote:
> >
> >> I have been trying to make our network more secure by setting each
> >> workstation hardrive shared between Domain Admins with Full Control
> >> rights.
> >>
> >> What is the difference between setting this permission and selecting the
> >> Security tab to have the same permissions except adding the SYSTEM and
> >> user
> >> at that workstation?
> >>
> >> We have W2K SP4 workstations on a SBS 2003 server.
>
>
>
Anonymous
May 27, 2005 5:35:50 PM

Did you have to make the users power users or administrators only after you
changed permissions?? If so your changes are counterproductive in that they
caused the users to be members of privileged groups which is something you
want to avoid. There is nothing wrong with a user having full control or
write/modify permissions to a folder if that is what they need to do their
job but a normal user would not need full control to everything like an
administrator would. For the drive root folder I usually give
administrators and system full control and users have read/list/execute.

Regular users will not be able to install most software and that will
require that an administrator do such or the use of Group Policy to assign
.msi applications to the user or computer via Group Policy. If you as an
administrator are having trouble installing an application or saving
temporary files then permissions are too restrictive to the related folders.
By default administrators and system have full control to all folders on the
computer. There are free tools such as filemon from SysInternals that can
help you track down when permissions are too restrictive. You could start
filemon right before you try to update the antivirus for instance and then
stop filemon from logging when the update fails and look in the filemon log
for "access denied" entries which will show what file/folder you need to
tweak permissions on.

http://www.sysinternals.com/ntw2k/source/filemon.shtml

In general when tweaking permissions start out with what you think should
work and if that fails allow greater permissions until everything works.
Windows Office applications can be a challenge in that they use temporary
files that the user needs write and modify permissions for so you will need
to give users greater permissions to those folders. Keep in mind that you
can use creator owner [usually shown and with full control by default] in
folder permissions so that the person who creates the file and becomes owner
will receive permissions that the creator owner shows.

To answer the question for your original concern about worms and hackers in
more detail be sure to follow these basic steps as a minimum.

-- Require all users to use a complex password and that they are
periodically changed and enforce via password policy. Make sure that users
do not share passwords. If users are not currently using strong passwords
make sure they are forced to do such because you can implement a new
password policy but until a user changes their password it will not be in
effect. No or weak passwords are by far the largest vulnerability you can
have on your network.

-- Verify that membership in the administrators group on all computers is
what you expect and kept to a minimum.

-- Use a properly configured firewall to protect your network and
periodically check it by doing a self scan at a site such as
http://scan.sygatetech.com/ .

-- Make sure that your computers are kept current with critical security
updates at Windows Updates. Your computers can be configured to do such
automatically. Use MBSA to scan your computers periodically to make sure
such is happening.

-- All computers must be running a quality antivirus program. That program
must scan ALL email attachments, be kept current with virus definitions
which can be done automatically, and run in "autoprotect" mode. At least
weekly full scans must be scheduled on each computer.

-- Disable unneeded services on all computers including file and print
sharing on workstations that do not need to offer shares/printers or be
managed remotely via Computer Management. MBSA can help check for unneeded
services.

-- Never logon to a domain workstation that is not a known secured admin
workstation as a domain administrator. Use a local administrator account
instead.

-- If at all possible make sure workstation users are regular users and not
administrators or power users.

Though having proper share permissions is important all the above is much
more important than share permissions to controlling worms and hackers. ---
Steve


"Carl Gross" <CarlGross@discussions.microsoft.com> wrote in message
news:8EB83F35-F6D8-4E28-A830-EFF305720C66@microsoft.com...
>I have had to make some changes to some of the shares and groups because
>they
> were too insecure. Since then, I have had to add each user manually to
> each
> workstation with Power User privileges in order to do enything.
>
> I have also been changing the Security settings on each persons hard drive
> (default is Everyone - Full Control) and in some cases I need to make them
> Administrators to make install/uninstall easier. This works on most
> people,
> but some are perplexing me by not allowing me to install some software
> (antivirus updates in particular) and saving of temporary files for
> network
> applications.
>
> "Steven L Umbach" wrote:
>
>> I can't recommend settings but use the principle of least privilege. If a
>> user does not need to write to a share then give them only
>> read.list/execute
>> permissions.
>>
>> As far as hackers and worms make sure that users are forced to use strong
>> passwords via security policy, that the users are not local
>> administrators
>> if they do not need be, that you keep all your computers current with
>> critical security updates from Windows updates, that all computers have
>> antivirus installed that can keep itself current with updates
>> automatically
>> and that the antivirus runs in autoprotect mode and scans ALL email
>> attachments, and you have a firewall that protects your network.
>> Microsoft
>> makes a free tool called Microsoft Baseline Security Analyzer that can
>> scan
>> all your computers looking for basic vulnerabilities as shown at the link
>> below.
>>
>> http://www.microsoft.com/technet/security/tools/mbsahom...
>>
>> Microsoft also offers a free guide call Antivirus in Depth that is
>> excellent
>> in education users on what malware is, how it propagates, how to detect
>> it,
>> how to eliminate it, and how to prevent it. See the link below if
>> interested. The last link is a online guide from Microsoft for securing
>> small businesses. --- Steve
>>
>> http://www.microsoft.com/technet/security/topics/server...
>> --- Anti Virus in Depth.
>> http://www.microsoft.com/smallbusiness/gtm/securityguid...
>>
>>
>> "Carl Gross" <CarlGross@discussions.microsoft.com> wrote in message
>> news:18033C22-B195-4B50-91B8-208938BB23EE@microsoft.com...
>> > Can you recommend a security setting that I can enter to keep viruses
>> > like
>> > Backdoor.Trojan from propogating through (allowing people to work on
>> > the
>> > network and yet not allow THINGS or hackers permission to run amock).
>> >
>> > "Carl Gross" wrote:
>> >
>> >> I have been trying to make our network more secure by setting each
>> >> workstation hardrive shared between Domain Admins with Full Control
>> >> rights.
>> >>
>> >> What is the difference between setting this permission and selecting
>> >> the
>> >> Security tab to have the same permissions except adding the SYSTEM and
>> >> user
>> >> at that workstation?
>> >>
>> >> We have W2K SP4 workstations on a SBS 2003 server.
>>
>>
>>
Anonymous
May 27, 2005 7:05:15 PM

So let's say I have for Local Security (set on the workstation HD) for an
Intern (let's say):

Administrator (Local) FC
Domain Admin FC
CREATOR OWNER FC
Intern Read/Write/List/Execute
SYSTEM FC
Intern Supervisor Read/Write/List/Execute

Would that give me the proper security? Maybe if I took away Domain Admin
(since I'm not supposed to log on as a domain admin)?

"Steven L Umbach" wrote:

> Did you have to make the users power users or administrators only after you
> changed permissions?? If so your changes are counterproductive in that they
> caused the users to be members of privileged groups which is something you
> want to avoid. There is nothing wrong with a user having full control or
> write/modify permissions to a folder if that is what they need to do their
> job but a normal user would not need full control to everything like an
> administrators would. For the drive root folder I usually give
> administrators and system full control and users have read/list/execute.
>
> Regular users will not be able to install most software and that will
> require that an administrator do such or the use of Group Policy to assign
> ..msi applications to the user or computer via Group Policy. If you as an
> administrator are having trouble installing an application or saving
> temporary files then permissions are too restrictive to the related folders.
> By default administrators and system have full control to all folders on the
> computer. There are free tools such as filemon from SysInternals that can
> help you track down when permissions are too restrictive. You could start
> filemon right before you try to update the antivirus for instance and then
> stop filemon from logging when the update fails and look in the filemon log
> for "access denied" entries which will show what file/folder you need to
> tweak permissions on.
>
> http://www.sysinternals.com/ntw2k/source/filemon.shtml
>
> In general when tweaking permissions start out with what you think should
> work and if that fails allow greater permissions until everything works.
> Windows Office applications can be a challenge in that they use temporary
> files that the user needs write and modify permissions for so you will need
> to give users greater permissions to those folders. Keep in mind that you
> can use creator owner [usually shown and with full control by default] in
> folder permissions so that the person who creates the file and becomes owner
> will receive permissions that the creator owner shows.
>
> To answer the question for your original concern about worms and hackers in
> more detail be sure to follow these basic steps as a minimum.
>
> -- Require all users to use a complex password and that they are
> periodically changed and enforce via password policy. Make sure that users
> do not share passwords. If users are not currently using strong passwords
> make sure they are forced to do such because you can implement a new
> password policy but until a user changes their password it will not be in
> effect. No or weak passwords are by far the largest vulnerability you can
> have on your network
>
> -- Verify that membership in the administrators group on all computers is
> what you expect and kept to a minimum.
>
> -- Use a properly configured firewall to protect your network and
> periodically check it by doing a self scan at a sites such as
> http://scan.sygatetech.com/ .
>
> -- Make sure that your computers are kept current with critical security
> updates at Windows Updates. Your computers can be configured to do such
> automatically. Use MBSA to scan your computers periodically to make sure
> such is happening.
>
> -- All computers must be running a quality antivirus program. That program
> must scan ALL email attachments, be kept current with virus definitions
> which can be done automatically, and run in "autoprotect" mode. At least
> weekly full scans must be scheduled on each computer.
>
> -- Disable unneeded services on all computers including file and print
> sharing on workstations that do not need to offer shares/printers or be
> managed remotely via Computer Management. MBSA can help check for unneeded
> services.
>
> -- Never logon to a domain workstation that is not a known secured admin
> workstation as a domain administrator. Use a local administrator account
> instead.
>
> -- If at all possible make sure workstation users are regular users and not
> administrators or power user.
>
> Though having proper share permissions is important all the above is much
> more important than share permissions to controlling worms and hackers. ---
> Steve
>
>
> "Carl Gross" <CarlGross@discussions.microsoft.com> wrote in message
> news:8EB83F35-F6D8-4E28-A830-EFF305720C66@microsoft.com...
> >I have had to make some changes to some of the shares and groups because
> >they
> > were too insecure. Since then, I have had to add each user manually to
> > each
> > workstation with Power User privileges in order to do enything.
> >
> > I have also been changing the Security settings on each persons hard drive
> > (default is Everyone - Full Control) and in some cases I need to make them
> > Administrators to make install/uninstall easier. This works on most
> > people,
> > but some are perplexing me by not allowing me to install some software
> > (antivirus updates in particular) and saving of temporary files for
> > network
> > applications.
> >
> > "Steven L Umbach" wrote:
> >
> >> I can't recommend settings but use the principle of least privilege. If a
> >> user does not need to write to a share then give them only
> >> read.list/execute
> >> permissions.
> >>
> >> As far as hackers and worms make sure that users are forced to use strong
> >> passwords via security policy, that the users are not local
> >> administrators
> >> if they do not need be, that you keep all your computers current with
> >> critical security updates from Windows updates, that all computers have
> >> antivirus installed that can keep itself current with updates
> >> automatically
> >> and that the antivirus runs in autoprotect mode and scans ALL email
> >> attachments, and you have a firewall that protects your network.
> >> Microsoft
> >> makes a free tool called Microsoft Baseline Security Analyzer that can
> >> scan
> >> all your computers looking for basic vulnerabilities as shown at the link
> >> below.
> >>
> >> http://www.microsoft.com/technet/security/tools/mbsahom...
> >>
> >> Microsoft also offers a free guide call Antivirus in Depth that is
> >> excellent
> >> in education users on what malware is, how it propagates, how to detect
> >> it,
> >> how to eliminate it, and how to prevent it. See the link below if
> >> interested. The last link is a online guide from Microsoft for securing
> >> small businesses. --- Steve
> >>
> >> http://www.microsoft.com/technet/security/topics/server...
> >> --- Anti Virus in Depth.
> >> http://www.microsoft.com/smallbusiness/gtm/securityguid...
> >>
> >>
> >> "Carl Gross" <CarlGross@discussions.microsoft.com> wrote in message
> >> news:18033C22-B195-4B50-91B8-208938BB23EE@microsoft.com...
> >> > Can you recommend a security setting that I can enter to keep viruses
> >> > like
> >> > Backdoor.Trojan from propogating through (allowing people to work on
> >> > the
> >> > network and yet not allow THINGS or hackers permission to run amock).
> >> >
> >> > "Carl Gross" wrote:
> >> >
> >> >> I have been trying to make our network more secure by setting each
> >> >> workstation hardrive shared between Domain Admins with Full Control
> >> >> rights.
> >> >>
> >> >> What is the difference between setting this permission and selecting
> >> >> the
> >> >> Security tab to have the same permissions except adding the SYSTEM and
> >> >> user
> >> >> at that workstation?
> >> >>
> >> >> We have W2K SP4 workstations on a SBS 2003 server.
> >>
> >>
> >>
>
>
>
Anonymous
May 27, 2005 10:03:50 PM

If they need to write to that folder [which should not be the drive/root
folder] then that would be correct. If they need to delete files then they
would also need modify. On a domain computer domain admins are in the local
administrators group by default so you are giving redundant permissions.
Simply give "administrators" full control instead of administrator and
domain admin. Keep in mind that on the "system" drive where the operating
system is installed that the drive/root folder permissions do not propagate
nor should be forced down to other folders such as \winnt, \documents and
settings\, or program files. The subfolders of a default installation
already have restricted permissions [as shown in first link below] where by
default regular users have no more than read/list/execute permissions to
everything but their profile folder and possibly parts of the all users
profile folder. If the drive in question is not a "system" drive but an
additional drive or partition then the permissions you set on the drive/root
folder will probably propagate down.

It is best practice not to logon as a domain admin to a domain workstation
that is not known to be 100 percent secure. The reason is a malicious user
could have installed a program to capture your keystrokes or
malware/malicious scripts could now have domain admin powers once you logon.
But that is your call though you did ask for ideas to reduce threats from
worms and hacking.

The second link below I found shows Microsoft's recommendation for the
drive/root folder permissions. --- Steve


http://support.microsoft.com/default.aspx?scid=kb;en-us;244600#appliesto
http://support.microsoft.com/?scid=327522


"Carl Gross" <CarlGross@discussions.microsoft.com> wrote in message
news:50669274-BD17-464B-A88A-A78C8788C1D0@microsoft.com...
> So lets say I have for Local Security (set on the workstation HD) for an
> Intern (lets say):
>
> Administrator (Local) FC
> Domain Admin FC
> CREATER OWNER FC
> Intern Read/Write/List/Execute
> SYSTEM FC
> Intern Supervisor Read/Write/List/Execute
>
> Would that give me the proper security? Maybe if I took away Domain Admin
> (since I'm not supposed to log on as a domain admin)?
>
> "Steven L Umbach" wrote:
>
>> Did you have to make the users power users or administrators only after
>> you
>> changed permissions?? If so your changes are counterproductive in that
>> they
>> caused the users to be members of privileged groups which is something
>> you
>> want to avoid. There is nothing wrong with a user having full control or
>> write/modify permissions to a folder if that is what they need to do
>> their
>> job but a normal user would not need full control to everything like an
>> administrators would. For the drive root folder I usually give
>> administrators and system full control and users have read/list/execute.
>>
>> Regular users will not be able to install most software and that will
>> require that an administrator do such or the use of Group Policy to
>> assign
>> ..msi applications to the user or computer via Group Policy. If you as an
>> administrator are having trouble installing an application or saving
>> temporary files then permissions are too restrictive to the related
>> folders.
>> By default administrators and system have full control to all folders on
>> the
>> computer. There are free tools such as filemon from SysInternals that can
>> help you track down when permissions are too restrictive. You could start
>> filemon right before you try to update the antivirus for instance and
>> then
>> stop filemon from logging when the update fails and look in the filemon
>> log
>> for "access denied" entries which will show what file/folder you need to
>> tweak permissions on.
>>
>> http://www.sysinternals.com/ntw2k/source/filemon.shtml
>>
>> In general when tweaking permissions start out with what you think should
>> work and if that fails allow greater permissions until everything works.
>> Windows Office applications can be a challenge in that they use temporary
>> files that the user needs write and modify permissions for so you will
>> need
>> to give users greater permissions to those folders. Keep in mind that you
>> can use creator owner [usually shown and with full control by default] in
>> folder permissions so that the person who creates the file and becomes
>> owner
>> will receive permissions that the creator owner shows.
>>
>> To answer the question for your original concern about worms and hackers
>> in
>> more detail be sure to follow these basic steps as a minimum.
>>
>> -- Require all users to use a complex password and that they are
>> periodically changed and enforce via password policy. Make sure that
>> users
>> do not share passwords. If users are not currently using strong passwords
>> make sure they are forced to do such because you can implement a new
>> password policy but until a user changes their password it will not be in
>> effect. No or weak passwords are by far the largest vulnerability you can
>> have on your network
>>
>> -- Verify that membership in the administrators group on all computers is
>> what you expect and kept to a minimum.
>>
>> -- Use a properly configured firewall to protect your network and
>> periodically check it by doing a self scan at a sites such as
>> http://scan.sygatetech.com/ .
>>
>> -- Make sure that your computers are kept current with critical security
>> updates at Windows Updates. Your computers can be configured to do such
>> automatically. Use MBSA to scan your computers periodically to make sure
>> such is happening.
>>
>> -- All computers must be running a quality antivirus program. That
>> program
>> must scan ALL email attachments, be kept current with virus definitions
>> which can be done automatically, and run in "autoprotect" mode. At least
>> weekly full scans must be scheduled on each computer.
>>
>> -- Disable unneeded services on all computers including file and print
>> sharing on workstations that do not need to offer shares/printers or be
>> managed remotely via Computer Management. MBSA can help check for
>> unneeded
>> services.
>>
>> -- Never logon to a domain workstation that is not a known secured admin
>> workstation as a domain administrator. Use a local administrator account
>> instead.
>>
>> -- If at all possible make sure workstation users are regular users and
>> not
>> administrators or power user.
>>
>> Though having proper share permissions is important all the above is much
>> more important than share permissions to controlling worms and
>> hackers. ---
>> Steve
>>
>>
>> "Carl Gross" <CarlGross@discussions.microsoft.com> wrote in message
>> news:8EB83F35-F6D8-4E28-A830-EFF305720C66@microsoft.com...
>> >I have had to make some changes to some of the shares and groups because
>> >they
>> > were too insecure. Since then, I have had to add each user manually to
>> > each
>> > workstation with Power User privileges in order to do enything.
>> >
>> > I have also been changing the Security settings on each persons hard
>> > drive
>> > (default is Everyone - Full Control) and in some cases I need to make
>> > them
>> > Administrators to make install/uninstall easier. This works on most
>> > people,
>> > but some are perplexing me by not allowing me to install some software
>> > (antivirus updates in particular) and saving of temporary files for
>> > network
>> > applications.
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> I can't recommend settings but use the principle of least privilege.
>> >> If a
>> >> user does not need to write to a share then give them only
>> >> read.list/execute
>> >> permissions.
>> >>
>> >> As far as hackers and worms make sure that users are forced to use
>> >> strong
>> >> passwords via security policy, that the users are not local
>> >> administrators
>> >> if they do not need be, that you keep all your computers current with
>> >> critical security updates from Windows updates, that all computers
>> >> have
>> >> antivirus installed that can keep itself current with updates
>> >> automatically
>> >> and that the antivirus runs in autoprotect mode and scans ALL email
>> >> attachments, and you have a firewall that protects your network.
>> >> Microsoft
>> >> makes a free tool called Microsoft Baseline Security Analyzer that can
>> >> scan
>> >> all your computers looking for basic vulnerabilities as shown at the
>> >> link
>> >> below.
>> >>
>> >> http://www.microsoft.com/technet/security/tools/mbsahom...
>> >>
>> >> Microsoft also offers a free guide call Antivirus in Depth that is
>> >> excellent
>> >> in education users on what malware is, how it propagates, how to
>> >> detect
>> >> it,
>> >> how to eliminate it, and how to prevent it. See the link below if
>> >> interested. The last link is a online guide from Microsoft for
>> >> securing
>> >> small businesses. --- Steve
>> >>
>> >> http://www.microsoft.com/technet/security/topics/server...
>> >> --- Anti Virus in Depth.
>> >> http://www.microsoft.com/smallbusiness/gtm/securityguid...
>> >>
>> >>
>> >> "Carl Gross" <CarlGross@discussions.microsoft.com> wrote in message
>> >> news:18033C22-B195-4B50-91B8-208938BB23EE@microsoft.com...
>> >> > Can you recommend a security setting that I can enter to keep
>> >> > viruses
>> >> > like
>> >> > Backdoor.Trojan from propogating through (allowing people to work on
>> >> > the
>> >> > network and yet not allow THINGS or hackers permission to run
>> >> > amock).
>> >> >
>> >> > "Carl Gross" wrote:
>> >> >
>> >> >> I have been trying to make our network more secure by setting each
>> >> >> workstation hardrive shared between Domain Admins with Full Control
>> >> >> rights.
>> >> >>
>> >> >> What is the difference between setting this permission and
>> >> >> selecting
>> >> >> the
>> >> >> Security tab to have the same permissions except adding the SYSTEM
>> >> >> and
>> >> >> user
>> >> >> at that workstation?
>> >> >>
>> >> >> We have W2K SP4 workstations on a SBS 2003 server.
>> >>
>> >>
>> >>
>>
>>
>>
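The review of the proposed Intern ACL in the last exchange can be expressed as a small check over a permission listing. This is an added example, not code from the thread: it encodes only the points made in the replies (SYSTEM keeps full control, a single Administrators entry replaces the local Administrator and Domain Admin entries, non-admin accounts do not get write on the drive root, and Everyone with Full Control is too broad), and the listing format and finding names are assumptions chosen for illustration.

```python
# Rights that let a trustee change content or permissions.
WRITE_LIKE = {"write", "modify", "change permissions"}
FULL = {"read", "list", "execute", "write", "modify", "change permissions"}

# Built-in entries that are expected on the root and are not reviewed as users.
BUILTIN_OK = {"system", "creator owner", "administrators"}
# Entries the reply says are redundant with the local Administrators group.
REDUNDANT_ADMIN = {"administrator (local)", "domain admin", "domain admins"}


def parse_rights(text):
    """Turn 'FC' or 'Read/Write/List/Execute' into a set of lower-case rights."""
    token = text.strip().lower()
    if token == "fc":
        return set(FULL)
    return {part for part in token.split("/") if part}


def parse_acl(listing):
    """Parse lines of '<trustee> <rights>'; rights is the last token on the line."""
    entries = []
    for line in listing.strip().splitlines():
        trustee, rights = line.rsplit(None, 1)
        entries.append((trustee.strip(), parse_rights(rights)))
    return entries


def review_root_acl(entries):
    """Return (finding, trustee) pairs for a drive-root ACL, in listing order."""
    findings = []
    for trustee, rights in entries:
        key = trustee.lower()
        if key in BUILTIN_OK:
            continue
        if key in REDUNDANT_ADMIN:
            findings.append(("use-administrators-group", trustee))
        elif key == "everyone" and "change permissions" in rights:
            findings.append(("everyone-full-control", trustee))
        elif rights & WRITE_LIKE:
            findings.append(("non-admin-write-on-root", trustee))
    system_rights = [r for t, r in entries if t.lower() == "system"]
    if not any("change permissions" in r for r in system_rights):
        findings.append(("system-lacks-full-control", "SYSTEM"))
    return findings


# The listing proposed in the thread, with CREATOR OWNER spelled out.
PROPOSED = """
Administrator (Local) FC
Domain Admin FC
CREATOR OWNER FC
Intern Read/Write/List/Execute
SYSTEM FC
Intern Supervisor Read/Write/List/Execute
"""

# Drive-root ACL along the lines the reply describes (constructed listing).
TIGHTENED = """
Administrators FC
SYSTEM FC
CREATOR OWNER FC
Users Read/List/Execute
"""

# The default the poster mentions for the workstation drives (constructed listing).
DEFAULT_OPEN = """
Everyone FC
"""

if __name__ == "__main__":
    for name, listing in (("proposed", PROPOSED), ("tightened", TIGHTENED),
                          ("default", DEFAULT_OPEN)):
        print(name, review_root_acl(parse_acl(listing)))
```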