Shared permissions vs. security

Archived from groups: microsoft.public.win2000.security

I have been trying to make our network more secure by setting each
workstation hard drive shared between Domain Admins with Full Control rights.

What is the difference between setting this permission and selecting the
Security tab to have the same permissions except adding the SYSTEM and user
at that workstation?

We have W2K SP4 workstations on a SBS 2003 server.
  1.

    System basically means operating system and you generally want to give
    system full control as it would have by default. Not having the system with
    full control possibly can break some things with backups being an example of
    a possibility.

    If you add "user" or a user account then that user will have full control
    over that folder/file which means that the user can read, list, execute,
    write, delete, and change permissions. Generally this is considered
    excessive permissions for a user other than something like their home folder
    or user profile folder. A basic security principle is that of least
    privilege which means a user will only have the necessary rights and
    permissions to do their job. Then they will be much less likely to
    accidentally delete folders/files or install software that they should not -
    maybe even a Trojan. The link below explains more on folder permissions.

    http://support.microsoft.com/default.aspx?kbid=300691
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;308419 --- mostly
    applies to Windows 2000 also

    Your subject mentions "shared". If you mean network shares then keep in mind
    that share permissions work together with folder/ntfs permissions. Share
    permissions only apply when a user accesses a share via the network.
    Folder/ntfs permissions apply to a local logon or network access. If share
    permissions conflict with folder/ntfs permissions for a network user the
    most restrictive permission will apply to the user. In other words, if a user
    has only read access to a share but full control to the folder/ntfs
    permissions, that user will only have read/list/execute access over the
    network for the share contents. --- Steve


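The rule described in reply 1 (share permissions apply only over the network, folder/NTFS permissions always apply, and the most restrictive result wins) can be modelled in a few lines. This is an added example, not part of the original thread; the simplified rights flags, the `intern` account and the group names are assumptions made for illustration.

```python
from enum import IntFlag


class Access(IntFlag):
    NONE = 0
    READ = 1
    EXECUTE = 2        # traverse folder / list contents / run files
    WRITE = 4
    DELETE = 8
    CHANGE_PERMS = 16  # change permissions, take ownership


# Simplified permission levels as used in the thread.
READ_EXECUTE = Access.READ | Access.EXECUTE
MODIFY = READ_EXECUTE | Access.WRITE | Access.DELETE
FULL_CONTROL = MODIFY | Access.CHANGE_PERMS


def layer_rights(acl, identities):
    """Rights one ACL (share or NTFS) gives a user.

    acl: list of (trustee, "allow" | "deny", mask).
    identities: the user's account plus every group it belongs to.
    Allows accumulate across groups; any matching deny removes the right.
    """
    allowed = Access.NONE
    denied = Access.NONE
    for trustee, kind, mask in acl:
        if trustee not in identities:
            continue
        if kind == "deny":
            denied |= mask
        else:
            allowed |= mask
    return allowed & ~denied


def effective_access(share_acl, ntfs_acl, identities, over_network):
    """NTFS rights always apply; share rights are intersected only for network access."""
    ntfs = layer_rights(ntfs_acl, identities)
    if not over_network:
        return ntfs
    return ntfs & layer_rights(share_acl, identities)


def describe(mask):
    names = [f.name for f in (Access.READ, Access.EXECUTE, Access.WRITE,
                              Access.DELETE, Access.CHANGE_PERMS) if f in mask]
    return "/".join(names) if names else "none"


# Constructed identities (assumptions, not from the thread).
INTERN = {"intern", "Users", "Everyone"}
ADMIN = {"admin", "Domain Admins", "Administrators", "Everyone"}

# Case from reply 1: read on the share, full control on the folder.
SHARE_READ = [("Users", "allow", READ_EXECUTE)]
NTFS_FULL = [("Users", "allow", FULL_CONTROL)]

# Case from the question: share limited to Domain Admins, but the drive still
# carries the default "Everyone - Full Control" NTFS entry.
SHARE_ADMINS_ONLY = [("Domain Admins", "allow", FULL_CONTROL)]
NTFS_DEFAULT = [("Everyone", "allow", FULL_CONTROL)]

# Drive-root ACL of the kind suggested later in the thread.
NTFS_TIGHT = [("Administrators", "allow", FULL_CONTROL),
              ("SYSTEM", "allow", FULL_CONTROL),
              ("Users", "allow", READ_EXECUTE)]

if __name__ == "__main__":
    cases = [
        ("read share + full NTFS, network", SHARE_READ, NTFS_FULL, INTERN, True),
        ("read share + full NTFS, local", SHARE_READ, NTFS_FULL, INTERN, False),
        ("admins-only share, intern, network", SHARE_ADMINS_ONLY, NTFS_DEFAULT, INTERN, True),
        ("admins-only share, intern, local", SHARE_ADMINS_ONLY, NTFS_DEFAULT, INTERN, False),
        ("tightened root, intern, local", SHARE_ADMINS_ONLY, NTFS_TIGHT, INTERN, False),
    ]
    for label, share, ntfs, who, net in cases:
        print(f"{label:38} -> {describe(effective_access(share, ntfs, who, net))}")
```

The fourth case is the one that matters for the original question: restricting the share to Domain Admins does nothing for someone logged on at the workstation while the folder ACL still grants Everyone full control.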
  2.

    Can you recommend a security setting that I can enter to keep viruses like
    Backdoor.Trojan from propagating through (allowing people to work on the
    network and yet not allow THINGS or hackers permission to run amok).

  3.

    I can't recommend settings but use the principle of least privilege. If a
    user does not need to write to a share then give them only read/list/execute
    permissions.

    As far as hackers and worms make sure that users are forced to use strong
    passwords via security policy, that the users are not local administrators
    if they do not need to be, that you keep all your computers current with
    critical security updates from Windows updates, that all computers have
    antivirus installed that can keep itself current with updates automatically
    and that the antivirus runs in autoprotect mode and scans ALL email
    attachments, and you have a firewall that protects your network. Microsoft
    makes a free tool called Microsoft Baseline Security Analyzer that can scan
    all your computers looking for basic vulnerabilities as shown at the link
    below.

    http://www.microsoft.com/technet/security/tools/mbsahome.mspx

    Microsoft also offers a free guide called Antivirus in Depth that is excellent
    in educating users on what malware is, how it propagates, how to detect it,
    how to eliminate it, and how to prevent it. See the link below if
    interested. The last link is an online guide from Microsoft for securing
    small businesses. --- Steve

    http://www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx
    --- Anti Virus in Depth.
    http://www.microsoft.com/smallbusiness/gtm/securityguidance/hub.mspx


  4.

    I have had to make some changes to some of the shares and groups because they
    were too insecure. Since then, I have had to add each user manually to each
    workstation with Power User privileges in order to do anything.

    I have also been changing the Security settings on each person's hard drive
    (default is Everyone - Full Control) and in some cases I need to make them
    Administrators to make install/uninstall easier. This works on most people,
    but some are perplexing me by not allowing me to install some software
    (antivirus updates in particular) and saving of temporary files for network
    applications.

  5.

    Did you have to make the users power users or administrators only after you
    changed permissions?? If so your changes are counterproductive in that they
    caused the users to be members of privileged groups which is something you
    want to avoid. There is nothing wrong with a user having full control or
    write/modify permissions to a folder if that is what they need to do their
    job but a normal user would not need full control to everything like an
    administrator would. For the drive root folder I usually give
    administrators and system full control and users have read/list/execute.

    Regular users will not be able to install most software and that will
    require that an administrator do such or the use of Group Policy to assign
    .msi applications to the user or computer via Group Policy. If you as an
    administrator are having trouble installing an application or saving
    temporary files then permissions are too restrictive to the related folders.
    By default administrators and system have full control to all folders on the
    computer. There are free tools such as filemon from SysInternals that can
    help you track down when permissions are too restrictive. You could start
    filemon right before you try to update the antivirus for instance and then
    stop filemon from logging when the update fails and look in the filemon log
    for "access denied" entries which will show what file/folder you need to
    tweak permissions on.

    http://www.sysinternals.com/ntw2k/source/filemon.shtml

    In general when tweaking permissions start out with what you think should
    work and if that fails allow greater permissions until everything works.
    Windows Office applications can be a challenge in that they use temporary
    files that the user needs write and modify permissions for so you will need
    to give users greater permissions to those folders. Keep in mind that you
    can use creator owner [usually shown and with full control by default] in
    folder permissions so that the person who creates the file and becomes owner
    will receive permissions that the creator owner shows.

    To answer the question for your original concern about worms and hackers in
    more detail be sure to follow these basic steps as a minimum.

    -- Require all users to use a complex password and that they are
    periodically changed and enforce via password policy. Make sure that users
    do not share passwords. If users are not currently using strong passwords
    make sure they are forced to do such because you can implement a new
    password policy but until a user changes their password it will not be in
    effect. No or weak passwords are by far the largest vulnerability you can
    have on your network.

    -- Verify that membership in the administrators group on all computers is
    what you expect and kept to a minimum.

    -- Use a properly configured firewall to protect your network and
    periodically check it by doing a self scan at a site such as
    http://scan.sygatetech.com/ .

    -- Make sure that your computers are kept current with critical security
    updates at Windows Updates. Your computers can be configured to do such
    automatically. Use MBSA to scan your computers periodically to make sure
    such is happening.

    -- All computers must be running a quality antivirus program. That program
    must scan ALL email attachments, be kept current with virus definitions
    which can be done automatically, and run in "autoprotect" mode. At least
    weekly full scans must be scheduled on each computer.

    -- Disable unneeded services on all computers including file and print
    sharing on workstations that do not need to offer shares/printers or be
    managed remotely via Computer Management. MBSA can help check for unneeded
    services.

    -- Never logon to a domain workstation that is not a known secured admin
    workstation as a domain administrator. Use a local administrator account
    instead.

    -- If at all possible make sure workstation users are regular users and not
    administrators or power users.

    Though having proper share permissions is important all the above is much
    more important than share permissions to controlling worms and hackers. ---
    Steve


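The filemon workflow described in reply 5 (capture during the failing update, then look for "access denied" entries) is easier to act on when the denials are grouped by process and folder. This is an added example, not part of the original thread; the tab-separated column layout (sequence, time, process, request, path, result, other) and every sample row are assumptions constructed for illustration, so adjust the field positions to match the log you actually saved.

```python
import ntpath
from collections import defaultdict

# Constructed sample rows (assumed layout: seq, time, process:pid, request,
# path, result, other). Product and file names are placeholders.
SAMPLE_ROWS = [
    ("1", "10:14:02", "avupdate.exe:1204", "OPEN",
     r"C:\Program Files\ExampleAV\defs\sig.dat", "SUCCESS", ""),
    ("2", "10:14:02", "avupdate.exe:1204", "CREATE",
     r"C:\Program Files\ExampleAV\defs\sig.tmp", "ACCESS DENIED", ""),
    ("3", "10:14:03", "avupdate.exe:1204", "WRITE",
     r"C:\Program Files\ExampleAV\defs\sig.dat", "ACCESS DENIED", ""),
    ("4", "10:14:05", "explorer.exe:880", "OPEN",
     r"C:\WINNT\system32\shell32.dll", "SUCCESS", ""),
    ("5", "10:14:09", "winword.exe:2210", "CREATE",
     r"C:\Temp\~WRD0001.tmp", "Access Denied", ""),
]
SAMPLE_LOG = ("\n".join("\t".join(row) for row in SAMPLE_ROWS)
              + "\nthis line is not a log record\n")


def denied_folders(log_text):
    """Group ACCESS DENIED results by (process, folder).

    Returns a list of (process, folder, count, requests) tuples, most
    frequently denied first, where requests is the sorted list of operation
    types that failed. The failed request type hints at which right is
    missing (CREATE/WRITE -> write, DELETE -> modify).
    """
    hits = defaultdict(lambda: {"count": 0, "requests": set()})
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue  # header, blank or truncated line
        _seq, _time, process, request, path, result = fields[:6]
        if result.strip().upper() != "ACCESS DENIED":
            continue
        name = process.split(":")[0].strip().lower()  # drop the ":pid" suffix
        folder = ntpath.dirname(path.strip())         # Windows path rules on any OS
        entry = hits[(name, folder)]
        entry["count"] += 1
        entry["requests"].add(request.strip().upper())
    rows = [(proc, folder, h["count"], sorted(h["requests"]))
            for (proc, folder), h in hits.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    for proc, folder, count, requests in denied_folders(SAMPLE_LOG):
        print(f"{count:3}  {proc:14} {folder}  [{', '.join(requests)}]")
```

Granting the missing right on the specific folder the report names keeps the fix narrower than adding the user to Power Users or Administrators.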
  6.

    So let's say I have for Local Security (set on the workstation HD) for an
    Intern (let's say):

    Administrator (Local) FC
    Domain Admin FC
    CREATOR OWNER FC
    Intern Read/Write/List/Execute
    SYSTEM FC
    Intern Supervisor Read/Write/List/Execute

    Would that give me the proper security? Maybe if I took away Domain Admin
    (since I'm not supposed to log on as a domain admin)?

  7.

    If they need to write to that folder [which should not be the drive/root
    folder] then that would be correct. If they need to delete files then they
    would also need modify. On a domain computer domain admins are in the local
    administrators group by default so you are giving redundant permissions.
    Simply give "administrators" full control instead of administrator and
    domain admin. Keep in mind that on the "system" drive where the operating
    system is installed that the drive/root folder permissions do not propagate
    nor should be forced down to other folders such as \winnt, \documents and
    settings\, or program files. The subfolders of a default installation
    already have restricted permissions [as shown in first link below] where by
    default regular users have no more than read/list/execute permissions to
    everything but their profile folder and possibly parts of the all users
    profile folder. If the drive in question is not a "system" drive but an
    additional drive or partition then the permissions you set on the drive/root
    folder will probably propagate down.

    It is best practice not to logon as a domain admin to a domain workstation
    that is not known to be 100 percent secure. The reason is a malicious user
    could have installed a program to capture your keystrokes or
    malware/malicious scripts could now have domain admin powers once you logon.
    But that is your call though you did ask for ideas to reduce threats from
    worms and hacking.

    The second link below I found shows Microsoft's recommendation for the
    drive/root folder permissions. --- Steve


    http://support.microsoft.com/default.aspx?scid=kb;en-us;244600#appliesto
    http://support.microsoft.com/?scid=327522


    "Carl Gross" <CarlGross@discussions.microsoft.com> wrote in message
    news:50669274-BD17-464B-A88A-A78C8788C1D0@microsoft.com...
    > So lets say I have for Local Security (set on the workstation HD) for an
    > Intern (lets say):
    >
    > Administrator (Local) FC
    > Domain Admin FC
    > CREATER OWNER FC
    > Intern Read/Write/List/Execute
    > SYSTEM FC
    > Intern Supervisor Read/Write/List/Execute
    >
    > Would that give me the proper security? Maybe if I took away Domain Admin
    > (since I'm not supposed to log on as a domain admin)?
    >
    > "Steven L Umbach" wrote:
    >
    >> Did you have to make the users power users or administrators only after
    >> you
    >> changed permissions?? If so your changes are counterproductive in that
    >> they
    >> caused the users to be members of privileged groups which is something
    >> you
    >> want to avoid. There is nothing wrong with a user having full control or
    >> write/modify permissions to a folder if that is what they need to do
    >> their
    >> job but a normal user would not need full control to everything like an
    >> administrators would. For the drive root folder I usually give
    >> administrators and system full control and users have read/list/execute.
    >>
    >> Regular users will not be able to install most software and that will
    >> require that an administrator do such or the use of Group Policy to
    >> assign
    >> ..msi applications to the user or computer via Group Policy. If you as an
    >> administrator are having trouble installing an application or saving
    >> temporary files then permissions are too restrictive to the related
    >> folders.
    >> By default administrators and system have full control to all folders on
    >> the
    >> computer. There are free tools such as filemon from SysInternals that can
    >> help you track down when permissions are too restrictive. You could start
    >> filemon right before you try to update the antivirus for instance and
    >> then
    >> stop filemon from logging when the update fails and look in the filemon
    >> log
    >> for "access denied" entries which will show what file/folder you need to
    >> tweak permissions on.
    >>
    >> http://www.sysinternals.com/ntw2k/source/filemon.shtml
    >>
    >> In general when tweaking permissions start out with what you think should
    >> work and if that fails allow greater permissions until everything works.
    >> Windows Office applications can be a challenge in that they use temporary
    >> files that the user needs write and modify permissions for so you will
    >> need
    >> to give users greater permissions to those folders. Keep in mind that you
    >> can use creator owner [usually shown and with full control by default] in
    >> folder permissions so that the person who creates the file and becomes
    >> owner
    >> will receive permissions that the creator owner shows.
    >>
    >> To answer the question for your original concern about worms and hackers
    >> in
    >> more detail be sure to follow these basic steps as a minimum.
    >>
    >> -- Require all users to use a complex password and that they are
    >> periodically changed and enforce via password policy. Make sure that
    >> users
    >> do not share passwords. If users are not currently using strong passwords
    >> make sure they are forced to do such because you can implement a new
    >> password policy but until a user changes their password it will not be in
    >> effect. No or weak passwords are by far the largest vulnerability you can
    >> have on your network
    >>
    >> -- Verify that membership in the administrators group on all computers is
    >> what you expect and kept to a minimum.
    >>
    >> -- Use a properly configured firewall to protect your network and
    >> periodically check it by doing a self scan at a sites such as
    >> http://scan.sygatetech.com/ .
    >>
    >> -- Make sure that your computers are kept current with critical security
    >> updates at Windows Updates. Your computers can be configured to do such
    >> automatically. Use MBSA to scan your computers periodically to make sure
    >> such is happening.
    >>
    >> -- All computers must be running a quality antivirus program. That
    >> program
    >> must scan ALL email attachments, be kept current with virus definitions
    >> which can be done automatically, and run in "autoprotect" mode. At least
    >> weekly full scans must be scheduled on each computer.
    >>
    >> -- Disable unneeded services on all computers including file and print
    >> sharing on workstations that do not need to offer shares/printers or be
    >> managed remotely via Computer Management. MBSA can help check for
    >> unneeded
    >> services.
    >>
    >> -- Never logon to a domain workstation that is not a known secured admin
    >> workstation as a domain administrator. Use a local administrator account
    >> instead.
    >>
    >> -- If at all possible make sure workstation users are regular users and
    >> not
    >> administrators or power users.
    >>
    >> Though having proper share permissions is important all the above is much
    >> more important than share permissions to controlling worms and
    >> hackers. ---
    >> Steve
    >>
    >>
    >> "Carl Gross" <CarlGross@discussions.microsoft.com> wrote in message
    >> news:8EB83F35-F6D8-4E28-A830-EFF305720C66@microsoft.com...
    >> >I have had to make some changes to some of the shares and groups because
    >> >they
    >> > were too insecure. Since then, I have had to add each user manually to
    >> > each
    >> > workstation with Power User privileges in order to do anything.
    >> >
    >> > I have also been changing the Security settings on each person's hard
    >> > drive
    >> > (default is Everyone - Full Control) and in some cases I need to make
    >> > them
    >> > Administrators to make install/uninstall easier. This works on most
    >> > people,
    >> > but some are perplexing me by not allowing me to install some software
    >> > (antivirus updates in particular) and saving of temporary files for
    >> > network
    >> > applications.
    >> >
    >> > "Steven L Umbach" wrote:
    >> >
    >> >> I can't recommend settings but use the principle of least privilege.
    >> >> If a
    >> >> user does not need to write to a share then give them only
    >> >> read/list/execute
    >> >> permissions.
    >> >>
    >> >> As far as hackers and worms make sure that users are forced to use
    >> >> strong
    >> >> passwords via security policy, that the users are not local
    >> >> administrators
    >> >> if they do not need be, that you keep all your computers current with
    >> >> critical security updates from Windows updates, that all computers
    >> >> have
    >> >> antivirus installed that can keep itself current with updates
    >> >> automatically
    >> >> and that the antivirus runs in autoprotect mode and scans ALL email
    >> >> attachments, and you have a firewall that protects your network.
    >> >> Microsoft
    >> >> makes a free tool called Microsoft Baseline Security Analyzer that can
    >> >> scan
    >> >> all your computers looking for basic vulnerabilities as shown at the
    >> >> link
    >> >> below.
    >> >>
    >> >> http://www.microsoft.com/technet/security/tools/mbsahome.mspx
    >> >>
    >> >> Microsoft also offers a free guide called Antivirus in Depth that is
    >> >> excellent
    >> >> in educating users on what malware is, how it propagates, how to
    >> >> detect
    >> >> it,
    >> >> how to eliminate it, and how to prevent it. See the link below if
    >> >> interested. The last link is an online guide from Microsoft for
    >> >> securing
    >> >> small businesses. --- Steve
    >> >>
    >> >> http://www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx
    >> >> --- Anti Virus in Depth.
    >> >> http://www.microsoft.com/smallbusiness/gtm/securityguidance/hub.mspx
    >> >>
    >> >>
    >> >> "Carl Gross" <CarlGross@discussions.microsoft.com> wrote in message
    >> >> news:18033C22-B195-4B50-91B8-208938BB23EE@microsoft.com...
    >> >> > Can you recommend a security setting that I can enter to keep
    >> >> > viruses
    >> >> > like
    >> >> > Backdoor.Trojan from propagating through (allowing people to work on
    >> >> > the
    >> >> > network and yet not allow THINGS or hackers permission to run
    >> >> > amok).
    >> >> >
    >> >> > "Carl Gross" wrote:
    >> >> >
    >> >> >> I have been trying to make our network more secure by setting each
    >> >> >> workstation hard drive shared between Domain Admins with Full Control
    >> >> >> rights.
    >> >> >>
    >> >> >> What is the difference between setting this permission and
    >> >> >> selecting
    >> >> >> the
    >> >> >> Security tab to have the same permissions except adding the SYSTEM
    >> >> >> and
    >> >> >> user
    >> >> >> at that workstation?
    >> >> >>
    >> >> >> We have W2K SP4 workstations on a SBS 2003 server.
    >> >>
    >> >>
    >> >>
    >>
    >>
    >>