Re: Everyone
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 12/17/04
- Next message: Petri Kuorikoski: "Re: How to disable browser master election from Group Policy"
- Previous message: Joe Richards [MVP]: "Re: Querying a Computer property"
- In reply to: Paul Hadfield: "Re: Everyone"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 17 Dec 2004 00:13:27 -0500
This definition has changed a couple of times. At the moment, I believe it is
everyone is pretty much authenticated users unless you have enabled null session
shares. Null session shares and guesst access are the only ways to connect
without supplying creds.
joe
-- Joe Richards Microsoft MVP Windows Server Directory Services www.joeware.net Paul Hadfield wrote: > Thanks Joe. > > Out of interest, who is or isn't members of the Everyone group in a Windows > 2000 domain? > > For example, if a share is set up on a file server that is shared with > Everyone FC and NTFS setting also give Everyone FC, would this mean that > users from machines that are not members of the domain could access this > share without being asked for a username/password? > > > Cheers, > Paul. > > > "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message > news:OgUMnke4EHA.2572@tk2msftngp13.phx.gbl... > >>Before you go through the hassle, is there any way for something to access >>the resources if they aren't a user? For instance file shares are commonly >>configured to be Everyone FC but the underlying NTFS permissions are >>locked down, this means that everyone is really only the people with >>access to the NTDS perms. Going through and say changing the ACLs on 100 >>or 1000 or 5000 shares in this case would not make a lot of sense. Ditto >>for file system stuff, if you have a folder with everyone access but only >>normal users can get to that folder because it isn't shared, not an issue. >> >>A security hack is generally going to come in two ways, as a user or as >>localsystem. You can't/shouldn't remove localsystem's access to files on >>your system and if you securing from everyone to user on the local system >>for things that can only be access by user's, you are making up work. >> >>As a general rule though, yes, users or authenticated users should be able >>to replace everyone as long as localsystem has a specific ACE for itself >>as well. Note that you should test the configs prior to implementing in >>production, you should always do that with any change. >> >> joe >> >>-- >>Joe Richards Microsoft MVP Windows Server Directory Services >>www.joeware.net >> >> >>Paul Hadfield wrote: >> >>>In a Windows 2000 Domain where every user logs on with a user account to >>>their Windows 2000 desktop, is there actually any use for the Everyone >>>group? >>> >>>Can't I just weed through the NTFS security of my servers/printers etc >>>and replace Everyone with Users? >>> >>>Or am I missing something obvious here? >>> >>>Cheers, >>>Paul. >>> > >
- Next message: Petri Kuorikoski: "Re: How to disable browser master election from Group Policy"
- Previous message: Joe Richards [MVP]: "Re: Querying a Computer property"
- In reply to: Paul Hadfield: "Re: Everyone"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
