RE: tighten security...question for Patrick Rouse
From: Paul Young (anonymous_at_discussions.microsoft.com)
Date: 03/27/04
Date: Sat, 27 Mar 2004 05:17:22 -0800
Patrick,
Thank you for your reply.
This is for a test build of a TS that will shortly be
implemented in a production environment. I am also
following KB278295 for further lockdown. Do not fret, I
am not going to lock out the Administrator account. I am
aware of Authenticated Users needing to be changed to some
security group that I create.
I really appreciate your time ( and your web site ).
Paul
>-----Original Message-----
>Paul, I only recommend making these changes to a new build or a test
>system, as they may break programs you've already installed. I have a
>base Server OS build that I use that has these settings, then I relax
>security on specific files or directories as needed by specific
>applications. Doing this in reverse order may cause unexpected results.
>
>I use these settings for C:\ & C:\Program Files:
>
>Local Administrators Group, CREATOR OWNER, & System - Full Control <Not Inherited> (This Folder, Subfolders & Files)
>Authenticated Users - Read & Execute <Not Inherited> (This Folder, Subfolders & Files)
>
>********************
>I do NOT, NOT, NOT "Replace permission entries on all child
>objects..." which would definitely break the OS.
>********************
>
>Windows 2000 & 2003 have different default permission sets, where in
>2000 Everyone has "Full Control" by Default, in 2003 this is NOT the
>default. In my opinion if Microsoft ever wants to make Windows secure
>they won't let you logon interactively with an admin account, i.e.
>you'd only be able to use the "Run as" or "Add/Remove Programs" (which
>prompts for Administrative credentials) and the spread of
>spyware/malware and most viruses would decrease significantly.
>
>Patrick Rouse
>Microsoft MVP - Terminal Server
>http://www.workthin.com
>
> ----- Paul Young wrote: -----
>
> Patrick,
>
> I have seen several of your posts where you share with the
> NewsGroup how to secure the Terminal Server with NTFS permissions.
>
> You have stated that you lock down the C:\ and the C:\Program Files
> directories with Administrators, System and Creator/Owner ( Full
> Control ) and Authenticated Users ( Read and Execute ). Assumption
> is that this is on a Terminal Server running on a WIN2000 Member
> Server.
>
> I have three questions for you:
>
> A) on the C:\ - are these permissions for This folder and files or
> for This folder, sub-folders and files?
>
> B) I am sure that the Administrators is the local Administrators
> group. How about the Authenticated Users and System? There is a
> Domain account ( mydomain\system ) as well as a local account
> ( termserv\system ). My guess is that both are the local account.
>
> C) on the C:\Program Files - these permissions would have to be for
> This folder, sub-folder and files? I should remove the default
> permissions and manually enter what you have suggested.
>
> Thank you,
>
> Paul
>
>.
>
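The baseline described in the quoted reply can be checked mechanically. The following is an added example, not part of the thread and not either poster's code: a Python check that compares the text output of `icacls` for one folder against that baseline. It assumes English principal names, the `icacls` output layout, and that Windows stores a CREATOR OWNER entry on a folder as inherit-only; the sample output is constructed.

```python
import re
# Baseline from the thread, keyed by the English principal names icacls prints.
BASELINE = {r"BUILTIN\Administrators": "F", r"NT AUTHORITY\SYSTEM": "F",
            "CREATOR OWNER": "F", r"NT AUTHORITY\Authenticated Users": "RX"}
INHERIT = {"OI", "CI", "IO", "NP", "I"}  # icacls inheritance markers
ALIASES = {"GA": "F", "GR,GE": "RX"}     # generic-rights spellings icacls may print

def parse_icacls(path, text):
    """Return [(principal, flags, right)] parsed from `icacls <path>` output."""
    aces = []
    for line in text.splitlines():
        line = line.strip().removeprefix(path).strip()
        m = re.match(r"(.+?):((?:\([^)]+\))+)$", line)
        if m:
            parts = re.findall(r"\(([^)]+)\)", m.group(2))
            right = ",".join(p for p in parts if p not in INHERIT)
            aces.append((m.group(1), set(parts) & INHERIT, ALIASES.get(right, right)))
    return aces

def audit(path, text):
    """List deviations of one folder's ACL from BASELINE."""
    findings, cover = [], {}
    for who, flags, right in parse_icacls(path, text):
        if who not in BASELINE:
            findings.append(f"{who}: not in baseline ({right})")
        elif "I" in flags:
            findings.append(f"{who}: inherited ACE, baseline is Not Inherited")
        elif right != BASELINE[who]:
            findings.append(f"{who}: has {right}, baseline is {BASELINE[who]}")
        else:
            got = cover.setdefault(who, set())
            got |= set() if "IO" in flags else {"folder"}
            got |= {"children"} if {"OI", "CI"} <= flags else set()
    for who, want in BASELINE.items():
        # Assumption: Windows stores CREATOR OWNER on a folder as inherit-only.
        need = {"children"} if who == "CREATOR OWNER" else {"folder", "children"}
        missing = need - cover.get(who, set())
        if missing:
            findings.append(f"{who}: no explicit {want} ACE for {', '.join(sorted(missing))}")
    return findings

# Constructed sample output: over-broad Authenticated Users right plus Everyone.
SAMPLE = r"""C:\Program Files BUILTIN\Administrators:(OI)(CI)(F)
                 NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                 CREATOR OWNER:(OI)(CI)(IO)(F)
                 NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
                 Everyone:(OI)(CI)(F)"""
if __name__ == "__main__":
    print("\n".join(audit(r"C:\Program Files", SAMPLE)))
```

If a custom security group replaces Authenticated Users, change that key in `BASELINE` before running the check.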