Re: deny access to all but 1 folder



Hi TP,

OK, I see your point 1 about users being able to create subfolders
off the root. But it's not really a security issue in my view,
merely a nuisance.
I never thought of your point 2, since I keep all utilities on a
network share.

You are absolutely right, if you want to run a tight ship, you
should change the permissions, but I didn't want to confuse the
issue of this thread, it's confusing enough as it is :-)

Thanks for pointing this out, though!

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"TP" <tperson.knowspamn@xxxxxxxxxxxxxxx> wrote on 29 May 2007 in
microsoft.public.windows.terminal_services:

Hi Vera,

One of the standard things I do is tighten the default
permissions on the root of C: because they are too weak. Two
points:

1. By default they allow any user to create a subfolder off the
root, and other users will be able to read the contents of this
folder. I don't want users cluttering up the root of C: with
their folders (many times created without much thought or
unintentionally).

2. If I create a folder off the root, I prefer that *by default*
normal users do not have access to it. For example, I may store
copies of installation programs and utilities--I don't want
normal users to have access to those, and I do not want to have
to *explicitly* set permissions on each new folder so that users
are denied. This follows the principle of least privilege.

I agree with you that the default permissions are not the cause
of the OP's problems, but I wanted to point out to you that they
are too weak and it is good practice to further restrict them.

I restrict other areas as well (like Program Files), but that
is a topic for another day. :-)

-TP

Vera Noest [MVP] wrote:
Do not change the default NTFS permissions on the root of C:,
or any folder beneath C:\Windows. The default permissions are
what they should be.

For the Borland and Developers folders, just set the NTFS
permissions as you want them to be.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
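
An added example, not part of the thread and not either poster's own procedure: a read-only PowerShell check for the two conditions TP lists (users able to create folders off the root, and new folders off the root being accessible to normal users by default). The function name `Get-WeakFolderAce` and the set of trusted SIDs are assumptions made for this illustration.

```powershell
# Added example (not from the thread): read-only audit of a folder's ACL.
# Lists Allow ACEs for principals outside a trusted set that either permit
# creating items in the folder itself or are inherited by new subfolders.
function Get-WeakFolderAce {
    param([string]$Path = 'C:\')

    # Well-known SIDs treated as trusted (assumption; extend per site):
    # SYSTEM, BUILTIN\Administrators, CREATOR OWNER.
    $trusted = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0'

    # WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
    # GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
    $createMask = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000

    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or $trusted -contains $sid) { continue }

        # InheritOnly (PropagationFlags 0x2): ACE does not apply to $Path itself.
        $inheritOnly  = ([int]$ace.PropagationFlags -band 0x2) -ne 0
        # ContainerInherit (InheritanceFlags 0x1): ACE is copied to new subfolders.
        $toSubfolders = ([int]$ace.InheritanceFlags -band 0x1) -ne 0
        $canCreate    = (([int]$ace.FileSystemRights -band $createMask) -ne 0) -and
                        -not $inheritOnly

        if (-not ($canCreate -or $toSubfolders)) { continue }

        # Resolve the SID to a name for display; fall back to the raw SID.
        $name = try {
            $ace.IdentityReference.Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }

        [pscustomobject]@{
            Identity           = $name
            Rights             = $ace.FileSystemRights
            CanCreateHere      = $canCreate      # TP's point 1
            InheritedByNewDirs = $toSubfolders   # TP's point 2
        }
    }
}

Get-WeakFolderAce -Path 'C:\' | Format-Table -AutoSize
```

An empty result means no principal outside the trusted set can create items in the folder or will pick up access on newly created subfolders through inheritance.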