Access Control to Drives

TheMSsForum.com: The Microsoft Software Forum

My HD has two partitions: C: (operating system and programs) and D: (data).

The Operating System is Windows 2000 Pro.

While checking the PROPERTIES --> SECURITY settings, I found that:

For Drive C, User â??EVERYONEâ?? has â??FULL ACCESS CONTROLâ??.

For Drive D, there are three users with â??FULL ACCESS CONTROLâ??:

Administrator,
UserA (that me),
S-1-5-21-121â?¦(long string)

Since there is no network, both drives are set to â??Donâ??t shareâ??.

Questions:

1. What is the proper security setting for Drive C and Drive D?

2. What is the third mysterious user that has control of Drive D? Should I
remove it?

3. Should I change the security setting if I install an external hard drive
for back-up?

Thank you for your help.
Top

Re: Access Control to Drives by Arek

Arek
Sat Sep 24 03:26:49 CDT 2005

"ATK31" <ATK31@discussions.microsoft.com> wrote in message
news:43574B39-3C8F-42C2-B2CA-AF1C849C6736@microsoft.com...
> My HD has two partitions: C: (operating system and programs) and D:
> (data).
>
> The Operating System is Windows 2000 Pro.
>
> While checking the PROPERTIES --> SECURITY settings, I found that:
>
> For Drive C, User â??EVERYONEâ?? has â??FULL ACCESS CONTROLâ??.
>
> For Drive D, there are three users with â??FULL ACCESS CONTROLâ??:
>
> Administrator,
> UserA (that me),
> S-1-5-21-121â?¦(long string)
>
> Since there is no network, both drives are set to â??Donâ??t shareâ??.
>
> Questions:
>
> 1. What is the proper security setting for Drive C and Drive D?
>
> 2. What is the third mysterious user that has control of Drive D? Should I
> remove it?
>
> 3. Should I change the security setting if I install an external hard
> drive
> for back-up?
>
> Thank you for your help.
>
>

I would recommend the following:

SYSTEM - Full Control
Administrators - Full Control
CREATOR OWNER - Full Control
Everyone - Read & Execute
Users - Read & Execute

You could probably get away with Everyone, if you really want to feel more
secure ;)

As for the long string (SID), have you imported the hard disk from another
computer? Or, have you used it before as a secondary HDD while primary was
reformatted? My guess is that this SID belongs to account which no longer
exist (was part of the "old" operating system or the system where the HDD
was previously installed). Hence, you could get rid of it.

If you want to use the HDD as a backup, I would suggest to assign similar
permissions as above, just to keep it clean.

--
Arek Iskra
MVP for Windows Server - Software Distribution


Top

Re: Access Control to Drives by ATK31

ATK31
Sat Sep 24 04:27:02 CDT 2005

Dear Mr. Iskra,

Thank you for your response.

>>>>> You could probably get away with Everyone if you really want to feel more secure ;)

The DEFAULT setting of WINDOWS is Full Access Control to â??EVERYONEâ??! This
seems like a serious security threat.

>>>>> As for the long string (SID), â?¦ have you used it before as a secondary HDD while primary was reformatted?

The â??mysteriousâ?? user S-1-5-21-121â?¦ is listed as a User for Drive D. I had
indeed recently reinstalled WINDOWS to Drive C.
Is this what you suggest had installed the strange user?

Should I change the security setting for Drive C and Drive D if I wish to
make a FULL BACK-UP (â??IMAGEâ??) to an EXTERNAL hard drive?
E.g., should I allow SHARE?

Thank you very much for your kind help.
Top

Re: Access Control to Drives by Arek

Arek
Sat Sep 24 04:41:16 CDT 2005

"ATK31" <ATK31@discussions.microsoft.com> wrote in message
news:9D1B91FE-DDB9-4D94-8D4C-878BDB33705E@microsoft.com...
> Dear Mr. Iskra,
>
> Thank you for your response.
>
>>>>>> You could probably get away with Everyone if you really want to feel
>>>>>> more secure ;)
>
> The DEFAULT setting of WINDOWS is Full Access Control to â??EVERYONEâ??! This
> seems like a serious security threat.

Yes it does. I was suggesting Read & Execute (default in XP and 2003), but
as I mentioned - if you feel you want to be even more secure, remove
Everyone altogether. As long as you keep the other groups/users in.

> The â??mysteriousâ?? user S-1-5-21-121â?¦ is listed as a User for Drive D. I had
> indeed recently reinstalled WINDOWS to Drive C.
> Is this what you suggest had installed the strange user?

It might be any of the user accounts you have been using in the previous OS
installation. New (reinstalled) copy of Windows simply doesn't have that SID
in its security database, hence it cannot translate SID to username. As long
as you are able to access the data on D, you should be fine deleting it.
>
> Should I change the security setting for Drive C and Drive D if I wish to
> make a FULL BACK-UP (â??IMAGEâ??) to an EXTERNAL hard drive?
> E.g., should I allow SHARE?

Share applies only if you need to access the resource over network. Since
the drive will be connected locally, all you have to do is to make sure that
your Backup software (and you, for that matter) can access the other HDD. If
it is not already there, add SYSTEM, Administrators, CREATOR OWNER and Users
to the permissions. Similar to what I proposed in my previous post.

> Thank you very much for your kind help.

You are welcome :)

--
Arek Iskra
MVP for Windows Server - Software Distribution


Top

Re: Access Control to Drives by ATK31

ATK31
Sat Sep 24 06:38:01 CDT 2005

Dear Mr. Iskra,

Thank you very much for your detailed response.

ATK31
Top

Re: Access Control to Drives by Steven

Steven
Sat Sep 24 09:57:40 CDT 2005

Just to clarify in Windows 2000 if you dig further you should see that
everyone has full control only to the root/drive folder for the system
drive. If you look under the \winnt folder for instance that should not be
the case. MS did change that behavior in XP/2003 and I agree with what Arek
suggests though you may want to remove everyone and users and replace with
authenticated users for read/list/execute. The mysterious sid is a user or
group that the operating system no longer has a name to map to. For a non
domain computer you could safely remove the sid from permissions lists.
Usually this happens when a user or group was created and then deleted from
users and groups but still remains in permissions and/or user rights lists.
The link below is to a KB article that discusses the root folder excessive
permissions in Windows 2000. --- Steve

http://support.microsoft.com/?scid=327522

"ATK31" <ATK31@discussions.microsoft.com> wrote in message
news:9D1B91FE-DDB9-4D94-8D4C-878BDB33705E@microsoft.com...
> Dear Mr. Iskra,
>
> Thank you for your response.
>
>>>>>> You could probably get away with Everyone if you really want to feel
>>>>>> more secure ;)
>
> The DEFAULT setting of WINDOWS is Full Access Control to "EVERYONE"! This
> seems like a serious security threat.
>
>>>>>> As for the long string (SID), . have you used it before as a
>>>>>> secondary HDD while primary was reformatted?
>
> The "mysterious" user S-1-5-21-121. is listed as a User for Drive D. I had
> indeed recently reinstalled WINDOWS to Drive C.
> Is this what you suggest had installed the strange user?
>
> Should I change the security setting for Drive C and Drive D if I wish to
> make a FULL BACK-UP ("IMAGE") to an EXTERNAL hard drive?
> E.g., should I allow SHARE?
>
> Thank you very much for your kind help.


Top

Re: Access Control to Drives by Arek

Arek
Sun Sep 25 05:52:30 CDT 2005

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:OWwinhRwFHA.624@TK2MSFTNGP11.phx.gbl...
> Just to clarify in Windows 2000 if you dig further you should see that
> everyone has full control only to the root/drive folder for the system
> drive. If you look under the \winnt folder for instance that should not be
> the case. MS did change that behavior in XP/2003 and I agree with what
> Arek suggests though you may want to remove everyone and users and replace
> with authenticated users for read/list/execute. The mysterious sid is a
> user or group that the operating system no longer has a name to map to.
> For a non domain computer you could safely remove the sid from permissions
> lists. Usually this happens when a user or group was created and then
> deleted from users and groups but still remains in permissions and/or user
> rights lists. The link below is to a KB article that discusses the root
> folder excessive permissions in Windows 2000. --- Steve
>
> http://support.microsoft.com/?scid=327522
>


Thanks a lot Steve for clarification. Yup, adding Authenticated Users is yet
another way to deal with this scenario.

--
Arek Iskra
MVP for Windows Server - Software Distribution


Top