Default Permissions

TheMSsForum.com: The Microsoft Software Forum

Hi!

Can someone explain why the default permissions in every harddrives and
partitions in Windows 2003 Server look like they do? For example if you look
at advanced settings on security the "Users" group will appear with three
different settings. And what is the reason to put the "System" group there.
We feel like we want to remove all the default security and only leave the
Administrators as default with full control and then add the permission we
need in the subfolders.
Top

RE: Default Permissions by chris

chris
Thu Dec 23 09:49:04 CST 2004

When I look at the default permissions on 2003 here, I do not see "users" in
3 places. Can you elaborate on what you are seeing/looking at? As far as
system goes. I would not remove that, especially from any windows
directories etc. Could be dangerous

"Jarno" wrote:

> Hi!
>
> Can someone explain why the default permissions in every harddrives and
> partitions in Windows 2003 Server look like they do? For example if you look
> at advanced settings on security the "Users" group will appear with three
> different settings. And what is the reason to put the "System" group there.
> We feel like we want to remove all the default security and only leave the
> Administrators as default with full control and then add the permission we
> need in the subfolders.
Top

Re: Default Permissions by Steve

Steve
Thu Dec 23 12:35:15 CST 2004

The default permissions on Windows Server 2003 are much tighter than they
were on Windows 2000. Further tinkering usually isn't necessary and can have
adverse side effects. Please consult the Windows Server 2003 Security Guide
for good guidance on the things that you can do to further enhance the security
of your computers by grouping them into "roles" and automatically applying
(through group policy) consistent security settings that are appropriate
for machines based on what the machines are doing.

http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.mspx

Steve Riley
steriley@microsoft.com



> Hi!
>
> Can someone explain why the default permissions in every harddrives
> and partitions in Windows 2003 Server look like they do? For example
> if you look at advanced settings on security the "Users" group will
> appear with three different settings. And what is the reason to put
> the "System" group there. We feel like we want to remove all the
> default security and only leave the Administrators as default with
> full control and then add the permission we need in the subfolders.
>


Top

Re: Default Permissions by Roger

Roger
Thu Dec 23 15:50:05 CST 2004

When you look at the generalized view in the ACL editor you see only
ACEs that have flags set so that it will apply to
"This folder, subfolders, and files"
When you look using the advanced view you see all ACEs in the ACL
(at least for NTFS objects).
Users has a grant of read/execute that is a generic read, for this
folder (where the ACL is), subfolders and files. This means it is
inherited on down to anywhere within that does not block inheritance.
The other two ACEs that you see grant folder only permissions, and
carry no permissions on the contained files.
One allows Users members to create new folders in the folder with
the ACL (at the root of the drive if we speak of a new partition), and
the other allows Users members to create new files within subfolders
of the one holding the ACL.
Once a Users group member has exercised these abilities to create
a new object, then the generic grant to Creator Owner allows that
account to have full control over what it has created.

For many purposes these are rather reasonable settings, but for
others they are not. Remember defaults are just that, defaults.
It is not possible to prescribe something that is correct for all
circumstances. If you feel you have different needs, then yes, you
are supposed to set the ACLing to fit your needs. However, be
very careful that you understand what you are doing when you
modify the ACLing on the boot partition (the one containing the
Windows directory).

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Jarno" <Jarno@discussions.microsoft.com> wrote in message
news:7957D368-D179-424E-AE61-6FE83C058BC6@microsoft.com...
> Hi!
>
> Can someone explain why the default permissions in every harddrives and
> partitions in Windows 2003 Server look like they do? For example if you
> look
> at advanced settings on security the "Users" group will appear with three
> different settings. And what is the reason to put the "System" group
> there.
> We feel like we want to remove all the default security and only leave the
> Administrators as default with full control and then add the permission we
> need in the subfolders.


Top