On Windows 2000 / 2003 Server the default permissions on my C & D drives
include

Administrators
Domain User
Everyone

And a few others...

On a test server I have changed this to just Administrators & Domain Users
and allowed this to go through to all other folders.

Is this safe to do ??

With the default setting, IIS installed and running ASP, I can browse all
files on my hard disks, via the browser, using just a couple of simple asp
files... This is a big security risk..

With the changed settings, everything is fine !

Any Advice / comments ?

Thanks

Make sure that the System account (NT Authority) has full control of the
%systemdrive% and or the drive the pagefile is located on.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft MVP [Windows NT/2000 Operating Systems]
http://www.microsoft.com/protect.

"Tom" wrote:
| On Windows 2000 / 2003 Server the default permissions on my C & D drives
| include
|
| Administrators
| Domain User
| Everyone
|
| And a few others...
|
| On a test server I have changed this to just Administrators & Domain Users
| and allowed this to go through to all other folders.
|
| Is this safe to do ??
|
| With the default setting, IIS installed and running ASP, I can browse all
| files on my hard disks, via the browser, using just a couple of simple
asp
| files... This is a big security risk..
|
| With the changed settings, everything is fine !
|
| Any Advice / comments ?
|
| Thanks

Thanks



On Wed, 21 Jan 2004 07:33:17 -0700, "Dave Patrick"
<(E-Mail Removed)> wrote:

>Make sure that the System account (NT Authority) has full control of the
>%systemdrive% and or the drive the pagefile is located on.

Yes, you may be able to get by with removing everyone. I would leave system
access as it is and be careful about modifying the \winnt folder which
already is fairly restricted. Running the IIS lockdown tool will also harden
a lot of folder/file permissions including setiing explicit deny permisions
to many sensitive files in the \winnt folder that could be used by an
attacker to compromise your server. --- Steve

http://support.microsoft.com/default...b;en-us;325864


"Tom" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Windows 2000 / 2003 Server the default permissions on my C & D drives
> include
>
> Administrators
> Domain User
> Everyone
>
> And a few others...
>
> On a test server I have changed this to just Administrators & Domain Users
> and allowed this to go through to all other folders.
>
> Is this safe to do ??
>
> With the default setting, IIS installed and running ASP, I can browse all
> files on my hard disks, via the browser, using just a couple of simple
asp
> files... This is a big security risk..
>
> With the changed settings, everything is fine !
>
> Any Advice / comments ?
>
> Thanks