on Win2K Server, C:\ drive defaults to "Full Control" for "Everyone"?

Bennett Haselton

I installed Windows 2000 Server and I'm 99% sure I haven't changed the
default permissions on the NTFS C:\ root directory since then -- but
when I view its Security properties, it lists "Full Control" for
"Everyone".

Is this the default? How can this be secure? Even though those
permissions (of course) do not propagate down to all the
subdirectories on the C:\ drive, that still leaves any user free to
put anything they want in the C:\ drive, and to modify the config.sys
and autoexec.bat files, which inherit their permissions from their
parent by default. (I'm sure those files aren't used much in Windows
2000 Server programs, but there must be something dangerous that an
unprivileged user could do, using them to set environment variables or
something, which would be in effect next time an administrator logged
in? For example, as the unprivileged user "bennett", I could add a
line to autoexec.bat adding the c:\bennett\ directory to the beginning
of %PATH%. Then when an admin logged in, opened a command prompt, and
typed some common command, the version that I put in my directory
could execute, instead of the real one.)

I can only find one page on Google mentioning this as a possible
security risk, and recommending that administrators change it:

http://www.inetsecurity.info/modules.php?op=modload&name=News&file=article&sid=15

Surely it's a bigger security hole than that? Or am I missing
something?

-Bennett
 
Steven L Umbach

Yes, it is a good idea to change default NTFS permissions on the root
folder. If you have access to a Windows 2003 Server [free evaluation
download available] or Windows XP Pro, you will see that this has been
changed and default root share NTFS permissions are much more secure. You
could even import the rootsec.inf template from one of those computers into
your W2K machine. I have a copy of the new Microsoft Press Windows Security
Resource Kit, which has specific recommendations for NTFS settings for a
default installation and includes the rootsec.inf template on the cdrom. In
general it is a good start to change the permissions to read/list/execute for
the everyone group on the root folder. If you have no legacy applications
that require the "everyone" group to function, then you can remove the
everyone group and replace it with authenticated users for read/list/execute
permissions on the root folder. If you want to give regular users the
ability to create files/folders in a place other than their profile, it is
recommended to give them create files in subfolders only, and create folders
in this folder and subfolders only in the special permissions of the root
folder. I would also highly recommend that you run the Microsoft Baseline
Security Analyzer on your computer and download a copy of the Windows 2000
Security Hardening Guide. --- Steve

http://security.ziffdavis.com/article2/0,3973,1043101,00.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;q320454
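
An added example, not part of the thread or either poster's code: a Python check that parses `cacls` output for the root folder and files under it, and flags entries giving Everyone or another broad group write-level access. The sample output is constructed, the line layout is an assumption about how `cacls` prints ACLs, and the function names are hypothetical.

```python
import re

# Trustees that cover unprivileged users; cacls rights that allow writing
# (F = Full Control, C = Change, W = Write).
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users"}
WRITABLE = {"F", "C", "W"}
ACE_RE = re.compile(r"^(?P<trustee>[^:]+):(?P<flags>(?:\([A-Z]{2}\))*)(?P<right>[FCWRN])$")

def parse_aces(path, output):
    """Return (trustee, flags, right) for each simple ACE in cacls output.
    Assumed layout: '<path> <trustee>:<flags><right>', then indented ACEs.
    Multi-line 'special access' entries do not match and are skipped."""
    aces = []
    for line in output.splitlines():
        entry = line.strip()
        if entry.lower().startswith(path.lower()):
            entry = entry[len(path):].strip()
        m = ACE_RE.match(entry)
        if m:
            flags = re.findall(r"\(([A-Z]{2})\)", m.group("flags"))
            aces.append((m.group("trustee"), flags, m.group("right")))
    return aces

def broad_write_access(path, output):
    """Flag ACEs that let a broad group modify the object or its children."""
    findings = []
    for trustee, flags, right in parse_aces(path, output):
        if trustee.lower() in BROAD and right in WRITABLE:
            # (IO) = inherit-only: applies to children, not the object itself
            scope = "children only" if "IO" in flags else "this object"
            findings.append((path, trustee, right, scope))
    return findings

# Constructed sample output (not captured from a real server).
ROOT_DEFAULT = "C:\\ Everyone:(OI)(CI)F\n"
AUTOEXEC_INHERITED = "C:\\autoexec.bat Everyone:F\n"
ROOT_TIGHTENED = ("C:\\ BUILTIN\\Administrators:(OI)(CI)F\n"
                  "    NT AUTHORITY\\SYSTEM:(OI)(CI)F\n"
                  "    NT AUTHORITY\\Authenticated Users:(OI)(CI)R\n")

if __name__ == "__main__":
    for path, out in (("C:\\", ROOT_DEFAULT), ("C:\\autoexec.bat", AUTOEXEC_INHERITED),
                      ("C:\\", ROOT_TIGHTENED)):
        print(path, broad_write_access(path, out) or "no broad write access")
```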
 
