Shared permissions vs. security

Guest

I have been trying to make our network more secure by setting each
workstation hard drive shared between Domain Admins with Full Control rights.

What is the difference between setting this permission and selecting the
Security tab to have the same permissions except adding the SYSTEM and user
at that workstation?

We have W2K SP4 workstations on a SBS 2003 server.
 
Steven L Umbach

System basically means operating system and you generally want to give
system full control as it would have by default. Not having the system with
full control possibly can break some things with backups being an example of
a possibility.

If you add "user" or a user account then that user will have full control
over that folder/file which means that the user can read, list, execute,
write, delete, and change permissions. Generally this is considered
excessive permissions for a user other than something like their home folder
or user profile folder. A basic security principle is that of least
privilege which means a user will only have the necessary rights and
permissions to do their job. Then they will be much less likely to
accidentally delete folders/files or install software that they should not -
maybe even a Trojan. The link below explains more on folder permissions.

http://support.microsoft.com/default.aspx?kbid=300691
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308419 --- mostly
applies to Windows 2000 also

Your subject mentions "shared". If you mean network shares then keep in mind
that share permissions work together with folder/ntfs permissions. Share
permissions only apply when a user accesses a share via the network.
Folder/ntfs permissions apply to a local logon or network access. If share
permissions conflict with folder/ntfs permissions for a network user the
most restrictive permission will apply to the user. In other words, if a user
has only read access to a share but full control in the folder/ntfs
permissions, that user will only have read/list/execute access over the
network for the share contents. --- Steve
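
The share/NTFS interaction described in the reply above, as an added example that is not part of the original thread: a simplified Python model that computes a user's effective rights for local and network access. The account names, groups and ACLs are constructed, and the four-bit rights mask and the "deny wins" rule are simplifying assumptions, not the full Windows access check.

```python
# Simplified model of how share and NTFS permissions combine on Windows.
# Every account, group and ACL here is constructed sample data.
READ, WRITE, DELETE, CHANGE_PERMS = 1, 2, 4, 8   # READ stands for read/list/execute
FULL = READ | WRITE | DELETE | CHANGE_PERMS
LABELS = {READ: "read/list/execute", WRITE: "write", DELETE: "delete",
          CHANGE_PERMS: "change permissions"}


def granted(acl, token):
    """Rights one ACL gives a logon token (the user plus its groups).

    Allow entries accumulate across all matching trustees; a matching
    deny entry removes the right. Real Windows walks ACEs in order; this
    'deny wins' rule is a simplification.
    """
    allow = deny = 0
    for kind, trustee, mask in acl:
        if trustee in token:
            if kind == "deny":
                deny |= mask
            else:
                allow |= mask
    return allow & ~deny


def effective(share_acl, ntfs_acl, token, over_network):
    """Local logon is checked against NTFS only; network access needs the
    right in both ACLs, so the more restrictive of the two applies."""
    ntfs = granted(ntfs_acl, token)
    return ntfs & granted(share_acl, token) if over_network else ntfs


def describe(mask):
    return [name for bit, name in LABELS.items() if mask & bit] or ["no access"]


# Constructed scenario: read-only share for users, Full Control on the folder.
SHARE_ACL = [("allow", "Domain Admins", FULL), ("allow", "Domain Users", READ)]
NTFS_ACL = [("allow", "SYSTEM", FULL), ("allow", "Domain Admins", FULL),
            ("allow", "alice", FULL)]
ALICE = {"alice", "Domain Users"}
ADMIN = {"bob", "Domain Admins", "Domain Users"}

if __name__ == "__main__":
    for who, token in (("alice", ALICE), ("admin", ADMIN)):
        for net in (True, False):
            path = "network" if net else "local"
            rights = describe(effective(SHARE_ACL, NTFS_ACL, token, net))
            print(f"{who:5} via {path:7}: {', '.join(rights)}")
```

In this model the user with Full Control on the folder is limited to read/list/execute over the share but keeps full control at a local logon, which is why NTFS permissions matter on a workstation where the user logs on directly.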
 
Guest

Can you recommend a security setting that I can enter to keep viruses like
Backdoor.Trojan from propagating through (allowing people to work on the
network and yet not allow THINGS or hackers permission to run amok)?
 
Steven L Umbach

I can't recommend settings but use the principle of least privilege. If a
user does not need to write to a share then give them only read/list/execute
permissions.

As far as hackers and worms make sure that users are forced to use strong
passwords via security policy, that the users are not local administrators
if they do not need to be, that you keep all your computers current with
critical security updates from Windows updates, that all computers have
antivirus installed that can keep itself current with updates automatically
and that the antivirus runs in autoprotect mode and scans ALL email
attachments, and you have a firewall that protects your network. Microsoft
makes a free tool called Microsoft Baseline Security Analyzer that can scan
all your computers looking for basic vulnerabilities as shown at the link
below.

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Microsoft also offers a free guide called Antivirus in Depth that is excellent
in educating users on what malware is, how it propagates, how to detect it,
how to eliminate it, and how to prevent it. See the link below if
interested. The last link is an online guide from Microsoft for securing
small businesses. --- Steve

http://www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx
--- Anti Virus in Depth.
http://www.microsoft.com/smallbusiness/gtm/securityguidance/hub.mspx
 
