E
eOx
I'm setting up an untattended installation for a secure Windows XP
desktop environment and will be rolling out to 10000+ clients.
As part of the "hardening" it seems it may be a good idea to remove the
SID "CREATOR OWNER" from the default ACLs in NTFS.
By default "CREATOR OWNER" has "full control" (apply to subfolder and
files only). This opens the door to misc security headaches such as
granting users "change" on a folder, user creates new folder, user
changes ACL on new folder barring everyone (including AV-tools) except
himself, etc.
Provided that "Administrators" and SYSTEM always have "full control"
(with inherit enabled) on any folder, and "users" have "read" or
"change" as applicable, I can't see any reason to keep "CREATOR OWNER"
in the ACLs.
My tests so far show all systems running smoothly with "CREATOR OWNER"
removed from all NTFS ACLs on the local disk.
Are there any reasons NOT to follow the above strategy?
desktop environment and will be rolling out to 10000+ clients.
As part of the "hardening" it seems it may be a good idea to remove the
SID "CREATOR OWNER" from the default ACLs in NTFS.
By default "CREATOR OWNER" has "full control" (apply to subfolder and
files only). This opens the door to misc security headaches such as
granting users "change" on a folder, user creates new folder, user
changes ACL on new folder barring everyone (including AV-tools) except
himself, etc.
Provided that "Administrators" and SYSTEM always have "full control"
(with inherit enabled) on any folder, and "users" have "read" or
"change" as applicable, I can't see any reason to keep "CREATOR OWNER"
in the ACLs.
My tests so far show all systems running smoothly with "CREATOR OWNER"
removed from all NTFS ACLs on the local disk.
Are there any reasons NOT to follow the above strategy?