Best Practice File System Permissions

[barb]

On the following folders I moved the Everyone and Power
Users group. I added the authenticated users group.
c:\winnt
c:\winnt\system32
c:\winnt\system32\config
c:\winnt\system32\drivers
c:\documents and settings


My questions are:
1. What permissions should I give the authenticated users?
2. Should it be [this folder only], or [this folder,
subfolder, and files]?
3. Do I need to check "allow inheritable permissions from
parent to propagate to this object" on any of these
folders?

 

[Herb Martin]

"Best practice" is very difficult to specify, but here are some thoughts
that go
beyond the naive assumptions most admins make:

At tight as possible (as tight as you can stand and still function)

Different for different types of files in the same directory
(why should even an admin be able to WRITE to an Exe or DLL
most days?)
You can pull this trick by putting the Admins in a group
that "DENIES WRITE/DELETE"
explicitly and removing the Admin when performing
upgrades
Frequently different for file than the directories in which they
live
Directories set the defaults, many files can have TIGHTER
settings
Other files may need LOOSER settings
Different for different people in your org
For a "Secure network", the everyone permissions should
largely be removed, and
replaced by permissions specific to the "groups" to
which the users are assigned
Some programs REQUIRE more permission than actually legitimately
needed
The programmers in this case should just be taken out and
shot <just kidding>

There is a file and a program (SubInAcls.exe) in the resource kit that can
reset the
permissions to the DEFAULTS, but this is not my idea of "best practice" just
a starting
point for beginning to secure the system.