File Permissions

John

I use Windows 2000 Workstation on a standalone basis, using an ADSL
connection to the net.

I think I have figured out how to set permissions in such a way that my
internet connection does not create a security problem. Recognize that
I don't have any "credentials" in this area, so in doing any of this on
your own machine you should be careful. I'm not designing space shuttle
parts on my machine, so I can experiment a bit.

As administrator, I set permissions on drive c as

Administrators - full control
System - full control
Authenticated Users - read, list, execute

I deleted "Everyone - full control"

Then I set each subdirectory in the root directory of drive c so that it
inherits the permissions from the parent object except for c:\winnt
which I changed so that it shows as:

Administrators - full control
System - full control
Authenticated Users - read

I set this same permission on every *file* in the root directory of
drive c. While I was there I made boot.ini "read only".

Then I created a new account called John - restricted User, i.e. the
regular built in "User" group. I logged on with this account and tried
out all my applications. Some usability issues surfaced, because some
applications need to write to disk and cannot proceed.

For those I went into the program files subdirectory and changed permissions
by clearing the checkbox that says "inherit permissions from parent" and
setting them as follows:

Administrators - full control
System - full control
John - modify, read & execute, list folder contents, read, write

I set the permissions for John just by clicking on the "modify" box and
all the rest of the permissions filled in automatically, which is what I
wanted.

The net result of all this was to give John an account to use while
connected to the internet, and for general use that doesn't allow him to
damage anything to do with the system.

John cannot write to the root directory of drive c or change permissions.
By trying to run them I have learned that John cannot affect anything in
the Admin tools screen, like modify security settings or stop or start
services.

I also have set the security settings (as administrator) to improve the
basic policies, using material from various sources and I have turned
off many unnecessary (for this machine) services. Result of the latter
is a double win - faster computer from more memory and better security.

There is still some work to do - like limiting permissions to access
system32 tools - I think that's a real dog's breakfast of a subdirectory
and I don't know what too many of these tools are for. This will be a
long job, item by item.

You have to be careful with setting permissions - really be careful with
propagating changes "downwards" - maybe even "never do that". You can
accomplish the same thing by setting each file and subdirectory in a
given location to "inherit from parent". That way if something goes
wrong you know what caused it, because you are changing things on more
of a step by step method. And *do* make sure that "system" and
"administrators" are the first permissions you add, both with "full
control". This procedure makes sure that you don't do any permanent
damage.

I did quite a few other things - like turning off ActiveX etc in IE.
This causes a problem with Automatic Updates which require them. I
seemed to fix that by placing the update sites in a "trusted zone".

I wrote this because I think I have learned a "cautious approach" to
changing file permissions that will benefit other users here:

- start at the top of the subdirectory tree
- make sure to always add administrators and system (both full control)
- never propagate anything downwards on a full blast basis

I think we all need a little help here to recover from the default
scenario of "Everyone - full control" that comes with the default
installation. Microsoft "oughtta be shot" for that along with quite a
few other things.

John
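
A check for the two rules in the post above (no write-capable "Everyone" entry; Administrators and System both with full control), added here as an example and not part of the original thread. It parses text in the layout printed by `cacls <path>`; the sample listings are constructed and the function names are hypothetical.

```python
import re

# One ACE as printed by cacls: ACCOUNT:(flags)PERM, where PERM is F, C, W, R or N.
ACE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[FCWRN])$")
WRITE_CAPABLE = {"F", "C", "W"}  # full control, change, write

# Constructed samples (not from the thread): a root folder with the
# "Everyone - full control" default, and the same folder after the change.
SAMPLE_DEFAULT = r"""C:\ Everyone:(OI)(CI)F
"""
SAMPLE_HARDENED = r"""C:\ BUILTIN\Administrators:(OI)(CI)F
   NT AUTHORITY\SYSTEM:(OI)(CI)F
   NT AUTHORITY\Authenticated Users:(OI)(CI)R
"""

def parse_cacls(path, output):
    """Return [(account, perm)] from the text printed for one path."""
    aces = []
    for line in output.splitlines():
        if line.startswith(path):
            line = line[len(path):]  # the first ACE shares a line with the path
        m = ACE.match(line.strip())
        if m:  # blank lines and special-access detail lines do not match
            account = m.group("who").split("\\")[-1].lower()
            aces.append((account, m.group("perm")))
    return aces

def audit(path, output):
    """List deviations from the post's rules for one folder."""
    aces = parse_cacls(path, output)
    findings = []
    for who, perm in aces:
        if who == "everyone" and perm in WRITE_CAPABLE:
            findings.append("Everyone has write-capable access (%s)" % perm)
    for required in ("administrators", "system"):
        if (required, "F") not in aces:
            findings.append("%s lacks full control" % required)
    return findings

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, audit("C:\\", text) or "OK")
```

Running it against each folder's listing after every change fits the step-by-step approach: a missing Administrators or System entry shows up before the next folder is touched.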
 
Steven Umbach

The default full control for everyone on the root folder is a security issue
that has been addressed in XP and Windows 2003. Reducing everyone/users to
read/list/execute on that folder makes a lot of sense. In general it is best
not to change folder permissions on the \winnt folder where users are already
limited and can not run many of the command line executables, but of course
limiting access to those files to regular users is not a bad idea keeping in
mind that a critical update or more likely a service pack may change them all
back to default ntfs permissions. Proper permissions are a key component of
securing a computer, but other steps need to be taken also. Complex passwords,
particularly for the administrator account, and renaming the administrator are
also important as is a firewall, critical update, and virus protection including
scanning emails for basic computer security. --- Steve
 
