hazards of "improving" c:\ , ie root dir ACLs; plan wanted

[Tom Rodman]

<pardon me if this is a dup post>

After a fresh install of w2k workstation

the C: drive root directory ACL is:

EVERYONE "full control" ; "this folder, subfolder, files"

Goal:

improve the ACLs on

o the C: drive root directory ACL

o the top level directories below the root diretory of C:\

make the box more "multi-user" friendly, prevent
non administrators from causing problems; prevent
non administrators from writing in directories that are inappropriate -
like c:\ for example

First Stab:

changed the C: drive root directory ACL to:

Administrators "full control" ; "this folder, subfolder, files"
EVERYONE "read execute" ; "this folder, subfolder, files"

consequences noted:

My test "non adminstrator" acct could still run Mozilla, Acrobat reader,
and Gimp, but QuarkExpress silently failed to "come up" when
invoked. The ACL change was done *after* all these apps
were installed.

Any help or "best practices" pointers would be appreciated.

 

[Dmitry Korolyov]

download ntfinemon from www.systinternals.com and see what quarkexpress and
other apps are trying to do

 

[Oli Restorick [MVP]]

Take a look at security templates and secedit. These are predefined
security templates for locking down security a little more.

If you really want to go the whole hog, there's an excellent documented
called the "Windows 2000 Security Hardening Guide".

http://www.microsoft.com/downloads/...familyid=15E83186-A2C8-4C8F-A9D0-A0201F639A56

Regards

Oli

 

[Giuseppe Cibrario]

Any help or "best practices" pointers would be appreciated.
--

Hi,

see this http://www.nsa.gov/snac/index.html

Bye, Giuseppe

 

[Carrie Garth \(MVP\)]

Hi Tom,

The following Microsoft Knowledge Base Article has the default permissions for the
root directory on the system drive for Windows XP. This set of permissions has been
thoroughly designed and tested and can be used as a guide for resetting the
permissions for the root directory on the system drive for Windows 2000:

KB327522 - MS02-064: Windows 2000 Default Permissions May Permit Trojan Horse Attack
http://support.microsoft.com/?scid=327522

--
Carrie Garth, Microsoft MVP for Windows 2000
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- c x g

: "Tom Rodman" <Use-Author-Supplied-Address-Header@[127.1]>
: Wrote in message : Sent: Saturday, September 13, 2003 9:19 AM
: <pardon me if this is a dup post>
:
: After a fresh install of w2k workstation
:
: the C: drive root directory ACL is:
:
: EVERYONE "full control" ; "this folder, subfolder, files"
:
: Goal:
:
: improve the ACLs on
:
: o the C: drive root directory ACL
:
: o the top level directories below the root diretory of C:\
:
: make the box more "multi-user" friendly, prevent
: non administrators from causing problems; prevent
: non administrators from writing in directories that are inappropriate -
: like c:\ for example
:
: First Stab:
:
: changed the C: drive root directory ACL to:
:
: Administrators "full control" ; "this folder, subfolder, files"
: EVERYONE "read execute" ; "this folder, subfolder, files"
:
: consequences noted:
:
: My test "non adminstrator" acct could still run Mozilla, Acrobat reader,
: and Gimp, but QuarkExpress silently failed to "come up" when
: invoked. The ACL change was done *after* all these apps
: were installed.
:
: Any help or "best practices" pointers would be appreciated.
: --
: regards,
: Tom Rodman
: pls run for my address:
: perl -e 'print unpack("u", "1\:6UP\,\$\!T\<F\]D\;6\%N\+F\-O\;0H\`");'
: