Why does Everyone have Full Control of everything?

John Brock

I have been using my IBM ThinkCentre with Windows XP Professional
for over a year now, using the personal account created at setup.
That account belongs to the Administrators group of course, and
recently I decided to create a Limited account, for security reasons.
I started to poke around by enabling the Guest account, and was
very startled to discover that it was not really very "limited" at
all, and in fact could delete files from places where I did not
think it should be able to, such as my Mozilla program directory.

After studying Windows XP Inside Out for a while it became clear
to me that the reason for this was that the Everyone group had Full
Control of the C: drive, and by inheritance everything else (except
my personal profile). I don't think this is right! But the book
warned against tampering with permissions on the system drive, and
directed me to Knowledge Base article Q244600, which has a long
list of default NTFS permissions for Windows 2000.

I am nervous about trying to reset all the folder permissions by
hand though (especially with settings from Windows 2000), and even
if I did who knows what else is amiss. Beyond that, I would really
like to know what is going on. The book noted that Full Control
by Everyone is what you get when you convert a partition to NTFS,
but this was a new machine with XP SP1 preloaded.

So basically I have two questions:

1) Does anyone have any idea why my machine is this way?

2) Is there anything I can do -- perhaps use some security template
or something -- to restore the normal XP permissions.
 
Morituri-|-Max

John said:
1) Does anyone have any idea why my machine is this way?

2) Is there anything I can do -- perhaps use some security template
or something -- to restore the normal XP permissions.

I noticed something similarly disturbing.. if I create multiple user accounts on
the computer and log in as one of the others and try to remove things from the
start bar that I don't want them to see, it deletes them from my master account
start bar as well.. I really would like them to be totally separate from each
other but over the months I have never gotten a good answer for how to keep one
start bar from mirroring changes on another start bar..

Arg

Hope the answers to you give me some clue... I have to say it's not a very
secure way to do start bars..

Seeya
 
Bryce Alan Katz

Depends on which Start Menu you're editing. The XP start menu is actually
located in two places. C:\Documents and Settings\All Users\Start Menu
contains the shortcuts available to all users. C:\Documents and
Settings\%username%\Start Menu holds the user-specific shortcuts. These two
folder trees are squished together at logon to determine what shortcuts
appear on your start menu.

Essentially you're not editing the Master Account's start menu. You're
editing the All Users start menu. Use the All Users directory tree to set
options you want available to, well, all users. Office apps are a good
choice to put here, for example. Remove any and all shortcuts from All Users
that you wish to restrict. Place these shortcuts only in the user profiles
which require access. This is typically done via group policy in a domain
environment. In a workgroup setup you'll be forced into some administrivia.
 
George Hester

1) Does anyone have any idea why my machine is this way? - yes that is the default.

2) Is there anything I can do -- perhaps use some security template or something -- to restore the normal XP permissions. - That is normal.

Every folder in Windows XP does NOT inherit the permissions from the root. There is really no reason to be
afraid of these permissions. If you remove the Everyone group then you need to make sure those that are in
Everyone Group and necessary (like System) are kept or you could disable your system for good. Leave the
permissions alone on the root. It is always safe to increase those with permissions but if you remove permissions
then you stand a good chance of having issues.
 
John Brock

yes that is the default.

It can't be the default; otherwise any user -- even Guest -- can trash
the entire system. What kind of security is that?
That is normal.

Every folder in Windows XP does NOT inherit the permissions from the root. There is really no reason to be
afraid of these permissions. If you remove the Everyone group then you need to make sure those that are in
Everyone Group and necessary (like System) are kept or you could disable your system for good. Leave the
permissions alone on the root. It is always safe to increase those with permissions but if you remove permissions
then you stand a good chance of having issues.

On *my* XP system every folder -- other than user profiles -- *does*
inherit its permissions from the root, and all these folders belong
to Everyone. That's why I think there is something wrong with my
system, and why I am asking questions here. It's pretty clear from
the Q244600 document that this isn't the way things should be, and
in fact I found a different link:

http://support.microsoft.com/default.aspx?scid=kb;en-us;327522

which lists the default root permissions for Windows XP (look
beneath "WORKAROUND") and refers to them as "thoroughly designed
and tested". I haven't found a complete list of all Windows XP
permissions though, just the Windows 2000. Does anyone know where
I can find a complete list?
 
George Hester

You are wrong. It is the default. You are also wrong in thinking Everyone means EVERYONE. It doesn't. It
means all the people and others in your profiles on the machine. The only user you have to be concerned with is
IUSR_MachineName which you may not even have.

You are also wrong that all folders but those in Documents and Settings inherit the permissions from the root.
Look at C:\Program Files\Common Files; also look at C:\Windows\Installer. These are just a few; you have many
more.

I don't mean to sound like a bully. I'm just pointing out that Everyone permissions on the root do not inherit
through the entire file system. And Microsoft has done what is sufficient. Security as we know it now does not
put you at risk by permissions issues. Security flaws are not permissions based; they are buffer overruns, things like
that, where no matter what your permissions are you'd still be at risk. Do not mess with your permissions; we bail
people out every day who get scared, remove permissions, and instead of having a computer they have a bunch of
metal.
 
John Brock

Excuse me George, but are you even bothering to read what I wrote?
On *MY* XP Pro system at home all files and folders *DO* inherit
from root, and the Everyone group *DOES* have Full control of
*EVERYTHING*. That is why I think I have a *PROBLEM*! I just
looked at the XP system I use at work, and the permissions are set
very differently, and much more sensibly. For example at work
various permissions on C:\Program Files\Common Files -- your example
-- are granted to Administrators, CREATOR OWNER, Power Users,
SYSTEM, and Users. At home, on the same folder, Full Control is
granted to Everyone, and that's it. So what are the permissions
for that folder on *your* system? My root at work has permissions
similar to the link I gave you below (did you even look at it?).
My root at home has Full Control granted to Everyone. How can this
be a sensible default?

Please, is there anyone here (who knows what they are talking about)
who can give me some idea about what is going on?

My current best guess is that, since most of IBM's customers are
corporations, perhaps they ship their PC with the expectation that
corporate sysadmins will do something drastic to the security setup
anyway, so they don't bother shipping XP with the normal defaults.
In fact I have a *very* vague recollection that when I first turned
on my PC I was asked whether I wanted my drive formatted as NTFS,
which of course I did, although I thought the question odd. Perhaps
IBM assumed that someone, for some reason, might want XP on FAT32,
so they shipped it that way, reasoning that you can always convert
FAT32 to NTFS but not the reverse, and that anyone who wanted NTFS
would do the conversion (which *would* leave Everyone with Full
Control of everything, just like on my system), and then the
sysadmins would simply apply one of the security templates (not so
simple for me though, although I suspect I am going to have to
learn) to produce a normally secure system. As I said though, this
is just a wild guess. Anyone have any better ideas?
 
George Hester

You say you have Everyone full permissions throughout your File System. OK I'll take your word for it. That is not the default and I don't think you're going to find anyone that knows how to put your NTFS permissions everywhere back to the default. Believe me if someone knew they'd be on me faster than you can say, "Bye." You need to reinstall. That's the only sure-fire way.
 
cquirke (MVP Win9x)

On *MY* XP Pro system at home all files and folders *DO* inherit
from root, and the Everyone group *DOES* have Full control of
*EVERYTHING*. That is why I think I have a *PROBLEM*! I just
looked the XP system I use at work, and the permissions are set
very differently, and much more sensibly.

My guess would be that the PC was set up as FATxx originally, and
later converted to NTFS. Three problems may then arise:

1) Something interrupts the conversion and all is porridge
2) The system is really slow because you now have 512 byte clusters
3) There are no existing permissions, so everyone can do everything

Case (3) applies to your case, perhaps? When XP is installed, it can
set permissions if the file system is NTFS at the time, else not. If
not, then a subsequent conversion to NTFS has nothing to go on.
 
John Brock

On 6 Dec 2004 12:10:51 -0500, (e-mail address removed) (John Brock) wrote:
My guess would be that the PC was set up as FATxx originally, and
later converted to NTFS. Three problems may then arise:

1) Something interrupts the conversion and all is porridge
2) The system is really slow because you now have 512 byte clusters
3) There are no existing permissions, so everyone can do everything

Case (3) applies to your case, perhaps? When XP is installed, it can
set permissions if the file system is NTFS at the time, else not. If
not, then a subsequent conversion to NTFS has nothing to go on.

Case (3) was my guess as well, and if you've heard of such a thing
happening then maybe my guess wasn't so wild after all, and that
is helpful to know. So is this sort of setup common with new PCs?
When I have the time I am going to go to the IBM PC forum and ask
about this issue. (Although if the sale goes through maybe I'll
need to ask in Chinese. :) I have to say I am kind of pissed
off at the idea that IBM would make my life difficult like this!

So do you know if there is a simple way to reset permissions to
the proper default? I suspect that there may be a security template
which does this, but I haven't done the research yet. Also, can
I assume if case (3) is the case then I shouldn't have any
non-filesystem security issues? I've already checked, and my Guest
account can *not* do things like toggle SFS on and off, which is
as it should be. Can I assume that permissions for things like
writing to the Registry are still assigned to their proper groups?

And what about case (2)? I have no idea if my machine is as fast
as it should be -- all I know is it's faster than my old one. So
how do I tell if I have 512 byte clusters, and how big should my
clusters be?
 
David Candy

Volumes converted from FAT to NTFS lack some performance benefits compared to volumes initially formatted with NTFS. On converted volumes, the MFT might become fragmented. In addition, on converted boot volumes, NTFS permissions are not applied after the volume is converted.
 
David Candy

Default security (Setup security.inf)
Setup security.inf is a computer-specific template that represents the default security settings that are applied during installation of the operating system, including the file permissions for the root of the system drive. You can use this template, or portions of it can be used for disaster recovery purposes. Setup security.inf should never be applied using Group Policy.
 
cquirke (MVP Win9x)

Case (3) was my guess as well, and if you've heard of such a thing
happening then maybe my guess wasn't so wild after all, and that
is helpful to know. So is this sort of setup common with new PCs?

Probably - my advice would be to insist on a custom-installable OS CD
at current SP level, and then I'd re-do the setup from scratch if it
wasn't to my liking. I'm usually in the consumer situation where I'd
rather get my stuff back, than destroy it to prevent others from
accessing it, so I choose FATxx maintainability over NTFS security.

IBM, Compaq, Dell etc. are in the cookie-cutter business. They use an
OS that's not only locked into their hardware, but also the way they
choose to set up the PC. Often your only "maintenance" option is to
wipe everything and rebuild the same installation.

Typically, they set up one reference HD, and image that onto what they
ship. Smaller OEMs and in-house sysadmins may run a canned process to
create the reference installation on each PC; small shops may run the
normal install process, though perhaps using a response file.

The "canned process" I refer to is SysPrep, and in older versions of
NT, that had to start with FAT and then convert to NTFS if desired.
You can still do that, or you can reserve space if needed, and start
off as NTFS. The interactive installation process will force NTFS if
blank HD > 32G, but if you start by defining your partitions and
formatting your volumes, it will respect that.

You can convert from FATxx to NTFS, but not from NTFS back to FATxx,
and for that reason alone I'd rather see FATxx than NTFS. But if NTFS
is what you want, and particularly if security is why, you'd do better
to redo a blank FATxx system as NTFS rather than convert.


On (2): BING will align partitions and volumes so that later
conversion to NTFS will not spawn 512-byte clusters. When creating
FATxx volumes, say Yes when it asks "are you intending to convert to
NTFS?" even if you aren't; then the alignment is NTFS-friendly.
So do you know if there is a simple way to reset permissions to
the proper default?

Fine-grain control is fine-grain control... it could be like
hand-painting the Windows wallpaper, one pixel at a time :)
I assume if case (3) is the case then I shouldn't have any
non-filesystem security issues? I've already checked, and my Guest
account can *not* do things like toggle SFS on and off, which is
as it should be. Can I assume that permissions for things like
writing to the Registry are still assigned to their proper groups?

<bart> Maybe </bart>

I don't do much security as such, in the sense of "is Fred really
Fred" or "if Julie spends time on IM, will I be able to catch her out
by watching the logs?". I'm more interested in safety, e.g. "if
there's not a single entity on the planet that I'd want fiddling with
my PC over any sort of network, why would I want my PC to wave hidden
admin shares and RPC services at them to play with?"

So I'm more of a chainsaw guy, rather than a toenail painter ;-)
And what about case (2)? I have no idea if my machine is as fast
as it should be -- all I know is it's faster than my old one. So
how do I tell if I have 512 byte clusters, and how big should my
clusters be?

You'd want (and generally get) 4k clusters for C:, and chances are you
are stuck with one big C: - to see the cluster size, you can see what
Admin Tools, Storage says, or rt-click on C:, and Properties may tell
you, or you can create a new 1-byte file and see what free space
shrinks by... not in front of XP, so can't test what works.


--------------- ----- ---- --- -- - - -
The memes will inherit the Earth
 
John Brock

Default security (Setup security.inf)
Setup security.inf is a computer-specific template that represents the default security settings that are applied during installation of the operating system, including the file permissions for the root of the system drive. You can use this template, or portions of it can be used for disaster recovery purposes. Setup security.inf should never be applied using Group Policy.

Yes, Chapter 37 of Windows XP Inside Out mentions Setup Security.inf,
which is why I mentioned security templates several times in my
queries; I was hoping someone else would mention it and tell me
this is the standard solution to my problem. It does look like my
best hope, although now that I look at the book again I see it also
mentions a Defltwk.inf template, which may be even better. Knowledge
base article Q266118 talks about how to use this template with
Windows 2000. (Once again, as with article Q244600, there seems
to be no corresponding XP article. What's up with that? XP has
been out for, like, how many years now?). I'm going to have to
spend a little more time studying before I have the nerve to start
playing with security templates, but this looks like my next move.
Thanks!

BTW, do you have any idea *why* you shouldn't use Group Policy to
apply Setup Security.inf? The Microsoft doc page you quoted doesn't
say, but I'm sure it would be obvious if I had a better idea of
what Group Policy is supposed to do.

Hmmm..., now that I have some idea what the problem is my web
searches are becoming more productive. KB article Q237399, "The
Default NTFS Permissions Are Not Applied to a Converted Boot
Partition", seems to cover my situation (although it makes applying
Setup Security.inf look kind of dangerous). And even Q244600,
which I thought I had already read thoroughly, spells it out at
the bottom of the page:

NOTE: These permissions do not apply to a drive that is
converted to NTFS using the Convert utility. A converted
NTFS drive consists of all files and folders with Everyone--Full
Control as the default permission.

Anyway, it looks like I have enough to work with. But I'm still
miffed at IBM for complicating my life like this.
 
Jim Carlock

David,

I thought installing onto a new system ALWAYS installed into
a FAT32 folder. And during the installation, if you selected to
convert it to NTFS it would be converted at the end of the
installation.

Maybe what I'm referring to only happens on Win2K and NT4.

And where did you get the idea that an NTFS converted file
system is lacking when installed as FAT32 first? NTFS is NTFS
regardless, right? Can you provide a link to some reference
which documents this?

Also, to everyone out there, there is a virus called the Nimda
virus which sets permissions for the Everyone group to have
full control to the hard drive. John Brock might want to
consider running an antivirus software to analyze the full hard
disk drive.

Symantec offers a tool to specifically analyze for Nimda.
There are at least two versions of nimda, maybe more.

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

Hope that helps.

If anyone knows of a link at Microsoft which might define
which permissions are to be set up where, and a simple way
to set everything, perhaps you can provide a link.

--
Jim Carlock
Post replies to newsgroup.

"David Candy" <.> wrote:
Volumes converted from FAT to NTFS lack some performance benefits
compared to volumes initially formatted with NTFS. On converted volumes, the
MFT might become fragmented. In addition, on converted boot volumes, NTFS
permissions are not applied after the volume is converted.
 
David Candy

Everything there comes from XP's help file.

OEM can format Fat32 then convert. This converts it cleanly formatted because they formatted with oformat.exe which reserves space for the MFT and makes sure to format correctly re alignment. But they don't have to format fat32 then convert, they can if they want (many OEM tools only worked on Fat drives).

Anything else the drive is formatted first, whichever, then the files install.

You have to buy 5 copies of XP OEM to get oformat.
--
----------------------------------------------------------
http://www.uscricket.com
 
cquirke (MVP Win9x)

On Wed, 8 Dec 2004 22:34:22 -0500, "Jim Carlock"
I thought installing onto a new system ALWAYS installed into
a FAT32 folder. And during the installation, if you selected to
convert it to NTFS it would be converted at the end of the
installation.
Maybe what I'm referring to only happens on Win2K and NT4.

That was the norm, and I know it's fixed in XP; dunno if all SP levels
of Win2000 are not OK there.
And where did you get the idea that an NTFS converted file
system is lacking when installed as FAT32 first? NTFS is NTFS
regardless, right? Can you provide a link to some reference
which documents this?

As posted earlier, there are two issues:

1) Cluster size may become 512 bytes

This is well known and documented; Alex Nichol wrote it up somewhere,
probably www.aumha.org and BING has a feature that is specific to this
problem (the "do you plan on converting to NTFS?" dialog that pops up
whenever you create a FATxx volume in BING).

It goes about the way the FATxx volume (or perhaps the cluster space
within this) is aligned. If the alignment is unfavorable, the NTFS
conversion process can't get the usual multi-sector clusters properly
aligned, and falls back to 1-sector clusters to ensure addressability.

2) File permissions

Yes, NTFS is NTFS, including the ability to manage access permissions
on a per-file basis. But the initial permissions that are applied
when the OS installs cannot be retained by FATxx, and by the time the
installation is converted to NTFS, it may be incorrect to assume the
same permissions should be in effect.

In any case, the NTFS conversion process makes no attempt to impose
OS-installation-time permissions, and leaves them all open. There's
no problem in applying these permissions - the converted NTFS will
retain them - but figuring which should be what (as well as simply
dealing with the number of files involved) is heavy going.

Once again, this is documented, tho I dunno the URLs.
Also, to everyone out there, there is a virus called the Nimda
virus which sets permissions for the Everyone group to have
full control to the hard drive. John Brock might want to
consider running an antivirus software to analyze the full hard
disk drive.

It's always a good idea to formally scan the PC, and the last
opportunity to do so may have been before the conversion to NTFS. If
Nimda were already resident, it could well nuke any attempts to apply
permissions, whether by NTFS conversion or other subsequent methods.


------------ ----- ---- --- -- - - - -
The most accurate diagnostic instrument
in medicine is the Retrospectoscope
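
A read-only check for the two conversion side effects described above (512-byte clusters and Everyone with Full Control), as an added example that is not part of the original thread. It assumes Windows PowerShell 5.1 or later (newer than the XP-era systems discussed), an elevated prompt, and English `fsutil` output; the `$Drive` and `$MaxDepth` parameters are illustrative.

```powershell
# Added example, not from the thread. Reads ACLs and volume info only;
# it changes nothing on disk.
param(
    [string]$Drive    = 'C:',   # volume to check (assumption)
    [int]   $MaxDepth = 2       # folder levels to walk below the root (assumption)
)

$EveryoneSid = 'S-1-1-0'        # well-known SID for Everyone, locale independent
$FullControl = 0x1F01FF         # FileSystemRights.FullControl bit mask
$GenericAll  = 0x10000000       # GENERIC_ALL, as stored in some inherit-only ACEs

# Returns the NTFS cluster size in bytes, parsed from fsutil's report.
function Get-ClusterSize {
    param([string]$Volume)
    $line = fsutil fsinfo ntfsinfo $Volume |
        Select-String 'Bytes Per Cluster\s*:\s*(\d+)'
    if ($line) { [int]$line.Matches[0].Groups[1].Value }
}

# Emits one object per Allow ACE that gives Everyone Full Control on $Path.
function Get-EveryoneFullControl {
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        return                  # ACL not readable from this account; skip
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $rights = [int]$ace.FileSystemRights
        $isFull = (($rights -band $FullControl) -eq $FullControl) -or
                  (($rights -band $GenericAll) -ne 0)
        if ($ace.IdentityReference.Value -eq $EveryoneSid -and
            $ace.AccessControlType -eq 'Allow' -and $isFull) {
            [pscustomobject]@{ Path = $Path; Inherited = $ace.IsInherited }
        }
    }
}

# Symptom 1: 512-byte clusters after a badly aligned conversion.
$cluster = Get-ClusterSize $Drive
'{0} cluster size: {1} bytes' -f $Drive, $cluster
if ($cluster -eq 512) {
    '  512-byte clusters: consistent with a misaligned FAT-to-NTFS conversion'
}

# Symptom 2: Everyone with Full Control on the root and inherited below it.
$dirs = @("$Drive\") + @(
    Get-ChildItem -LiteralPath "$Drive\" -Directory -Recurse -Depth $MaxDepth `
        -Force -ErrorAction SilentlyContinue | ForEach-Object FullName
)
$hits = @($dirs | ForEach-Object { Get-EveryoneFullControl $_ })
$hits | Sort-Object Path | Format-Table -AutoSize

$flagged = @($hits | Select-Object -ExpandProperty Path -Unique).Count
'{0} of {1} folders grant Everyone Full Control' -f $flagged, $dirs.Count
```

A normally installed volume should report few or no hits outside deliberately shared locations, while a converted boot volume of the kind described in this thread would flag nearly every folder, mostly with `Inherited` set to `True`.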
 
Alex Nichol

David said:
OEM can format Fat32 then convert. This converts it cleanly formatted because they formatted with oformat.exe which reserves space for the MFT and makes sure to format correctly re alignment. But they don't have to format fat32 then convert, they can if they want (many OEM tools only worked on Fat drives).

And you have to watch it. I bought a Toshiba Tablet a year ago. It was
FAT 32 with a batch file to do the conversion. After running that I was
astonished to find 512 byte clusters. On swearing and running their
restore to start over (and do it myself with a BING alignment) I was
double astonished to find that they start off by running Win98 FDISK and
Format!
 
