Click here to get back home

Allow ONLY "Administrator" and "System" groups full control to C:\
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Allow ONLY "Administrator" and "System" groups full control to C:\ Ed Flecko 02-15-2006
Posted by Ed Flecko on February 15, 2006, 4:51 pm
Please log in for more thread options
 Hi folks,
I'm setting up a new Server 2003-R2 server. I have added the Administrators
and System groups full control of the C:\ drive, and removed everyone else. I
see, by default, the C:\ drive has a few other directories and
subdirectories, i.e., "Windows", "Program Files", etc.

Since I'm setting this server up from scratch, in an effort to be as secure
as possible, is there's anything wrong with selecting the little check box
"Replace permission entries on all child objects with entries shown here that
apply to child objects." I know this will reset all pemissions from the root
of C:\ down through all directories, I'm just wondering if I can expect
headaches or if this might be smart to do? I think it sounds like a smart
idea.

Comments? Suggestions?

Thank you,
Ed

Posted by AllenM on February 15, 2006, 5:06 pm
Please log in for more thread options
 Well you will accomplish what you're trying to do and that is it will be
secured. However no one will be able to use it other than the Administrator.
Not a good idea. Leave the root permissions alone and apply your NTFS
permissions at the folder level.


> Hi folks,
> I'm setting up a new Server 2003-R2 server. I have added the
> Administrators
> and System groups full control of the C:\ drive, and removed everyone
> else. I
> see, by default, the C:\ drive has a few other directories and
> subdirectories, i.e., "Windows", "Program Files", etc.
>
> Since I'm setting this server up from scratch, in an effort to be as
> secure
> as possible, is there's anything wrong with selecting the little check box
> "Replace permission entries on all child objects with entries shown here
> that
> apply to child objects." I know this will reset all pemissions from the
> root
> of C:\ down through all directories, I'm just wondering if I can expect
> headaches or if this might be smart to do? I think it sounds like a smart
> idea.
>
> Comments? Suggestions?
>
> Thank you,
> Ed



Posted by Ed Flecko on February 15, 2006, 5:26 pm
Please log in for more thread options
Hi Allen,
Thanks for your input. :-)

Forgive me; I'm not trying to sound flippant. What's wrong with doing this?
When you say "it's not a godd idea"...why not? Do you think I will encounter
some form of difficulties?

I'm, of course, just "thinking out loud", but I can't see why anyone other
than these two groups would need ANY access (even read permissions) to the
default directories and their subdirectories.

Ed

"AllenM" wrote:

> Well you will accomplish what you're trying to do and that is it will be
> secured. However no one will be able to use it other than the Administrator.
> Not a good idea. Leave the root permissions alone and apply your NTFS
> permissions at the folder level.
>
>
> > Hi folks,
> > I'm setting up a new Server 2003-R2 server. I have added the
> > Administrators
> > and System groups full control of the C:\ drive, and removed everyone
> > else. I
> > see, by default, the C:\ drive has a few other directories and
> > subdirectories, i.e., "Windows", "Program Files", etc.
> >
> > Since I'm setting this server up from scratch, in an effort to be as
> > secure
> > as possible, is there's anything wrong with selecting the little check box
> > "Replace permission entries on all child objects with entries shown here
> > that
> > apply to child objects." I know this will reset all pemissions from the
> > root
> > of C:\ down through all directories, I'm just wondering if I can expect
> > headaches or if this might be smart to do? I think it sounds like a smart
> > idea.
> >
> > Comments? Suggestions?
> >
> > Thank you,
> > Ed
>
>
>

Posted by AllenM on February 15, 2006, 5:47 pm
Please log in for more thread options
Before I can tell you what is wrong with it in detail tell me what you plan
on using this server for?

> Hi Allen,
> Thanks for your input. :-)
>
> Forgive me; I'm not trying to sound flippant. What's wrong with doing
> this?
> When you say "it's not a godd idea"...why not? Do you think I will
> encounter
> some form of difficulties?
>
> I'm, of course, just "thinking out loud", but I can't see why anyone other
> than these two groups would need ANY access (even read permissions) to the
> default directories and their subdirectories.
>
> Ed
>
> "AllenM" wrote:
>
>> Well you will accomplish what you're trying to do and that is it will be
>> secured. However no one will be able to use it other than the
>> Administrator.
>> Not a good idea. Leave the root permissions alone and apply your NTFS
>> permissions at the folder level.
>>
>>
>> > Hi folks,
>> > I'm setting up a new Server 2003-R2 server. I have added the
>> > Administrators
>> > and System groups full control of the C:\ drive, and removed everyone
>> > else. I
>> > see, by default, the C:\ drive has a few other directories and
>> > subdirectories, i.e., "Windows", "Program Files", etc.
>> >
>> > Since I'm setting this server up from scratch, in an effort to be as
>> > secure
>> > as possible, is there's anything wrong with selecting the little check
>> > box
>> > "Replace permission entries on all child objects with entries shown
>> > here
>> > that
>> > apply to child objects." I know this will reset all pemissions from the
>> > root
>> > of C:\ down through all directories, I'm just wondering if I can expect
>> > headaches or if this might be smart to do? I think it sounds like a
>> > smart
>> > idea.
>> >
>> > Comments? Suggestions?
>> >
>> > Thank you,
>> > Ed
>>
>>
>>



Posted by Ed Flecko on February 15, 2006, 6:06 pm
Please log in for more thread options
Hi Allen,
O.K. We're a small company with about 50 end users. I run a single domain
model with 3 sites and all 3 sites will are connected via T-1 lines. All
sites have their own server(s). All 3 servers will be "primarily" DNS servers
for their sites and will all be DFS relication partners. THIS particular
server will also host and maintain our corporate anti-virus console, and be a
file server for a few odds and ends applications.

I hope that helps.

Ed

"AllenM" wrote:

> Before I can tell you what is wrong with it in detail tell me what you plan
> on using this server for?
>
> > Hi Allen,
> > Thanks for your input. :-)
> >
> > Forgive me; I'm not trying to sound flippant. What's wrong with doing
> > this?
> > When you say "it's not a godd idea"...why not? Do you think I will
> > encounter
> > some form of difficulties?
> >
> > I'm, of course, just "thinking out loud", but I can't see why anyone other
> > than these two groups would need ANY access (even read permissions) to the
> > default directories and their subdirectories.
> >
> > Ed
> >
> > "AllenM" wrote:
> >
> >> Well you will accomplish what you're trying to do and that is it will be
> >> secured. However no one will be able to use it other than the
> >> Administrator.
> >> Not a good idea. Leave the root permissions alone and apply your NTFS
> >> permissions at the folder level.
> >>
> >>
> >> > Hi folks,
> >> > I'm setting up a new Server 2003-R2 server. I have added the
> >> > Administrators
> >> > and System groups full control of the C:\ drive, and removed everyone
> >> > else. I
> >> > see, by default, the C:\ drive has a few other directories and
> >> > subdirectories, i.e., "Windows", "Program Files", etc.
> >> >
> >> > Since I'm setting this server up from scratch, in an effort to be as
> >> > secure
> >> > as possible, is there's anything wrong with selecting the little check
> >> > box
> >> > "Replace permission entries on all child objects with entries shown
> >> > here
> >> > that
> >> > apply to child objects." I know this will reset all pemissions from the
> >> > root
> >> > of C:\ down through all directories, I'm just wondering if I can expect
> >> > headaches or if this might be smart to do? I think it sounds like a
> >> > smart
> >> > idea.
> >> >
> >> > Comments? Suggestions?
> >> >
> >> > Thank you,
> >> > Ed
> >>
> >>
> >>
>
>
>

Similar ThreadsPosted
Main Administrator account doesn't have Administrator groups right March 1, 2006, 2:35 pm
remove users from Administrator groups ? What should I know ? September 3, 2008, 10:48 am
RDP : restrict administrator to access system without my permission through rdp June 15, 2006, 6:49 am
The system administrator has set policies to prevent this installa July 23, 2006, 3:55 pm
Nesting domain groups under local groups March 18, 2007, 3:56 am
OpenRowset : DSN : file-system permissions : Local System March 14, 2008, 10:23 am
disk full June 11, 2007, 5:22 am
Security Log file full often December 22, 2005, 12:01 pm
Create a domain account with full access to all files and folders? October 24, 2006, 11:03 am
Trusted NT domain users have full access to 2K3 server shares January 23, 2007, 6:51 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap