
Can I delete 'Authenticated Users' group from local 'Users' group

Posted by B-Christensen on January 29, 2008, 11:52 am
We just acquired a company that has a file server with 15 TByte / 20 million+
files on it. When they set up the server, they granted Read access on all
files/folders to the server's Users group. This means that, because the
Authenticated Users group is a member of the server's Users group, everyone
who is able to log on has Read access to all the data. But we have a lot of
day-to-day consultants, joint-venture workers and such, and we need to be able
to prevent them from reading and copying files.

Re-ACL-ing the file server is not an option, they use TSM
incremental-for-ever backup and changing permissions will trigger a complete
new full backup, and we simply do not have the time and equipment for that.

The idea of just deleting the Authenticated Users from the server's local
Users group came up, but is this a safe way to go on a file server?

- Bent



Posted by S. Pidgorny on January 30, 2008, 4:29 am
Yes. You can always add it back in case a serious problem arises!

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

> We just acquired a company that has a file server with 15 TByte / 20 million+
> files on it. When they set up the server, they granted Read access on all
> files/folders to the server's Users group. This means that, because the
> Authenticated Users group is a member of the server's Users group, everyone
> who is able to log on has Read access to all the data. But we have a lot of
> day-to-day consultants, joint-venture workers and such, and we need to be able
> to prevent them from reading and copying files.
>
> Re-ACL-ing the file server is not an option, they use TSM
> incremental-for-ever backup and changing permissions will trigger a complete
> new full backup, and we simply do not have the time and equipment for that.
>
> The idea of just deleting the Authenticated Users from the server's local
> Users group came up, but is this a safe way to go on a file server?
>
> - Bent



Posted by Roger Abell [MVP] on January 30, 2008, 5:14 am
As a standard practice in setting up servers I remove Interactive and
Authenticated Users (and usually Domain Users) from Users. If one
does not do so, then one has no starting place from which to define
a "white list" style access control for the server where one must
state who does have access.
The trick in removing these is that you must determine what accounts
are being covered. Examples: IIS accounts, Guest if enabled, etc.
that may need grants that exist for the Users group. Non-machine-local
accounts should be pretty clear: add the domain groups to define
who should be allowed; it is the machine-local accounts that can
be overlooked. Also, notice that in the default at-install settings
these memberships in Users do two things: provide permissions grants
(in the registry, the filesystem, etc.) and provide user rights grants,
especially the logon rights. Not all accounts must have both, so
for many servers I also remove Users from the login rights grants
and replace that with custom group(s) in order to effect tighter
control over what accounts can get an authenticated connection.

Roger

> We just acquired a company that has a file server with 15 TByte / 20 million+
> files on it. When they set up the server, they granted Read access on all
> files/folders to the server's Users group. This means that, because the
> Authenticated Users group is a member of the server's Users group, everyone
> who is able to log on has Read access to all the data. But we have a lot of
> day-to-day consultants, joint-venture workers and such, and we need to be able
> to prevent them from reading and copying files.
>
> Re-ACL-ing the file server is not an option, they use TSM
> incremental-for-ever backup and changing permissions will trigger a complete
> new full backup, and we simply do not have the time and equipment for that.
>
> The idea of just deleting the Authenticated Users from the server's local
> Users group came up, but is this a safe way to go on a file server?
>
> - Bent
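
Added example, not part of the thread or written by any of its posters: a PowerShell audit of the points the reply above says to check before the change (which accounts the implicit memberships cover, and which user rights ride on them), ending with a dry-run removal. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets and an elevated session; the temp file name is arbitrary.

```powershell
# Added example; run elevated on the file server (Windows PowerShell 5.1 or later).
# Well-known SIDs are used so the script is independent of localized names.
$usersSid = 'S-1-5-32-545'                                   # BUILTIN\Users
$implicit = [ordered]@{ 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-4' = 'INTERACTIVE' }

# 1. Current membership of the local Users group.
$members = @(Get-LocalGroupMember -SID $usersSid)
$members | Select-Object Name, ObjectClass, PrincipalSource, SID | Format-Table -AutoSize
$explicit = @($members | ForEach-Object { $_.SID.Value })

# 2. Enabled machine-local accounts that are NOT explicit members of Users.
#    They are covered only through the implicit principals and lose every
#    grant made to Users once those principals are removed.
Get-LocalUser |
    Where-Object { $_.Enabled -and ($explicit -notcontains $_.SID.Value) } |
    Select-Object Name, SID, Description | Format-Table -AutoSize

# 3. User rights (logon rights included) assigned to Users or to the implicit
#    principals directly. secedit writes SIDs as *S-1-...
$inf = Join-Path $env:TEMP 'user_rights_export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
foreach ($sid in @($usersSid) + @($implicit.Keys)) {
    $pattern = '^Se\w+\s*=.*\*' + [regex]::Escape($sid) + '\s*(,|$)'
    Select-String -Path $inf -Pattern $pattern | ForEach-Object {
        [pscustomobject]@{ Sid = $sid; Right = ($_.Line -split '=')[0].Trim() }
    }
}
Remove-Item $inf

# 4. Preview the change. Drop -WhatIf to apply it once the accounts found in
#    step 2 have been put into explicit groups.
foreach ($sid in $implicit.Keys) {
    if ($explicit -contains $sid) {
        Remove-LocalGroupMember -SID $usersSid -Member $sid -WhatIf
    }
}
# Rollback: Add-LocalGroupMember -SID $usersSid -Member 'S-1-5-11'
```

Group membership is evaluated when an access token is built, so sessions that are already open keep their old access until they reconnect.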


