
Default NTFS permissions too liberal on newly created volumes

Posted by Mike M on January 22, 2006, 9:58 pm
Windows 2003 SP1 server here...

I created a folder called "public" under the z:\ drive, shared it as
"public", and verified that all users in my department had read-only
permissions via a certain group. All seemed well until I saw legit data
folders popping up in this shared folder that was allegedly read-only save
for the admins. The user was able to create folders and files in the public
share that was supposed to be read-only!!!

Well...

It seems to me that configuring a secondary volume, named as Drive Z:,
brings liberal permissions to the root of the drive for the USERS group.
Drilling down into the advanced security settings window shows 3 separate
entries for the local-server\USERS group:

--Read & Execute, This folder, subfolders and files
--Create Folders/Append Data, This folder and subfolders
--Create Files / Write Data, Subfolders only

I looked at the other servers that we've built and all have the same
all-too-liberal permission settings for the USERS group. It seems to me
that USERS can do everything but delete files by default.

Why is Microsoft allowing the USERS group such liberal permissions by
default? It was a no-brainer to remove the EVERYONE group to tighten
things up, but this issue seems to make things more difficult to lock-down
security on file servers. Am I missing something???


TIA,
Mike




Posted by Steven L Umbach on January 22, 2006, 10:24 pm
I can't answer for Microsoft though maybe such decisions were made at a time
when the scales tipped more toward functionality than security and it was up
to users and admins to configure permissions for their needs from there but
it sounds like your users had excessive share permissions. If they only had
read share permissions they would not have been able to create folders. The
Windows 2003 Server Security Guide and the Threats and Countermeasures Guide
are free for those who want to learn how to lock down their operating
systems from baseline with guidance on legacy, enterprise, and high security
scenarios. They are available at the links below. --- Steve

http://www.microsoft.com/technet/security/default.mspx
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx




Posted by Ondrej Sevecek on January 23, 2006, 5:49 am
You are right. The disk root is secured exactly as you have found. Users only
cannot create anything directly in the root. Lower, they can create their
own folders and files, and to their own objects they have full control.

Restrict the root folder permissions either manually or by GPO.


O.







Posted by Roger Abell [MVP] on January 24, 2006, 8:07 pm
The defaults were selected for "functionality", and notice that those are
only used on partitions where the OS is NOT installed which are assumed
to be data areas for user storage.

Also, notice that the Creator Owner grant in the default settings will
let the account that added some file/folder delete it.

Do you have a more reasonable "best guess" as a one-size-fits-all set
of permissions that should be used upon defining a new non-boot
partition ?? Something had to be chosen, or else what, leave it
with no permissions and force all people to always have to set NTFS
permissions when a new partition is formatted ??

If a single storage area can be accessed over the network by means
of multiple network shares, then the one that is named/used in making
a connection is the one whose share level permissions will govern the
network accesses.

--
Roger




Posted by Mike M on January 25, 2006, 11:21 am

> Do you have a more reasonable "best guess" as a one-size-fits-all set
> of permissions that should be used upon defining a new non-boot
> partition ?? Something had to be chosen, or else what, leave it
> with no permissions and force all people to always have to set NTFS
> permissions when a new partition is formatted ??

Good point. Most of my Windows boxes are app servers running the system
drive. Putting on my file server "hat" makes me look at it from a
different point of view.

I'm so used to Linux and Netware's "additive" permissions model for file
serving, that it still takes a different way of looking at things from the
MS point of view...even after using NT for more than a decade!! :)

Thanks,
Mike
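
Added example (not part of the original thread and not code from any of the posters): a PowerShell audit of the BUILTIN\Users create/write entries described above on the volume root, with the manual restriction Ondrej suggests kept behind a switch. It assumes PowerShell is available on the server, an elevated session, and that Z:\ is the data volume; `$Apply` is a hypothetical variable introduced for this example.

```powershell
# Added example. Assumptions: elevated PowerShell session, Z:\ is the data volume.
$root     = 'Z:\'
$Apply    = $false            # hypothetical switch: set to $true to remove the grants
$usersSid = 'S-1-5-32-545'    # well-known SID of BUILTIN\Users

# CreateFiles = "Create Files / Write Data"; AppendData = "Create Folders / Append Data"
$createMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'

$acl   = Get-Acl -Path $root
# Ask for SIDs instead of names so the match does not depend on the OS language.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

# Allow ACEs for Users that carry either of the two create rights.
$risky = @($rules | Where-Object {
    $_.IdentityReference.Value -eq $usersSid -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $createMask) -ne 0)
})

# InheritanceFlags/PropagationFlags are what the GUI shows as "Apply to":
#   ContainerInherit + None        -> This folder and subfolders
#   ContainerInherit + InheritOnly -> Subfolders only
$risky | Format-Table FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited -AutoSize

if ($Apply -and $risky.Count -gt 0) {
    foreach ($ace in $risky) {
        # Removes exactly this ACE; the Users "Read & Execute" entry stays in place.
        [void]$acl.RemoveAccessRuleSpecific($ace)
    }
    Set-Acl -Path $root -AclObject $acl
}
```

Folders below the root that have inheritance blocked keep their own entries and need the same check run against them.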







