
MS05-51 Patch, and SystemDrive NTFS permissions

MS05-51 Patch, and SystemDrive NTFS permissions Jim Watts 10-17-2005
Posted by Jim Watts on October 17, 2005, 4:20 pm
Hi,
I need some help with filesystem permissions, related to the MS05-51 patch,
and the problems it has thrown up. Note, we are NOT suffering the problems,
but the information from MS conflicts.

KB909444 (http://support.microsoft.com/kb/909444) states that the MS05-51
patch might fail if permissions have been changed on the
%windir%\registration. It goes on to say:

"Make sure that the Everyone group has one of the following permissions: -
Traverse permissions ("List Folder Contents") on all parent directories,
including %systemdrive%, %windir%, and %windir%\registration"

However, our standard build procedure for Windows 2000 servers is to REMOVE
the Everyone right from the root of the system drive. This is based on the
"Microsoft Security Operations Guide for Windows 2000 Server"
(http://www.microsoft.com/downloads/details.aspx?familyid=F0B7B4EE-201A-4B40-A0D2-CDD9775AEFF8&displaylang=en),
page 63, which says that root permissions should be:

Administrators: Full control
System: Full control
Authenticated Users: Read and Execute, List Folder Contents, and Read


What's going on? Why do the two pieces of info not match, why has the patch
not destroyed my servers, and what exactly should I have set on the root of
drive C: for a secure server? While we're at it, what should I have on a
Windows 2003 server, as the 2003 version of this guide doesn't even mention
file system security in the baseline!

Many thanks, especially to any MS staff that would care to comment

Jim
--
Jim Watts,
Information Systems Services
University of Southampton





Posted by Roger Abell [MVP] on October 17, 2005, 7:48 pm
The info conflicts as they have different origins. The guidance papers
are, mostly, broadly reviewed and well thought through. KBs are often
the emission of a content specialist.
You are not having an issue, as the requirement is that accounts that should
be able to access are granted the needed access: via Authenticated Users
instead of Everyone, but given the needed permissions nonetheless.

--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
> Hi,
> I need some help with filesystem permissions, related to the MS05-51
> patch, and the problems it has thrown up. Note, we are NOT suffering the
> problems, but the information from MS conflicts.
>
> KB909444 (http://support.microsoft.com/kb/909444) states that the MS05-51
> patch might fail if permissions have been changed on the
> %windir%\registration. It goes on to say:
>
> "Make sure that the Everyone group has one of the following permissions: -
> Traverse permissions ("List Folder Contents") on all parent directories,
> including %systemdrive%, %windir%, and %windir%\registration"
>
> However, our standard build procedure for Windows 2000 servers is to
> REMOVE the Everyone right from the root of the system drive. This is based
> on the "Microsoft Security Operations Guide for Windows 2000 Server"
> (http://www.microsoft.com/downloads/details.aspx?familyid=F0B7B4EE-201A-4B40-A0D2-CDD9775AEFF8&displaylang=en),
> page 63, which says that root permissions should be:
>
> Administrators: Full control
> System: Full control
> Authenticated Users: Read and Execute, List Folder Contents, and Read
>
>
> What's going on? Why do the two pieces of info not match, why has the
> patch not destroyed my servers, and what exactly should I have set on the
> root of drive C: for a secure server? While we're at it, what should I
> have on a Windows 2003 server, as the 2003 version of this guide doesn't
> even mention file system security in the baseline!
>
> Many thanks, especially to any MS staff that would care to comment
>
> Jim
> --
> Jim Watts,
> Information Systems Services
> University of Southampton
>
>
>
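
As an added example (not part of either post, and not Microsoft's tooling), a PowerShell check of the three directories KB909444 names, reporting whether Everyone or Authenticated Users holds the traverse and list rights directly on each folder. The function name Get-TraverseGrant is hypothetical; grants made through other groups are not evaluated, and ACEs expressed as generic rights are not expanded.

```powershell
# Added example: audit the parent directories named in KB909444.
# Well-known SIDs are used so the check does not depend on the OS display language.
$principals = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}

# "List Folder Contents" in the ACL editor includes Traverse Folder and List Folder.
$needed = [int]([System.Security.AccessControl.FileSystemRights]::Traverse -bor
                [System.Security.AccessControl.FileSystemRights]::ListDirectory)

$paths = @(
    "$env:SystemDrive\",
    $env:windir,
    (Join-Path $env:windir 'registration')
)

function Get-TraverseGrant {   # hypothetical helper name
    param([string]$Path)
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($sid in $principals.Keys) {
        $allow = 0
        $deny  = 0
        foreach ($r in $rules) {
            if ($r.IdentityReference.Value -ne $sid) { continue }
            # Inherit-only ACEs apply to children, not to this folder itself.
            if ($r.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
            if ($r.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$r.FileSystemRights }
            else                                  { $deny  = $deny  -bor [int]$r.FileSystemRights }
        }
        # A Deny ACE for the same principal removes the matching allowed bits.
        $effective = $allow -band (-bnot $deny)
        [pscustomobject]@{
            Path               = $Path
            Principal          = $principals[$sid]
            HasTraverseAndList = (($effective -band $needed) -eq $needed)
        }
    }
}

$paths | ForEach-Object { Get-TraverseGrant -Path $_ } | Format-Table -AutoSize
```

On a build like the one described in the question, the expected pattern is False for Everyone and True for Authenticated Users on the system drive root.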



