
Removing System SID from ACLs

microsoft.public.windows.server.security
Posted by aspyrn on August 8, 2006, 2:40 pm
Hello,

I see the SYSTEM SID on some of my Windows 2003 Server ACLs. As far as
I understand the System SID, it has unlimited access to computers
anyway, so is it safe (from an OS perspective, disregarding whether
some particular 3rd party application would fail because of this) to
remove any System ACEs from my ACLs?

Thank you.


Posted by Joe Richards [MVP] on August 8, 2006, 9:45 pm
No. Don't mess with it. While it could take the permissions back when it
wanted, it doesn't assume it has to and just go and do it; the code just
isn't written that way.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


aspyrn@gmail.com wrote:
> Hello,
>
> I see the SYSTEM SID on some of my Windows 2003 Server ACLs. As far as
> I understand the System SID, it has unlimited access to computers
> anyway, so is it safe (from an OS perspective, disregarding whether
> some particular 3rd party application would fail because of this) to
> remove any System ACEs from my ACLs?
>
> Thank you.
>

Posted by Roger Abell [MVP] on August 9, 2006, 2:33 am
> Hello,
>
> I see the SYSTEM SID on some of my Windows 2003 Server ACLs. As far as
> I understand the System SID, it has unlimited access to computers
> anyway, so is it safe (from an OS perspective, disregarding whether
> some particular 3rd party application would fail because of this) to
> remove any System ACEs from my ACLs?
>
> Thank you.
>

First thought in my mind was "Why?"
It almost sounds as if you fear some remote access due to this.
I mean, why would you be concerned about the system accessing itself?
System when it goes off-box would not be recognized as "System" on
the remote box. Many places where you see System ACEs these are
basically only guarantees that the System would have Full access if the
grant to Administrators were reduced or removed. Removing System
ACE and leaving an ACE for Administrators means System still has a
grant as it is so-to-speak a hidden member of Administrators.
Add all those up and I think you may also ask "Why?", as in, is there
any real gain and at what cost?
--
Roger
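
The two replies above can be illustrated with a simplified model of a DACL access check; this is an added example, not code from any poster in the thread. The SIDs are the well-known values for SYSTEM, Administrators and Users, while the access masks, the sample DACL and the reduced token contents are constructed assumptions.

```python
# Simplified model of a Windows DACL access check (added illustration).
from dataclasses import dataclass

SYSTEM = "S-1-5-18"       # NT AUTHORITY\SYSTEM (well-known SID)
ADMINS = "S-1-5-32-544"   # BUILTIN\Administrators (well-known SID)
USERS = "S-1-5-32-545"    # BUILTIN\Users (well-known SID)
READ, WRITE, FULL = 0x1, 0x2, 0x3   # constructed toy access masks

# Assumption: token reduced to the user SID plus the Administrators group SID.
SYSTEM_TOKEN = frozenset({SYSTEM, ADMINS})

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int

def access_check(token_sids, dacl, desired):
    """Walk ACEs in order: a matching deny ACE covering a still-needed bit
    fails the check; allow ACEs clear bits; leftover bits mean denied."""
    remaining = desired
    for ace in dacl:
        if remaining == 0:
            break
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
    return remaining == 0

def without_sid(dacl, sid):
    return [ace for ace in dacl if ace.sid != sid]

# Constructed sample DACL resembling a typical system folder.
ORIGINAL = [Ace("allow", SYSTEM, FULL), Ace("allow", ADMINS, FULL),
            Ace("allow", USERS, READ)]

def scenarios():
    no_system = without_sid(ORIGINAL, SYSTEM)
    no_system_or_admins = without_sid(no_system, ADMINS)
    return {
        "original": access_check(SYSTEM_TOKEN, ORIGINAL, FULL),
        "system_ace_removed": access_check(SYSTEM_TOKEN, no_system, FULL),
        "both_removed": access_check(SYSTEM_TOKEN, no_system_or_admins, FULL),
    }

if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

With only the SYSTEM ACE removed the check still succeeds through the Administrators grant; with both grants gone the ordinary check fails, and nothing in a normal access path reaches for privileges to restore it.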


