This article is from the Windows NT Security FAQ, by Christopher Klaus cklaus@iss.net with numerous contributions by others.
To really lock NT down hard, set the root directory to full access for
administrators and system, and list access for users (not Everyone). Let that
propagate all the way down the tree. Loosen things up as need be; the point
of starting this way is that any new directory that gets created will have
those permissions.
Make sure the print spool directory has full access to creator\owner (see
the NT Resource Kit, 3.51 Update 1 (also known as vol 5)).
Go through (using cacls, or the search facility of either File Manager or
Explorer) and set the permissions on all of the executables and DLLs to
full access for admins (or, if people normally work on that machine under
admin status, remove write permission for admins), and list-only
(read-execute) permissions for users.
Note that it is now difficult for users to install any software. This could
be good or bad, depending on what you want to do. Make a list of common DLLs
that are updated often and give users delete permission.
Now apply the "smoke test" - log in as a user, and see what is broken. Some
programs insist on being able to write to an .ini file in the system tree -
if users can't write to (or create) these files, these programs will fail.
Change the permissions as need be.
Be careful: it is possible to end up in a state where non-admins either
can't log in successfully or get a desktop that is completely blank.
If users are allowed to store files locally, make sure that they have full
rights to their own directories. Note that under NT 4.0, a user's desktop
profile and numerous other things are stored under the system tree. Look
in %systemroot%\profiles and make sure each user has full rights to their
own subdirectory: admin, system, and that user should have full access.
It is a good idea to loosen up the temp directory - a good thing is to give
users list access, but creator\owner full access. There may be other
directories that need work, depending on what apps are installed, and
whether they have any notion of multiple users - one example would be the
cache directory for a web browser.
Since people have a lot of different needs, there is no single answer - it
depends on the environment.
As to user rights, go through and make sure Guest is not only disabled, but
that it has no rights to anything.
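
The directory steps above, sketched as a cacls batch file. This is an added example, not part of the original FAQ. It assumes the system drive is C:, the built-in groups are named Administrators and Users, the spool and temp directories are at the paths shown, and "jdoe" is a hypothetical local user whose profile directory has the same name; cacls only offers R, C and F, so R stands in for the list/read-execute access described in the text.

```bat
@echo off
rem Added example: paths, group names and the user "jdoe" are assumptions.
rem Run as an administrator on a test machine first, then do the smoke test.
setlocal
set SPOOL=%systemroot%\system32\spool\printers
set TEMPDIR=C:\TEMP
set LOCALUSER=jdoe

rem 1. Root and everything below it. Without /E, cacls REPLACES the ACL,
rem    which is what drops Everyone. /T recurses, /C continues past errors.
rem    "echo y|" answers the confirmation prompt shown when replacing an ACL.
echo y| cacls C:\ /T /C /G Administrators:F SYSTEM:F Users:R

rem 2. Step 1 also reset the directories that need looser ACLs, so restore
rem    them. /E edits the existing ACL instead of replacing it.
cacls "%SPOOL%" /E /G "CREATOR OWNER":F
cacls "%TEMPDIR%" /E /G "CREATOR OWNER":F

rem 3. The user's profile: admin, system and that user get full access.
echo y| cacls "%systemroot%\profiles\%LOCALUSER%" /T /C /G Administrators:F SYSTEM:F %LOCALUSER%:F

rem 4. Print the resulting ACLs so they can be checked before the smoke test.
cacls C:\
cacls "%SPOOL%"
cacls "%TEMPDIR%"
cacls "%systemroot%\profiles\%LOCALUSER%"
endlocal
```

Repeat step 3 for each local user, and add further /E grants for any application directories the smoke test shows to be broken.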
 