Learning NTFS Permissions

Discussion in 'Windows Server 2003 / 2008 / 2012 / 2016' started by zimbo, Apr 10, 2006.

  1. ffreeloader

    ffreeloader Terabyte Poster

    Can anyone here who endorses Everyone: Allow Full Control on share permissions tell me why Windows Server 2003 is, by default, more secure than Server 2000?
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  2. zenboy

    zenboy Bit Poster

    Yeah. I forgot that you had already mentioned that earlier.
     
  3. _omni_

    _omni_ Megabyte Poster

    Server 2000 default share permissions: Everyone = Full Control
    Server 2003 default share permissions: Everyone = Read
     
    Certifications: MCSE 2003, MCSA:M
  4. zimbo
    Honorary Member

    zimbo Petabyte Poster

    Look, I don't agree, I'm just sharing and learning here... my book says one thing yet people in the real world say another... that's why I came to the conclusion it's a free choice on what they feel is secure... it's what makes a good tech show from a great tech! :biggrin I'm not even sure about 2000 server, freddy! :biggrin
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  5. ffreeloader

    ffreeloader Terabyte Poster

    Well, I wouldn't say this is the entire reason... :biggrin

    The point is MS tightened down default permissions all the way around in 2003 vs 2000. They also made it so that not every service available on a server is started by default.

    What I'm trying to show is that MS recognizes that creating shares with full control to everyone is an insecure way to go about things. If they hadn't, they would not have reduced the default permissions on shares. So, opening up share permissions so that full control is given to the Everyone group is a relaxing of default permissions, in other words a step back in overall system and network security. That's not a good thing, at least in my eyes.

    When I set up shares I never give the Everyone group full share to anything. In fact, I remove the Everyone group from most ACLs. For file permissions and share permissions in Active Directory, Domain User is the largest user group I will allow. That locks out guests, anonymous users, etc.... Depending on the file in question I will remove even the Domain User group and go with custom security groups I have created and populated.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  6. zimbo
    Honorary Member

    zimbo Petabyte Poster

    Yeah, I saw that too and it makes total sense... in fact authenticated users are apparently the best solution! :biggrin This thread turned out to be quite good! I asked about the differences between permissions and I got a whole chapter on them!

    Thanks guys! 8)
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  7. zenboy

    zenboy Bit Poster

    It's all a personal choice about how security should be set up on one's system. There are many more factors involved in security than just share and NTFS permissions, but knowing the mechanics of how share and NTFS permissions work is one important factor in the equation.
     
  8. ffreeloader

    ffreeloader Terabyte Poster

    It is a personal choice as to how security is set up, but, and it's a big but, some configurations are always more secure than others. Redundancy, layers of defense, are the hallmarks of good security design. You want an attacker to have to peel away as many layers as possible. You want to slow him down as much as possible. Giving an attacker two hurdles to jump rather than one is always a good thing....

    Also, anything that lessens individual host security makes a network more vulnerable.... There is no way around it. A network is only as secure as its most vulnerable host. Since all networks have vulnerabilities it's a matter of limiting the number of vulnerabilities by placing as many obstacles as possible in the way of an attacker.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  9. _omni_

    _omni_ Megabyte Poster

    Well, you must have a tradeoff between security and accessibility/ease of (use/management). It depends, of course, on just how high your security must be.
    But I think it (configuring individual share permissions as well as NTFS) can be a bit redundant, kind of like having two firewalls on the same connection; the external one lets in ports 25 and 80, and the internal one only port 80.
    Configuring them properly, you would do fine with just one.
     
    Certifications: MCSE 2003, MCSA:M
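
An audit for the two layers debated in this thread, as an added example that is not part of any poster's message: it lists each non-administrative share and shows what the Everyone group is allowed at the share level and on the NTFS ACL of the shared folder. It assumes the SmbShare cmdlets (Windows Server 2012 or later) and an elevated session; the report column names are made up for this example.

```powershell
# Added example: report what Everyone is allowed on each share, at both layers.
# Assumes the SmbShare module (Windows Server 2012 / Windows 8 or later), run elevated.

# Resolve the well-known SID S-1-1-0 so the match also works on non-English systems.
$sid      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$everyone = $sid.Translate([System.Security.Principal.NTAccount]).Value

$report = foreach ($share in Get-SmbShare -Special $false) {
    # Share-level entries that allow Everyone anything (Read, Change or Full).
    $shareAce = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -eq $everyone -and $_.AccessControlType -eq 'Allow' }

    # NTFS entries on the shared folder that allow Everyone anything.
    $ntfsAce = $null
    if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
        $ntfsAce = (Get-Acl -LiteralPath $share.Path).Access |
            Where-Object { $_.IdentityReference.Value -eq $everyone -and
                           $_.AccessControlType -eq 'Allow' }
    }

    [pscustomobject]@{
        Share          = $share.Name
        Path           = $share.Path
        ShareEveryone  = ($shareAce.AccessRight -join ',')
        NtfsEveryone   = ($ntfsAce.FileSystemRights -join ',')
        # True when neither layer restricts Everyone, so a single mistake exposes the data.
        BothLayersOpen = ([bool]$shareAce -and [bool]$ntfsAce)
    }
}

# Shares open at both layers sort to the top.
$report | Sort-Object BothLayersOpen -Descending | Format-Table -AutoSize
```

A share showing `Full` under ShareEveryone relies entirely on the NTFS ACL for network access control; a row with BothLayersOpen set to True has no restriction on Everyone at either layer.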
