Can I delete 'Authenticated Users' group from local 'Users' group

Discussion in 'Server Security' started by B-Christensen, Jan 29, 2008.

  1. We just acquired a company who has a file server with 15 TByte / 20 million+
    files on it. When they set up the server, they granted Read access on all
    files/folders to the server's Users group. This means that, because the
    Authenticated Users group is a member of the server's Users group, everyone
    who is able to log on has Read access to all the data. But we have a lot of
    day-to-day consultants, joint-venture workers and such, and we need to be able
    to prevent them from reading and copying files.

    Re-ACL-ing the file server is not an option, they use TSM
    incremental-for-ever backup and changing permissions will trigger a complete
    new full backup, and we simply do not have the time and equipment for that.

    The idea of just deleting the Authenticated Users from the server's local
    Users group came up, but is this a safe way to go on a file server?

    - Bent
    B-Christensen, Jan 29, 2008

  2. S. Pidgorny (Guest), replying to B-Christensen:

    Yes. You can always add it back in case a serious problem arises!
    S. Pidgorny, Jan 30, 2008

  3. As a standard practice in setting up servers I remove Interactive and
    Authenticated Users (and usually Domain Users) from Users. If one
    does not do so, then one has no starting place from which to define
    a "white list" style access control for the server where one must
    state who does have access.
    The trick in removing these is that you must determine what accounts
    are being covered. Examples: IIS accounts, Guest if enabled, etc.
    that may need grants that exist for Users group. Non-machine-local
    accounts should be pretty clear, add the domain groups to define
    who should be allowed; it is the machine local accounts that can
    be overlooked. Also, notice that in the default at install settings
    these memberships in Users do two things, provide permissions grants
    (in the registry, the filesystem, etc.) and provide user rights grants
    especially the logon rights. Not all accounts must have both, so
    for many servers I also remove Users from the login rights grants
    and replace that with custom group(s) in order to effect tighter
    control over what accounts can get an authenticated connection.

    Roger Abell [MVP], Jan 30, 2008
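    A check worth running before acting on either answer above: enumerate who is
    actually covered by the local Users group, which logon rights Users currently
    carries, and which local accounts are in Users only through a broad principal,
    then preview the removal. This is an added example, not code posted in the
    thread. It assumes Windows PowerShell 5.1 with the
    Microsoft.PowerShell.LocalAccounts cmdlets (Windows Server 2016 or later) and
    an elevated session; on the 2008-era servers discussed here the equivalent
    listing is `net localgroup Users`. The well-known SIDs used (S-1-5-11
    Authenticated Users, S-1-5-4 INTERACTIVE, RID 513 Domain Users, S-1-5-32-545
    BUILTIN\Users) are standard Windows values.

```powershell
# Added example (not from the thread): audit what local Users grants before
# removing broad principals from it. Assumes PowerShell 5.1+, Server 2016+,
# elevated session. Review the output, then drop -WhatIf in step 4.

# Well-known SIDs of the broad principals named in the thread.
$BroadPrincipals = @{
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-4'  = 'INTERACTIVE'
}
$DomainUsersRid = '-513'          # Domain Users is RID 513 in every domain
$BuiltinUsersSid = 'S-1-5-32-545' # BUILTIN\Users

# 1. Who is in local Users, and which members are broad principals?
$members = Get-LocalGroupMember -Group 'Users'
'--- Members of BUILTIN\Users ---'
foreach ($m in $members) {
    $sid = $m.SID.Value
    $flag = if ($BroadPrincipals.ContainsKey($sid)) { 'BROAD' }
            elseif ($sid -like 'S-1-5-21-*' -and $sid.EndsWith($DomainUsersRid)) { 'BROAD (Domain Users)' }
            else { 'explicit' }
    '{0,-22} {1,-45} {2}' -f $flag, $m.Name, $sid
}

# 2. Which logon rights does BUILTIN\Users carry? Removing Authenticated Users
#    from Users also removes these rights from everyone who had them only via Users.
'--- Logon rights granted to BUILTIN\Users ---'
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content $cfg | ForEach-Object {
    # Exported lines look like: SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-545,...
    if ($_ -match '^(Se\w+LogonRight)\s*=\s*(.+)$') {
        $right = $Matches[1]
        $grantees = $Matches[2]
        if ($grantees -match [regex]::Escape("*$BuiltinUsersSid")) {
            "$right is granted to BUILTIN\Users (grantees: $grantees)"
        }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Which enabled local accounts are not explicit members of Users?
#    These reach Users' file and registry grants only through a broad principal
#    (the machine-local accounts Roger Abell warns are easy to overlook).
'--- Enabled local accounts not explicitly in BUILTIN\Users ---'
$explicitLocal = $members |
    Where-Object { $_.PrincipalSource -eq 'Local' } |
    ForEach-Object { $_.Name }
Get-LocalUser |
    Where-Object { $_.Enabled -and ("$env:COMPUTERNAME\$($_.Name)" -notin $explicitLocal) } |
    ForEach-Object { "Local account $($_.Name) is enabled and not an explicit member of Users" }

# 4. The removal itself, previewed. Re-adding is a single Add-LocalGroupMember
#    call, which is why the thread calls this reversible.
Remove-LocalGroupMember -Group 'Users' -Member 'NT AUTHORITY\Authenticated Users' -WhatIf
Remove-LocalGroupMember -Group 'Users' -Member 'NT AUTHORITY\INTERACTIVE' -WhatIf
```

    Step 2 is the part most often skipped: on a member server the default
    "Allow log on locally" and "Access this computer from the network" policies
    include BUILTIN\Users, so shrinking the group's membership changes who may
    log on at all, not only who matches the Read ACE on the files. Compare the
    grantees printed there with the explicit groups you intend to add before
    removing anything.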
