Default NTFS permissions too liberal on newly created volumes

Discussion in 'Server Security' started by Mike M, Jan 23, 2006.

  1. Mike M

    Mike M Guest

    Windows 2003 SP1 server here...

    I created a folder called "public" under the z:\ drive, shared it as
    "public", and verified that all users in my department had read-only
    permissions via a certain group. All seemed well until I saw legit data
    folders popping up in this shared folder that was allegedly read-only save
    for the admins. The user was able to create folders and files in the public
    share that was supposed to be read-only!!!

    Well...

    It seems to me that configuring a secondary volume, named as Drive Z:,
    brings liberal permissions to the root of the drive for the USERS group.
    Drilling down into the advanced security settings window shows 3 separate
    entries for the local-server\USERS group:

    --Read & Execute, This folder, subfolders and files
    --Create Folders/Append Data, This folder and subfolders
    --Create Files / Write Data, Subfolders only

    I looked at the other servers that we've built and all have the same
    all-too-liberal permission settings for the USERS group. It seems to me
    that USERS can do everything but delete files by default.

    Why is Microsoft allowing the USERS group such liberal permissions by
    default? It was a no-brainer to remove the EVERYONE group to tighten
    things up, but this issue seems to make things more difficult to lock-down
    security on file servers. Am I missing something???


    TIA,
    Mike
     
    Mike M, Jan 23, 2006
    #1
    1. Advertisements

  2. I can't answer for Microsoft though maybe such decisions were made at a time
    when the scales tipped more toward functionality then security and it was up
    to users and admins to configure permissions for their needs from there but
    it sounds like your users had excessive share permissions. If they only had
    read share permissions they would not have been able to create folders. The
    Windows 2003 Server Security Guide and the Threats and Countermeasures Guide
    are free for those who want to learn how to lock down their operating
    systems from baseline with guidance on legacy, enterprise, and high security
    scenarios. They are available at the links below. --- Steve

    http://www.microsoft.com/technet/security/default.mspx
    http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
     
    Steven L Umbach, Jan 23, 2006
    #2
    1. Advertisements

  3. you are right. The disk root is secured exactly you have found. User only
    cannot create anything directly in the root. Lower, they can create their
    own folders and files and to their own object they have full control.

    Restrict the root folder permissions either manually or by GPO.


    O.
     
    Ondrej Sevecek, Jan 23, 2006
    #3
  4. The default were selected for "functionality", and notice that those are
    only used on partitions where the OS is NOT installed which are assumed
    to be data areas for user storage.

    Also, notice that the Creator Owner grant in the default settings will
    let the account that added some file/folder to delete it.

    Do you have a more reasonable "best guess" as a one-size-fits-all set
    of permissions that should be used upon defining a new non-boot
    partition ?? Something had to be choosen, or else what, leave it
    with no permissions and force all people to always have to set NTFS
    permissions when a new partition is formatted ??

    If a single storage area can be accessed over the network by means
    of multiple network shares, then the one that is named/used in making
    a connection is the one whose share level permissions will govern the
    network accesses.
     
    Roger Abell [MVP], Jan 25, 2006
    #4
  5. Mike M

    Mike M Guest

    Good point. Most of my Windows boxes are app servers running the system
    drive. Putting on my file server "hat", makes me look at it from a
    different point of view.

    I'm so used to Linux and Netware's "additive" permissions model for file
    serving, that it still takes a different way of looking at things form the
    MS point of view...even after using NT for more than a decade!! :)

    Thanks,
    Mike
     
    Mike M, Jan 25, 2006
    #5
  6. Yep, I hear you (even now after coming to NT from Unix+IBM back
    at NT 3.50). One thing to keep in mind is that to a fair extent the
    defaults are selected as "workable" for client and server systems
    where there is overlap (like the ACLing of a new partition). With
    the large percentage being "less initiated" client (aka home) users,
    a choice for the defaults that will work for their likely need does then
    seem like a reasonable choice (especially if you recognize that XP
    Home edition does not have the NTFS security dialog unless one
    boots it into safe mode). Another way of looking at it is that many
    srv admin do, as I do, set the NTFS permissions (often to only
    Administrators Full) as a first action after the format completes
    (old NT habits die hard - this is a hang on from when the default
    ACL was a null = Everyone Full).
     
    Roger Abell [MVP], Jan 26, 2006
    #6
  7. A rule of thumb that I use is when making a new folder off the root of the drive, to be used as a share, I remove the inheritance
    flag and set the permissions as I want.
     
    BerkHolz, Steven, Jan 26, 2006
    #7
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.