Guest Mark Posted March 27, 2009

We have a Windows 2003 server that will be placed in DMZ as a standalone server with IIS for webpage. One of the vulnerabilities identified is the permission settings on the IISADMPWD. It's recommended that if the directory cannot be removed, then modify the permissions so that only the Administrators & System have access to this folder. I noticed the Power Users & Users group had access to this folder but were inherited from the \system32\ folder. I removed the Power Users group from \system32\ as there are no local user accounts in that group. However, when I look at the Users group, I see the ASPNet, NT Authority\Authenticated Users, NT Authority\Interactive accounts in there. If I remove the Users group from the NTFS permissions on the \system32\ will that break access for some of these accounts? The only users that will log on locally to this box are administrators. There is no printing or file & print sharing.

I know I can just go to the IISADMPWD folder and deny access to the users. But wanted to know if anything would break by removing the group from the \system32\.

Thanks in advance for any help given.
Guest Shenan Stanley Posted March 27, 2009

Mark wrote:
> We have a Windows 2003 server that will be placed in DMZ as a
> standalone server with IIS for webpage. One of the vulnerabilities
> identified is the permission settings on the IISADMPWD. It's
> recommended that if the directory cannot be removed, then modify
> the permissions so that only the Administrators & System have
> access to this folder. I noticed the Power Users & Users group had
> access to this folder but were inherited from the \system32\
> folder. I removed the Power Users group from \system32\ as there
> are no local user accounts in that group. However, when I look at
> the Users group, I see the ASPNet, NT Authority\Authenticated
> Users, NT Authority\Interactive accounts in there. If I remove the
> Users group from the NTFS permissions on the \system32\ will that
> break access for some of these accounts? The only users that will
> log on locally to this box are administrators. There is no printing
> or file & print sharing.
>
> I know I can just go to the IISADMPWD folder and deny access to the
> users. But wanted to know if anything would break by removing the
> group from the \system32\.
>
> Thanks in advance for any help given.

Break inheritance and do only what is needed.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
Guest Kerry Brown Posted March 27, 2009

"Mark" <Mark@discussions.microsoft.com> wrote in message news:2CDEF17C-F821-4072-A360-CDAF22C2D104@microsoft.com...
> We have a Windows 2003 server that will be placed in DMZ as a standalone
> server with IIS for webpage. One of the vulnerabilities identified is the
> permission settings on the IISADMPWD. It's recommended that if the
> directory cannot be removed, then modify the permissions so that only the
> Administrators & System have access to this folder. I noticed the Power
> Users & Users group had access to this folder but were inherited from the
> \system32\ folder. I removed the Power Users group from \system32\ as
> there are no local user accounts in that group. However, when I look at
> the Users group, I see the ASPNet, NT Authority\Authenticated Users, NT
> Authority\Interactive accounts in there. If I remove the Users group from
> the NTFS permissions on the \system32\ will that break access for some of
> these accounts? The only users that will log on locally to this box are
> administrators. There is no printing or file & print sharing.
>
> I know I can just go to the IISADMPWD folder and deny access to the users.
> But wanted to know if anything would break by removing the group from the
> \system32\.
>
> Thanks in advance for any help given.

Deny permissions are almost always a bad idea. Don't modify \system32\. Only modify the folders that need permissions changed. You will have to break inheritance on the folders you change. Inheritance should normally flow to folders below the changes, but not from above.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
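Added example, not part of the original thread and not any poster's code: a PowerShell sketch of the approach in the two replies above, which breaks inheritance on the IISADMPWD folder only, grants explicit Allow entries to Administrators and SYSTEM, uses no Deny entries, and leaves \system32\ untouched. The default path and the `-Path` parameter are assumptions; point it at the actual folder on your server.

```powershell
# Added example. Assumption: default IISADMPWD location; pass -Path if yours differs.
param([string]$Path = "$env:windir\system32\inetsrv\iisadmpwd")

# Well-known SIDs, so the script does not depend on localized account names.
$allowedSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18'        # NT AUTHORITY\SYSTEM
)

$acl = Get-Acl -Path $Path

# Break inheritance on this folder only and do not copy the inherited entries,
# so the Users / Power Users ACEs coming from \system32\ stop applying here.
$acl.SetAccessRuleProtection($true, $false)

# Drop explicit entries already set on the folder so only the two below remain.
foreach ($identity in @($acl.Access | ForEach-Object { $_.IdentityReference })) {
    $acl.PurgeAccessRules($identity)
}

# Explicit Allow entries that flow down to subfolders and files. No Deny ACEs.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
foreach ($sid in $allowedSids) {
    $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $id, 'FullControl', $inherit, $noProp, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Re-read the ACL from disk and report anything other than the expected entries.
$sidType = [System.Security.Principal.SecurityIdentifier]
$unexpected = @((Get-Acl -Path $Path).Access | Where-Object {
    $_.IsInherited -or
    $_.AccessControlType -eq 'Deny' -or
    $allowedSids -notcontains $_.IdentityReference.Translate($sidType).Value
})

if ($unexpected.Count -gt 0) {
    Write-Warning "Unexpected ACEs remain on $Path"
    $unexpected | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited
} else {
    Write-Output "OK: only Administrators and SYSTEM have access to $Path"
}
```

Run it from an elevated session and record the folder's existing ACL first (for example with `Get-Acl $Path | Format-List`) so the change can be reverted.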
Guest Mark Posted March 27, 2009

Re: Question on Local Users Group on Windows 2003 Standalone & Sys

All, thanks for your responses.

"Kerry Brown" wrote:
> "Mark" <Mark@discussions.microsoft.com> wrote in message
> news:2CDEF17C-F821-4072-A360-CDAF22C2D104@microsoft.com...
> > We have a Windows 2003 server that will be placed in DMZ as a standalone
> > server with IIS for webpage. One of the vulnerabilities identified is the
> > permission settings on the IISADMPWD. It's recommended that if the
> > directory cannot be removed, then modify the permissions so that only the
> > Administrators & System have access to this folder. I noticed the Power
> > Users & Users group had access to this folder but were inherited from the
> > \system32\ folder. I removed the Power Users group from \system32\ as
> > there are no local user accounts in that group. However, when I look at
> > the Users group, I see the ASPNet, NT Authority\Authenticated Users, NT
> > Authority\Interactive accounts in there. If I remove the Users group from
> > the NTFS permissions on the \system32\ will that break access for some of
> > these accounts? The only users that will log on locally to this box are
> > administrators. There is no printing or file & print sharing.
> >
> > I know I can just go to the IISADMPWD folder and deny access to the users.
> > But wanted to know if anything would break by removing the group from the
> > \system32\.
> >
> > Thanks in advance for any help given.
>
> Deny permissions are almost always a bad idea. Don't modify \system32\. Only
> modify the folders that need permissions changed. You will have to break
> inheritance on the folders you change. Inheritance should normally flow to
> folders below the changes, but not from above.
>
> --
> Kerry Brown
> MS-MVP - Windows Desktop Experience: Systems Administration
> http://www.vistahelp.ca/phpBB2/