Everyone Permissions


jrjr2u

Technical User
May 2, 2003
16
US
Hello all!
I got my site back up again after getting hacked and learning about security aspects. (I still have a lot to learn though!) After using the IIS lockdown tool, I was able to get all of my asp working again with slight changes to permissions on that folder.

I noticed that the lockdown tool left my C: drive with full permissions for the everyone group. This sure does not sound right to me!
What are the minimum permissions for the everyone group so that I do not lock myself out of my server altogether?

If I reduce everyone on C: to read only, my asp sites on another drive cease. I need read/write on C: in order for them to work.... I have not tried rebooting with these permissions yet. One other time I deleted the everyone group... that was a mistake!! If I make everyone read only on my Web drive, it works ok. For some reason Everyone needs write for C:

Any suggestions?

I do have Server Admin/machine name/full and System/ full on C:

Also, regarding the anonymous account... I have read where setting this to a value of 2 in the registry is the best. I tried this with the snap in and after rebooting, logging in as admin, the only thing I could do as far as shutting down was to log off. All the rest of the options were gone. I read a lot and found nothing to speak of. Next, I reset the Anonymous back to 0, logged off and reset the machine with clenched teeth. Luckily, it returned to normal, or almost. Now when I try to view security in event viewer, I get this:

Unable to complete the operation "Security".
A required privilege is not held by the client.

I get this even though I am logged in under an admin acct. I created another admin acct with full privileges, logged in as that, and the same thing occurred.

Any ideas??? Sure would appreciate some input here!
 
By default the Local disk is set so that everyone has full permissions. The reason is if another account is created then they will have the necessary permissions to create a profile on the local disk. Also, log files and some applications require data to be stored, updated or removed from the drive. The only exception is the individual profiles under Documents and settings. The only concern you should have is if you share the drive to everyone. If you remove the built-in Everyone group you may experience significant problems in the future.

I am not sure about the anonymous profile and your attempt to configure it. What specifically are you trying to accomplish?

Paul
 
So you feel it is safe enough to leave everyone set to full on the C: drive? ok....

In regards to the anonymous acct, I ran the MS baseline security analyzer and its output told me that setting this to a value of 2 in the registry is the most secure setting in regards to anonymous permissions. It is set to 0 by default and there have been numerous places that I have read about changing it from 0 to at least 1.

I just do not want to get hacked again!
 
I opted for another clean install. This time I will leave the anonymous/0 and the everyone/full for C: set at default.

It just keeps getting better!!
 
Here is some reading for you. This is where I have gotten some of my ideas. Running a web server, all that the anon really needs is access to the web drive. I have read that in order to perform some upload functions that they need write to the WINNT/TEMP dir but that has not been proven to me yet. Keeping anon off or to a bare minimum on the OS drive seems like a good thing. If a hacker (or virus) was able to navigate to the C: drive then having everyone/full would be an open door to them. This is why I was trying to minimize the risks by reducing the permissions. I can't be the only one doing this!


 
An idea would be to partition your drive and create a virtual directory for your website. That way web users have access only to the website files and nothing more.
 
Don't mess with the default everyone on the C drive. There is a reason for that. Standard practice is to create a folder and share the folder (never share the drive). Use liberal share permissions and clamp down with NTFS permissions on the folder. If your folder is to be accessed only by domain users, then change the everyone in the share permissions to domain users (prevents unauthorized access, the user has to be logged into the domain). The guest account is part of the everyone group, so if you have that account activated, it can have share permissions on any share that has everyone. A guest doesn't even have to be logged into the domain to do this. You shouldn't have everyone in the folder NTFS permissions (unless you plan on giving guest access). If it's for web access, use the IUSR_*** group (where *** is your computer name). Anytime you create a share, go into the NTFS permissions and clamp down on that share.
 