Logical Drive NTFS permissions

bigdirk

IS-IT--Management
Mar 14, 2003
31
GB
What is the best way to secure the logical drives in Windows 2000 Server in relation to user permissions? In other words, I would like to secure the system using a set of tried and tested NTFS permissions, including admin and system shares.

Thanks,
BigDirk.
 
Tried and tested permissions??? What are you talking about??
Securing a network requires some planning, and requires knowing what you want.
First design the strategy. Where will the public data reside? Where will the home directories be, where the applications? After you have decided these points, you have to see which users will access some directories and how. Define local groups that will represent users with the same requirements to a specified resource.
Assign permissions to those groups.
Share permissions? NTFS permissions? If you have NTFS drives, then you don't have to struggle too much with share permissions. Let them be more permissive like NTFS ones. Control in detail via NTFS permissions.
Gia Betiu
giabetiu@chello.nl
Computer Eng. CNE 4, CNE 5, MCSE Win2K
 
The operating system itself will apply a set of default permissions that gives different rights to different user groups. For instance, it grants administrators everything and gives users more restrictive access by default. These were all defined by Microsoft as to who can access what and as a whole are not that bad, so if you're looking for a baseline to go by, it's already there. It's up to you to decide how to go from there since your requirements are unique from everyone else's. I do have some tips, though.

First, be generous with share permissions; use NTFS permissions to clamp down on permissions (much more flexible and also recommended by Microsoft).

Second, consider deleting the Everyone group from the share permissions and replacing it with the Domain Users group (this will stop access unless you are logged into the domain).

Three, keep in mind that permissions are inherited from their parent folder in 2000. Give access to top folders to trusted security groups only and add general user access to subfolders and not vice versa. A general user access at the top of a folder tree would allow access to the entire tree. Let inherited permissions work for you, not against you.

Fourth, don't assign permissions to individual users. Use group membership to determine permissions. You should already have an idea of what groups of people need access to the same resources. Management by group membership is almost a must. You have built-in groups like Domain Users at your disposal. Use them when you can.

Sixth, use each group type for the purpose it was intended and nest them properly. Use universal groups sparingly and try not to add individual users to them. Add global groups to them. Use global groups generously to segregate your users by functional purpose. Use domain local groups to assign permissions to resources. Add the appropriate universal and global groups to the domain local group.
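
The share and NTFS layout described in the replies above, as an added example that is not part of the original thread. It assumes a current Windows Server with the SmbShare and ActiveDirectory PowerShell modules rather than Windows 2000; the CONTOSO domain, the D:\Data path and all group names are hypothetical.

```powershell
# Added example, not from the thread. CONTOSO, D:\Data and the group names
# are hypothetical; run from an elevated session on a domain member server.
Import-Module ActiveDirectory

$root    = 'D:\Data'
$finance = Join-Path $root 'Finance'
New-Item -ItemType Directory -Path $finance -Force | Out-Null

# Group nesting: users go into a global group (by function), the global
# group goes into a domain local group, and only the domain local group
# appears on the resource ACL. No individual users on any ACL.
New-ADGroup -Name 'GG_Finance_Staff'  -GroupScope Global      -GroupCategory Security
New-ADGroup -Name 'DL_Finance_Modify' -GroupScope DomainLocal -GroupCategory Security
Add-ADGroupMember -Identity 'DL_Finance_Modify' -Members 'GG_Finance_Staff'

# Top folder: remove inherited ACEs and grant only trusted principals.
# (OI)(CI) means the ACE is inherited by files and subfolders, so anything
# granted here flows down the whole tree.
icacls $root /inheritance:r /grant:r `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Subfolder: general user access is added here, not at the top.
# M = Modify; the subfolder still inherits the admin and SYSTEM ACEs above.
icacls $finance /grant 'CONTOSO\DL_Finance_Modify:(OI)(CI)M'

# Share: generous, but scoped to Domain Users instead of Everyone.
# NTFS does the fine-grained restriction; the effective access over the
# network is the more restrictive of the share and NTFS permissions.
New-SmbShare -Name 'Data' -Path $root `
    -FullAccess   'BUILTIN\Administrators' `
    -ChangeAccess 'CONTOSO\Domain Users'

# Review the result: Everyone should not appear on the share, and the
# finance group should appear only on the subfolder.
Get-SmbShareAccess -Name 'Data'
icacls $root
icacls $finance
```

With this layout, members of GG_Finance_Staff reach the subfolder by its full path (\\server\Data\Finance) but cannot list or modify the top of the tree.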
 