[3394] in bugtraq
Re: NT 4.0 default permissions
daemon@ATHENA.MIT.EDU (Jim Laverty)
Wed Sep 25 17:41:35 1996
Date: Wed, 25 Sep 1996 15:32:44 -0400
Reply-To: laverty@matrixNet.com
From: Jim Laverty <laverty@matrixNet.com>
X-To: Dan Shearer <itudps@lux.levels.unisa.edu.au>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

This only applies if the drive is shared. Go into the properties
dialog for your NT drive, select the "Security" tab and select
"Permissions". Check off the "Replace permissions on subdirectories" option
and change the "Everyone" permissions to whatever you feel like dealing
with. Also, do not overuse the Auditing capabilities on "Everyone". It can
dramatically slow down your NT sessions.

At 09:21 PM 9/25/96 +0930, Dan Shearer wrote:
>I do not think this is a bug in the normal sense of the word, i.e. I think
>that this message describes NT the way it was designed to be. Nevertheless
>I suspect that people on this list would be glad of the information.
>
>If you install an NT 4.0 workstation or server, the default permissions
>on the system partition as reported by Explorer are:
>
> Everyone Full Control (All) (All)
>
>This means that building a secure, restricted-use workstation is
>difficult, and that if a server becomes compromised at the share level (e.g.
>through SMB bugs) there is no underlying file permission protection. Note
>that the group Everyone includes the unpassworded Guest account (which
>should always be regarded with great suspicion in any case.)
>
>There have been several recipes developed for tightening up the security
>of NT 3.51 file permissions which list what files can and cannot be
>restricted. It seems that similar recipes need to be developed for NT
>4.0, starting from scratch.
>
>--
> Dan Shearer email: Dan.Shearer@UniSA.edu.au
> Information Technology Unit Phone: +61 8 302 3479
> University of South Australia Fax : +61 8 302 3385
>
>
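
An added example, not part of either message above: one way to audit for the default described in the quoted post is to scan the output of NT's `cacls` command for entries that grant Everyone Full Control (`F`). The function name, the constructed sample listing, and the assumed layout of `cacls` output (continuation entries aligned under the first one) are assumptions of this example.

```python
import re

# An "Everyone" ACE at the end of a cacls line: optional inheritance flags
# such as (OI)(CI)(IO), then the access letter (N, R, W, C or F).
EVERYONE_ACE = re.compile(r"(?<![\w\\])Everyone:((?:\([A-Z]{2}\))*)([NRWCF])\s*$")

# Constructed sample listing, not captured from a real system.
SAMPLE = r"""
C:\ Everyone:(OI)(CI)F
C:\WINNT BUILTIN\Administrators:(OI)(CI)F
         Everyone:(OI)(CI)C
C:\Program Files BUILTIN\Administrators:(OI)(CI)F
                 Everyone:(OI)(CI)F
C:\boot.ini BUILTIN\Administrators:F
            NT AUTHORITY\SYSTEM:F
"""


def everyone_full_control(cacls_output):
    """Return, in listing order, the paths that grant Everyone Full Control."""
    flagged = []
    first_line = None  # line that starts the current object's ACL
    for line in cacls_output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            first_line = line
        match = EVERYONE_ACE.search(line)
        if first_line is None or match is None or match.group(2) != "F":
            continue
        # Assumed layout: continuation ACEs are aligned under the first ACE,
        # so the ACE column also marks where the path ends on the first line.
        # This keeps paths that contain spaces intact.
        path = first_line[: match.start()].rstrip()
        if path not in flagged:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in everyone_full_control(SAMPLE):
        print("Everyone: Full Control ->", path)
```

Entries where Everyone holds only Change (`C`) or Read (`R`) are deliberately not reported; the check targets the Full Control default the thread describes.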