[258] in winnt
Securing the WinNT root.
daemon@ATHENA.MIT.EDU (Don Nelson)
Thu Nov 12 13:12:15 1998
Date: Thu, 12 Nov 1998 13:08:57 -0500
To: ntpartners@MIT.EDU
From: Don Nelson <dnelson@psfc.mit.edu>
I am looking for a tool or a set of rules to use to create or modify
"permissions" on the folders and files under the WinNT root for the purpose
of preventing members of a specified group from accidentally or
deliberately creating or modifying files (and from installing apps).
I would like also to secure application folders against accidental or
deliberate modification by members of a specified group.
------------------------------------
When NT is installed in a FAT partition (as is usually the case with both
upgrades and new PC's delivered with NT pre-installed), and the boot
partition is subsequently converted to NTFS, the permissions on every
folder and file in that partition grant 'full control' to 'everyone'.
When NT is installed in an existing NTFS partition, a complex set of
permissions is defined for every folder and file under the WinNT tree. The
permissions vary from folder to folder and from file to file.
The implication is that it is neither safe nor wise to make a sweeping
declaration of restricted access for a group across all folders and/or
files under the WinNT tree. Preventing the creation or modification of
files under the WinNT tree must cause some apps to fail.
Securing app folders also requires some care. Netscape, for example,
maintains a separate folder structure for each user (or defined profile).
Clearly the users must have full control over their own Netscape folders.
The NT Workstation Resource Guide (4.0) has a table of recommended
permissions for tightening security on the WinNT root. Unfortunately, that
table is really for NT 3.5, and the advice is meaningless for 4.0.
Don
========================================================
Donald R. Nelson
Systems Manager
Plasma Science and Fusion Center
Massachusetts Institute of Technology
175 Albany St., NW17-272
Cambridge, MA 02139
dnelson@psfc.mit.edu
(617) 253-7616
========================================================
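
The message above notes that a boot partition converted from FAT to NTFS ends up with 'full control' for 'everyone' on every folder and file. The following audit script is an added example, not part of the original post; it assumes a current Windows system with PowerShell 3 or later (not available on NT 4.0), and the `$Root` parameter and the function name `Test-EveryoneFullControl` are hypothetical names chosen here. It lists every file and folder under a tree whose ACL allows Everyone full control, so the scope of the problem can be seen before any permissions are changed.

```powershell
# Added example: report files and folders whose ACL allows Everyone full control.
# $Root is an assumed parameter; point it at the system root or an application folder.
param(
    [string]$Root = $env:SystemRoot
)

# Well-known SID for Everyone; avoids depending on the localized group name.
$everyoneSid = 'S-1-1-0'
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$genericAll  = 0x10000000   # GENERIC_ALL, sometimes stored unmapped in inherit-only ACEs

function Test-EveryoneFullControl {
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL: $Path ($($_.Exception.Message))"
        return
    }
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $everyoneSid) { continue }
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$rule.FileSystemRights
        $isFull = (($rights -band [int]$fullControl) -eq [int]$fullControl) -or
                  (($rights -band $genericAll) -ne 0)
        if ($isFull) {
            [pscustomobject]@{
                Path        = $Path
                Inherited   = $rule.IsInherited
                Inheritance = $rule.InheritanceFlags
                Propagation = $rule.PropagationFlags
            }
        }
    }
}

# Check the root itself, then everything beneath it (including hidden/system items).
Test-EveryoneFullControl -Path $Root
Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Test-EveryoneFullControl -Path $_.FullName }
```

Entries reported with `Inherited = False` carry the grant explicitly; entries with `Inherited = True` receive it from a parent folder further up the tree.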