
NTFS directory permissions for Exchange


Tim Carmichael

May 18, 1999, 3:00:00 AM
Does anyone have a template for the minimum ntfs permissions needed for the
private and public stores ? The default appears to allow the everyone group
change rights, this seems overly generous...

tim

Rich Matheisen [MVP]

May 18, 1999, 3:00:00 AM
"Tim Carmichael" <t...@datent.com> wrote:

It is. But the complete set of permissions necessary for the whole
server (Exchange doesn't operate all by itself!) is much more than I'm
willing to type!

I think you'd be able to get by with just Special Access (Traverse)
(X)() for the Guest group and local Users group on the MDBDATA
directory and the exchsrvr directory. The bin, res, webdata should be
able to get by with READ (RX)(RX) access. This does, however, leave
out the entire WINNT and TEMP directory structure, and the root of the
volume itself.

------------------
Rich Matheisen
MCSE, Exchange MVP

Tim Carmichael

May 18, 1999, 3:00:00 AM
Hi Rich,

Agreed, Exchange isn't an island. We have the rest of the OS pretty much
locked down. It's just that SQL Server and Exchange don't have documented
security requirements, and the last thing I want to do is discover either a
loophole or a crippling lockdown. For instance, we certainly don't allow
guest access, and would not allow the Everyone group to be used.

tim

Rich Matheisen [MVP] <r.mat...@worldnet.att.net.NOSPAM.COM> wrote in message news:374b7db5...@msnews.microsoft.com...

Rich Matheisen [MVP]

May 19, 1999, 3:00:00 AM

"Tim Carmichael" <t...@datent.com> wrote:

>Agreed, Exchange isn't an island. We have the rest of the OS pretty much
>locked down. It's just that SQL Server and Exchange don't have documented
>security requirements, and the last thing I want to do is discover either a
>loophole or a crippling lockdown. For instance, we certainly don't allow
>guest access, and would not allow the Everyone group to be used.

I missed the "s" at the end of "Guest". It should have read "Guests".
I got the group part right, though.

The Guests group doesn't contain the Guest user. It's a built-in
group, but its membership is entirely up to you. It's a group that
you'd place accounts into that you want to have access to some, but
not all, resources on this server. It usually contains the Domain
Guests global group, but that's not a given.

The "Everyone" group is always a bone of contention. But if you allow
anonymous access to the server (thru IIS, for example) you can't
easily use the "Authenticated Users" group because they won't have an
account with which to authenticate! Rather than denying access to
"Everyone" (which would NOT have the desired effect!), giving them
Traverse access is pretty safe. It allows them (or the app they're
running) to navigate the directory structure but doesn't allow them to
even see what's in the directory.
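As an added illustration (not code from the thread or from any Microsoft documentation), the layout Rich describes in his first reply and the Traverse-only advice above, expressed with today's tooling as a PowerShell script: Traverse (X)() for Users and Guests on exchsrvr and MDBDATA, Read/Execute (RX)(RX) on bin, res and webdata, followed by an audit that flags any Allow entry for Everyone, Users or Guests that exceeds that ceiling. The $ExchRoot path and the group names are assumptions; inherited entries from the volume root are deliberately left alone, since Rich treats that layer separately.

```powershell
# Added example, not from the thread. Assumes Exchange lives under $ExchRoot (adjust)
# and that the built-in local groups are named 'Users' and 'Guests'. Inherited ACEs
# from the volume root are left alone, as Rich notes that layer is a separate job.
param([string]$ExchRoot = 'D:\exchsrvr')

$Traverse = [System.Security.AccessControl.FileSystemRights]::Traverse       # (X)() in Explorer's notation
$ReadExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute # (RX)(RX)

function Grant-Rights {
    param([string]$Path, [string]$Group, $Rights, [switch]$Inherit)
    # Traverse goes on the folder only; ReadAndExecute must flow down to the files.
    $flags = if ($Inherit) { 'ContainerInherit,ObjectInherit' } else { 'None' }
    $rule  = New-Object System.Security.AccessControl.FileSystemAccessRule `
                -ArgumentList $Group, $Rights, $flags, 'None', 'Allow'
    $acl = Get-Acl -Path $Path
    # Drop the group's existing explicit Allow entries (e.g. the default Change) first.
    $acl.Access | Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value.Split('\')[-1] -eq $Group } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Find-OverbroadAces {
    param([string]$Root)
    # Report any Allow ACE for the broad groups that exceeds the ceiling discussed in the thread.
    $Root  = (Get-Item $Root).FullName
    $broad = 'Guests', 'Users', 'Everyone'
    foreach ($dir in @(Get-Item $Root) + @(Get-ChildItem $Root -Directory -Recurse)) {
        # bin, res and webdata (and their contents) may carry Read/Execute; everything else only Traverse.
        $top = $dir.FullName.Substring($Root.Length).TrimStart('\').Split('\')[0]
        $max = if ($top -in 'bin', 'res', 'webdata') { $ReadExec } else { $Traverse }
        foreach ($ace in (Get-Acl $dir.FullName).Access) {
            $name = $ace.IdentityReference.Value.Split('\')[-1]
            if ($ace.AccessControlType -ne 'Allow' -or $name -notin $broad) { continue }
            # Any right bit outside the allowed mask is a finding.
            if (([int]$ace.FileSystemRights -band -bnot [int]$max) -ne 0) {
                [pscustomobject]@{ Path = $dir.FullName; Group = $name; Rights = $ace.FileSystemRights }
            }
        }
    }
}

foreach ($g in 'Users', 'Guests') {
    foreach ($d in $ExchRoot, "$ExchRoot\MDBDATA") { Grant-Rights -Path $d -Group $g -Rights $Traverse }
    foreach ($d in 'bin', 'res', 'webdata') { Grant-Rights -Path "$ExchRoot\$d" -Group $g -Rights $ReadExec -Inherit }
}
Find-OverbroadAces -Root $ExchRoot | Format-Table -AutoSize
```

Run the audit function on its own first to see what the current ACLs grant before changing anything; an empty result means nothing broader than the thread's ceiling is present.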

Tim Carmichael

May 21, 1999, 3:00:00 AM
What I have done, and it seems to work, is to remove all rights to the
Exchange server apart from the service admin. This should lock it down OK.
We don't expect users to access who aren't members of the Authenticated
Users group, so Everyone is not required.

tim

Rich Matheisen [MVP] <r.mat...@worldnet.att.net.NOSPAM.COM> wrote in message news:375bffd5...@msnews.microsoft.com...

Rich Matheisen

May 22, 1999, 3:00:00 AM
"Tim Carmichael" <t...@datent.com> wrote:

>What I have done, and it seems to work, is to remove all rights to the
>Exchange server apart from the service admin. This should lock it down OK.
>We don't expect users to access who aren't members of the Authenticated
>Users group, so Everyone is not required.

True enough. The permissions I recommended are the maximum required to
operate. Your situation may require less -- and using the "least
privilege" principle, that's all that's needed until proven otherwise!

------------------
Rich Matheisen
MCSE, Exchange MVP

mailto:richard....@wang.com http://www.wang.com/
