Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

File access for Everyone

0 views
Skip to first unread message

Peter Bernhardt

unread,
Dec 3, 2004, 5:26:13 PM12/3/04
to
I have a security best practice question. I am working with a software
program that is using API calls to programmitically grant access to file
directories on a Windows 2003 server to the Everyone group.

Inasmuch as Microsoft changed the default behavior for creating new folders
to eliminate access to Everyone, I question the wisdom of opening up a
folder to Everyone and think that good software does not relax default
security.

Anyway, I was hoping to get some opinion on this issue and find, if
possible, any MS recommendations in this area.

I've also found that Windows XP (I think as of SP2) also eliminates Everyone
from ACLs. Is this also true in security fixes for other OS's?

TIA


Steven L Umbach

unread,
Dec 3, 2004, 9:19:01 PM12/3/04
to
I don't like the idea of opening up access to the everyone group to more
than what the operating specified by default which is not much for XP/W2003.
I believe everyone has read/execute access to the root and documents and
settings folder [not subfolders] by default. W2003/XP has further increased
security by removing "anonymous" from the everyone group. As long as the
guest account remains disabled the everyone group access should not be a
security risk, though it still makes sense to not give everyone permissions
if it is not needed. Windows 2000 is not as locked down to everyone group
access as W2003/XP and still will give everyone full access to a newly
created share and does include "anonymous" in the everyone group. A modern
software program should not be assigning permissions to the everyone group
in my opinion and makes me wonder about how much concern for security was in
the application development. Microsoft makes specific recommendation for
securing the operating system in their free downloads for the Windows 2003
Server Security Guide, the Windows XP Security Guide, and the Threats and
Countermeasures Guide. --- Steve

http://www.microsoft.com/technet/security/topics/hardsys/tcg/tcgch00.mspx
-- all three guides are available here.

"Peter Bernhardt" <pe...@spammenot.com> wrote in message
news:%23S6KhcY...@TK2MSFTNGP12.phx.gbl...

Roger Abell

unread,
Dec 4, 2004, 6:04:59 AM12/4/04
to
There is a principle of least privilege that has been
a guiding rule since before MS was a company.
It is this you are exploring here, and this that caused
us to want to replace Everyone with such as Users
back in NT4 systems (and, IIRC was why SubInAcls
was first written).

So, the question really is, "Is the Everyone grant needed
where this is being done" and if not, what is sufficient.
Say you determine that only the machine local Users
group is sufficient. Then the next thing to ask is, if the
grant is to Everyone, can any account other than a Users
member actually do anything because of the overly loose
grant? For example, if the file area is not shared, then
the access would have to be by a local login, and if an
account is not in Users it is not going to successfully
log in locally to XP/W2k3. So for those OS versions a
grant to Everyone in a non-shared area is an excessive
grant, but it is not an excessive exposure because other
factors limit the effectiveness of the grant. Now, the
excessive grant is still IMO not good, as consider what
happens when some later does share the area.

The idea is to know what is needed, and then to craft
access control so that all of what is needed, and nothing
else, can be done. The stickiness is in how one judges
the "can", as exampled earlier where ability to log in
was actually the determining factor.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA


"Peter Bernhardt" <pe...@spammenot.com> wrote in message
news:%23S6KhcY...@TK2MSFTNGP12.phx.gbl...

Robert Moir

unread,
Dec 5, 2004, 8:02:27 AM12/5/04
to
Peter Bernhardt wrote:
> I have a security best practice question. I am working with a software
> program that is using API calls to programmitically grant access to
> file directories on a Windows 2003 server to the Everyone group.
>
> Inasmuch as Microsoft changed the default behavior for creating new
> folders to eliminate access to Everyone, I question the wisdom of
> opening up a folder to Everyone and think that good software does not
> relax default security.

I personally tend to return such faulty software to its supplier but I
realise that not everyone has the management support I'm lucky to have, and
also what do you do if you have no alternatives (e.g. proprietry software
for electronic banking with your company's bank, for example).

As a work around, if you know what directories this annoying software is
going to fiddle with and you know which people you want to keep out of those
directories, can you create a group for the people you want kept out and set
a Deny ACL on the problem folders? Yes I know it isn't pretty but it might
have to do.


--
--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.


Peter Bernhardt

unread,
Dec 7, 2004, 11:52:27 AM12/7/04
to
Steven, Roger and Robert:

Thank you for your replies. I'm much obliged.

--
Peter Bernhardt
SharpSense Software LLC
pe...@SharpBASSense.netURA


"Peter Bernhardt" <pe...@spammenot.com> wrote in message
news:%23S6KhcY...@TK2MSFTNGP12.phx.gbl...

0 new messages