but don't forget that when you remove Everyone from NTFS permissions, you're also removing SYSTEM, and that can make a lot of trouble. I always put in SYSTEM separately before taking out Everyone. Or is this too elementary to even mention?
-----Original Message-----
From: Ziots, Edward [mailto:[EMAIL PROTECTED]
Sent: Friday, June 22, 2007 5:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT - Everyone vs. Authenticated Users

As a rule always remove Everyone from NTFS and Share permissions. (Use Security templates!)

Authenticated Users is a little more secure, but a lot of people use Authenticated Users and then use NTFS permissions to secure the underlying files and folders.

I am personally a fan of siloing servers based on information contained within and removing the rights to log on over the network to only those groups that will be accessing shares on that server, which severely limits access to the data, and stops the inadvertent junior admin/helpdesk person from doing harm by putting a wide open share out on the server (Everyone (Share: Full Control, NTFS: Full Control)) and setting that server up for a network-borne virus to damage the data. If they can't log in over the network, they are effectively stopped; it doesn't matter if they got Full Control to the share or NTFS permissions. It's a little more complex of a setup, but if you understand the pieces of it and how it works, it is doable.

Another thing you should look into with your Win2k3 systems is ABE (Access-based Enumeration), which basically can add another layer of security to your file-server setups, by not even showing a user folders they don't have read access to. Think if you combine this with DFS you could definitely have a nice, secure and distributed file-server system for your users.

Links on ABE:
http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx
http://www.microsoft.com/downloads/details.aspx?FamilyID=04a563d9-78d9-4342-a485-b030ac442084&displaylang=en
http://technet2.microsoft.com/windowsserver/en/library/f04862a9-3e37-4f8c-ba87-917f4fb5b42c1033.mspx?mfr=true

HTH
Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:[EMAIL PROTECTED]
cell:401-639-3505

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, June 21, 2007 8:35 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT - Everyone vs. Authenticated Users

2k yes, 2k3 no.

http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en
http://www.microsoft.com/downloads/details.aspx?familyid=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en

Good reading in there.

EIS Lists wrote:

W2k3. So then there really is no difference, eh?

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, June 21, 2007 5:20 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT - Everyone vs. Authenticated Users

2k or 2k3? As in 2k3 Everyone=Authenticated and guest is not included.

EIS Lists wrote:

Hi - What is the thinking on using "Authenticated Users" instead of "Everyone" for assigning share and NTFS permissions? Somewhere along the line I got in the habit of using "Authenticated Users" for all share perms. But, I think the only difference is Everyone includes the Guest account, right? (...and if Guest is disabled, it should not matter.) Does it matter? Thanks.
-- Noah

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
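
The ordering advised in the first reply (put SYSTEM in explicitly, then take Everyone out), sketched in PowerShell as an added example that is not part of the thread. The function name `Remove-EveryoneAce` and its parameter are hypothetical; it handles folders only and honours `-WhatIf`.

```powershell
# Added example, not from the thread. Function name and parameter are hypothetical.
function Remove-EveryoneAce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Not a folder: $Path"
    }
    # Well-known SIDs instead of names, so localized group names do not matter.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $system   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $full     = [System.Security.AccessControl.FileSystemRights]::FullControl

    $acl   = Get-Acl -LiteralPath $Path
    $rules = @($acl.GetAccessRules($true, $true, $sidType))

    # Does SYSTEM already hold an Allow ACE with Full Control (explicit or inherited)?
    $systemOk = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $system.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    }).Count -gt 0

    if (-not $systemOk) {
        # Step 1: put SYSTEM in before anything is taken out.
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $system, $full, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($ace)
    }

    $hits      = @($rules | Where-Object { $_.IdentityReference.Value -eq $everyone.Value })
    $inherited = @($hits | Where-Object { $_.IsInherited }).Count

    # Step 2: drop explicit Everyone ACEs; inherited ones must be fixed on the parent.
    $acl.PurgeAccessRules($everyone)
    if ($inherited -gt 0) {
        Write-Warning "$inherited inherited Everyone ACE(s) on $Path remain; fix the parent folder."
    }
    if ($PSCmdlet.ShouldProcess($Path, 'Add SYSTEM (if missing) and remove Everyone')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    [pscustomobject]@{
        Path = $Path; SystemAdded = (-not $systemOk)
        ExplicitEveryoneRemoved = $hits.Count - $inherited; InheritedEveryone = $inherited
    }
}
```

Running it with `-WhatIf` first reports what would change on a folder without writing the ACL.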
