NTFS Permissions – Need Verification?
Long story short, I discovered the NTFS permissions on all our Native Windows 2000 servers, at the root of each partition, had been reset to "Everyone." Of course I had my shares set to not propagate permissions, so that wasn't an issue. For some reason this did not affect the one box that we had that used to be NT4.0 and was upgrade to 2000. I have checked with several local companies, and when they checked, theirs too had been reset. What the heck? Anyone else out there notice this? And yes, I am aware these are the default permissions for w2k server, but I KNOW these were changed. I am trying to find out if maybe a "patch" did this.
Software/Hardware used:
Software/Hardware used:
ASKED:
March 24, 2006 5:58 PM
UPDATED:
March 27, 2006 9:33 AM
Answer Wiki:
1st - do you mean 'sharing' or security?
Sharing (for NT3.51&nt4 compatibility) REQUIRES 'everyone' then you limit access using the security tab. This confusion has existed for a long time now. When you right click a folder ther are two factors in allowing access "sharing' and 'security'. If you did not remove default administrative shares (x$) then 'everyone' is the default for sharing. In fact without 'everyone' other sharings won't work. IF you use the server as a login processor then it it is mandatory that 'everyone' be set because 'WinLogOn.exe' resides in the 'system32' folder in 'winnt' on the boot drive in 2000 and 'windows' on the boot drive in 2003. No 'everyone' no logins.
Now security is a different kettle of fish. 2003 has very granular permissions and with ABE (Access by Enumeration) you can restrict the ability to even see folders and files.
I hope this helps. If shared access is necessary the 'everyone' is necessary. BUT then tighten security permissions as needed.
To see all answers submitted to the Answer Wiki: View Answer History.
Howard,
I never have everyone with security permissions to any of my servers and they work fine. I think this is what Brian means. Obviously, everyone has to be able to read the Netlogon and syslog share points because you have to access them in order to log on.
I have only seen one posting about a security patch resetting NTFS permissions on the root of C, however, it doesn’t seem far fetched. Check out any of your patches built in house. I would imaagine they are the most likely to reset them.
Don
It could be patch related. Last year when Microsoft sent out the urgent patch for the ZOTOB worm, some of us ran the patch immediately and rebooted. The result was that the Everyone group was removed from the root of C: which caused many problems and was very difficult to correct.
Even the rollback didn’t really help. I now wait 24 hours after an urgent patch message from Microsoft just to be sure that it will have positive not negative effects.