Level Extreme platform
Subscription
Corporate profile
Products & Services
Support
Legal
Français
NTFS Security on C: (system) partition
Message
 
To
31/07/2003 14:00:10
Fernando Molina
Madrid, Spain
General information
Forum:
Windows
Category:
Administration & Security
Title:
Re: NTFS Security on C: (system) partition
Miscellaneous
Thread ID:
00815532
Message ID:
00815628
Views:
14
On a *server*?? That's about the strangest thing I've heard in a long time.
Do you mind saying why? This could open an enormous security hole. I'd quickly be sacked if I did something like allowing this...in a strict independent test-network environment like we have, it could be done without a security risk...but I don't think you are talking about that, or you wouldn't be asking about this.

So this advice is *not recommended at all*, but here's some basics, they are similar to a normal lockdown situation. First, if you have more than one partition, I'd keep the user entirely out of the main system partition, and install everything they might need on a secondary drive, preferably where there's nothing else at all. If you have only one partition, I'd seriously consider creating another different one for this user.

>But what folders do I have to set rights for this user? I meam If want he use Word, Excel, or other apps. Where can I get a list of folders to assign rights?

I don't think there's an exact list, it varies by environment. But here are some basics:

For openers, the basic drive usually has every permission (certainly read & execute) allowed except Full Control for a normal user environment. But on an active server, I'd probably do it backward and allow the user no access beyond Read/Execute. Then test to see what works, and if there are problems, look into elevating any permissions as needed.

You'll likely need at least one user folder with full control for DOCs, XLS, etc.

The primary NTFS folder (Winnt, Windows, whatever you call it where you are) should normally be Add, Read, Execute. But within this, the System folder(s) should usually be read & execute only. Especially on a server, you may need to change these to have tighter access-control, often servers are more open to permissions since hardly anyone can log on, or even physically get to the server.

Registry writes are usually okay on NTFS, as Office and other SW write to different NTFS profiles for different users, and this is configured automatically mostly.

This whole area is a deeper topic than just the basics I've said, but this may help to get you started.

Please be careful, though, this whole thing sounds like a recipe for trouble. I hope you have a *real* good reason for something like this...
The Anonymous Bureaucrat,
and frankly, quite content not to be
a member of either major US political party.
Previous
Next
Reply
Map
View

Click here to load this message in the networking platform