[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

NTFS Permissions

Posted on 2004-09-01
5
Medium Priority
?
357 Views
Last Modified: 2013-12-04
Hello,  I have windows xp formatted to ntfs.  I am setting the permissions on the C: drive and came across a few user groups I didn't recognize  "system" and "interactive".  I am looking to eliminate any back door access through my workgroup and through an IIS connection.  Do I need to leave these groups for my system to function properly?  If I do leave them will it provide an account someone can log into through IIS when the username and password box appears?  Also, is there someewhere I can look on my computer to view these groups I've never seen before?  Thanks!
0
Comment
Question by:firemanrob
5 Comments
 
LVL 8

Expert Comment

by:anil_u
ID: 11949889
Taken from
http://www.techtutorials.com/tutorials/xp/managing_groups.shtml

Built-In System Groups

Built-in system groups exist on Windows XP Professional systems and while they do have specific memberships that you can modify, you cannot administer the groups directly, they are available for modification when you assign user rights and permissions to resources. Built-in system group membership is based on how the computer is accessed, not on who uses the computer. The list below shows the primary built-in system groups and their default properties and characteristics. - This is not a group, just a name to group groups :) (hope that makes sense)
eg
Everyone, Created Owner, Interactive... this collectively is the systems group


Interactive - Members of the Interactive Built-in System group are "added" as they log on locally to the system. . - I suggest you leave this one alone :)
0
 

Author Comment

by:firemanrob
ID: 11957217
so if the "system" group is shown on the drive permissions you are saying it includes the everyone group and the owner group?  So having System group is allowing everyone on the permissions?
0
 
LVL 8

Expert Comment

by:anil_u
ID: 11957785
Apologies, I have looked further into this and the above info on the 'system' is incorrect.

the system group is used to manage accounts that provide system services such as the webserver

for your information, you can check what permissions each group has is by
Right clicking on a file eg a .gif -> properties -> 'security' tab -> 'advanced' button -> if 'SYSTEM' is not in the permission entries then click on 'Add' and add it -> then click on 'view/edit'
here you can see all the permission assigned to the 'SYSTEM' group.
0
 
LVL 20

Accepted Solution

by:
Debsyl99 earned 2000 total points
ID: 11965730
Hi
These two are built-in accounts and generally you don't really want to mess with them as changing permissions or access can seriously affect the correct functioning of your operating system and applications,
How the System Account Is Used in Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;120929
Windows 2000/XP - Built-in Users and Default Groups
http://www.ss64.com/ntsyntax/security_groups.html

However if you're concerned about security - have a look at the tools/links below. The Baseline analyzer will work with XP and apparently takes a good look at iis setup and config. Ensure that you have a firewall in place to help prevent unauthorised external access.
Microsoft Baseline Security Analyzer V1.2.1
http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Some further useful links,

Hardening Windows NT/2000/XP Information Systems
http://www.windowsecurity.com/articles/Hardening_Windows_NT2000XP_Information_Systems.html
Checklist for Securing a Windows XP IIS 5.1 Webserver
http://www.nthelp.com/NT6/Securing%20an%20XP%20web%20server.htm
Secure an IIS Web server with these 10 steps
http://techrepublic.com.com/5100-6264_11-5226103.html

Deb :))
0
 
LVL 3

Expert Comment

by:Gargantubrain
ID: 11969139
The SYSTEM group refers to most of the services that are running. Go to Control Panel, Administrative Tools, Services and look at all the accounts that Log On As "Local System". Those are the things that need permission to areas, and the SYSTEM group gives them permission.

The INTERACTIVE group refers to anyone logged in at the console, therefore "Interactively".

I would avoid giving any permissions to the Everyone group. Start with no permissions and give it carefully, rather than starting with Everyone or lots of permissions and trying to lock it down more.


0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
OfficeMate Freezes on login or does not load after login credentials are input.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses
Course of the Month19 days, 2 hours left to enroll

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question