Solved

NTFS Permissions

Posted on 2004-09-01
5
345 Views
Last Modified: 2013-12-04
Hello,  I have windows xp formatted to ntfs.  I am setting the permissions on the C: drive and came across a few user groups I didn't recognize  "system" and "interactive".  I am looking to eliminate any back door access through my workgroup and through an IIS connection.  Do I need to leave these groups for my system to function properly?  If I do leave them will it provide an account someone can log into through IIS when the username and password box appears?  Also, is there someewhere I can look on my computer to view these groups I've never seen before?  Thanks!
0
Comment
Question by:firemanrob
5 Comments
 
LVL 8

Expert Comment

by:anil_u
Comment Utility
Taken from
http://www.techtutorials.com/tutorials/xp/managing_groups.shtml

Built-In System Groups

Built-in system groups exist on Windows XP Professional systems and while they do have specific memberships that you can modify, you cannot administer the groups directly, they are available for modification when you assign user rights and permissions to resources. Built-in system group membership is based on how the computer is accessed, not on who uses the computer. The list below shows the primary built-in system groups and their default properties and characteristics. - This is not a group, just a name to group groups :) (hope that makes sense)
eg
Everyone, Created Owner, Interactive... this collectively is the systems group


Interactive - Members of the Interactive Built-in System group are "added" as they log on locally to the system. . - I suggest you leave this one alone :)
0
 

Author Comment

by:firemanrob
Comment Utility
so if the "system" group is shown on the drive permissions you are saying it includes the everyone group and the owner group?  So having System group is allowing everyone on the permissions?
0
 
LVL 8

Expert Comment

by:anil_u
Comment Utility
Apologies, I have looked further into this and the above info on the 'system' is incorrect.

the system group is used to manage accounts that provide system services such as the webserver

for your information, you can check what permissions each group has is by
Right clicking on a file eg a .gif -> properties -> 'security' tab -> 'advanced' button -> if 'SYSTEM' is not in the permission entries then click on 'Add' and add it -> then click on 'view/edit'
here you can see all the permission assigned to the 'SYSTEM' group.
0
 
LVL 20

Accepted Solution

by:
Debsyl99 earned 500 total points
Comment Utility
Hi
These two are built-in accounts and generally you don't really want to mess with them as changing permissions or access can seriously affect the correct functioning of your operating system and applications,
How the System Account Is Used in Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;120929
Windows 2000/XP - Built-in Users and Default Groups
http://www.ss64.com/ntsyntax/security_groups.html

However if you're concerned about security - have a look at the tools/links below. The Baseline analyzer will work with XP and apparently takes a good look at iis setup and config. Ensure that you have a firewall in place to help prevent unauthorised external access.
Microsoft Baseline Security Analyzer V1.2.1
http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Some further useful links,

Hardening Windows NT/2000/XP Information Systems
http://www.windowsecurity.com/articles/Hardening_Windows_NT2000XP_Information_Systems.html
Checklist for Securing a Windows XP IIS 5.1 Webserver
http://www.nthelp.com/NT6/Securing%20an%20XP%20web%20server.htm
Secure an IIS Web server with these 10 steps
http://techrepublic.com.com/5100-6264_11-5226103.html

Deb :))
0
 
LVL 3

Expert Comment

by:Gargantubrain
Comment Utility
The SYSTEM group refers to most of the services that are running. Go to Control Panel, Administrative Tools, Services and look at all the accounts that Log On As "Local System". Those are the things that need permission to areas, and the SYSTEM group gives them permission.

The INTERACTIVE group refers to anyone logged in at the console, therefore "Interactively".

I would avoid giving any permissions to the Everyone group. Start with no permissions and give it carefully, rather than starting with Everyone or lots of permissions and trying to lock it down more.


0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now