NTFS Permissions

Hello, I have Windows XP formatted to NTFS. I am setting the permissions on the C: drive and came across a few user groups I didn't recognize: "system" and "interactive". I am looking to eliminate any back door access through my workgroup and through an IIS connection. Do I need to leave these groups for my system to function properly? If I do leave them, will it provide an account someone can log into through IIS when the username and password box appears? Also, is there somewhere I can look on my computer to view these groups I've never seen before? Thanks!
firemanrob Asked:
 
Debsyl99 Commented:
Hi
These two are built-in accounts and generally you don't really want to mess with them, as changing permissions or access can seriously affect the correct functioning of your operating system and applications.
How the System Account Is Used in Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;120929
Windows 2000/XP - Built-in Users and Default Groups
http://www.ss64.com/ntsyntax/security_groups.html

However, if you're concerned about security, have a look at the tools/links below. The Baseline Analyzer will work with XP and apparently takes a good look at IIS setup and config. Ensure that you have a firewall in place to help prevent unauthorised external access.
Microsoft Baseline Security Analyzer V1.2.1
http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Some further useful links:

Hardening Windows NT/2000/XP Information Systems
http://www.windowsecurity.com/articles/Hardening_Windows_NT2000XP_Information_Systems.html
Checklist for Securing a Windows XP IIS 5.1 Webserver
http://www.nthelp.com/NT6/Securing%20an%20XP%20web%20server.htm
Secure an IIS Web server with these 10 steps
http://techrepublic.com.com/5100-6264_11-5226103.html

Deb :))
0
 
anil_u Commented:
Taken from
http://www.techtutorials.com/tutorials/xp/managing_groups.shtml

Built-In System Groups

Built-in system groups exist on Windows XP Professional systems and while they do have specific memberships that you can modify, you cannot administer the groups directly, they are available for modification when you assign user rights and permissions to resources. Built-in system group membership is based on how the computer is accessed, not on who uses the computer. The list below shows the primary built-in system groups and their default properties and characteristics. - This is not a group, just a name to group groups :) (hope that makes sense)
e.g.
Everyone, Created Owner, Interactive... this collectively is the systems group


Interactive - Members of the Interactive Built-in System group are "added" as they log on locally to the system. - I suggest you leave this one alone :)
0
 
firemanrob (Author) Commented:
So if the "system" group is shown on the drive permissions, you are saying it includes the Everyone group and the owner group? So having the System group is allowing everyone on the permissions?
0
 
anil_u Commented:
Apologies, I have looked further into this and the above info on the 'system' is incorrect.

The system group is used to manage accounts that provide system services such as the webserver.

For your information, you can check what permissions each group has by
right-clicking on a file, e.g. a .gif -> Properties -> 'Security' tab -> 'Advanced' button -> if 'SYSTEM' is not in the permission entries then click on 'Add' and add it -> then click on 'View/Edit'.
Here you can see all the permissions assigned to the 'SYSTEM' group.
0
 
Gargantubrain Commented:
The SYSTEM group refers to most of the services that are running. Go to Control Panel, Administrative Tools, Services and look at all the accounts that Log On As "Local System". Those are the things that need permission to areas, and the SYSTEM group gives them permission.

The INTERACTIVE group refers to anyone logged in at the console, therefore "Interactively".

I would avoid giving any permissions to the Everyone group. Start with no permissions and give it carefully, rather than starting with Everyone or lots of permissions and trying to lock it down more.


0
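An added example, not taken from any of the posts above: the two checks this thread describes (who holds permissions on C:\, and which services log on as "Local System"), run from Windows PowerShell instead of the GUI. It assumes Windows PowerShell 2.0 or later is installed, which a default Windows XP system does not include; `$path` and the variable names are illustrative.

```powershell
# Added example; assumes Windows PowerShell 2.0+ (Get-WmiObject is not in PowerShell 7+).
$path = 'C:\'    # drive root from the question; change as needed

# Well-known SIDs of the built-in principals discussed in the thread.
$wellKnown = @{
    'S-1-5-18' = 'SYSTEM: services that log on as Local System'
    'S-1-5-4'  = 'INTERACTIVE: whoever is logged on at the console'
    'S-1-1-0'  = 'Everyone'
    'S-1-3-0'  = 'CREATOR OWNER'
}

# 1. Who has permissions on the path? Request SIDs so the match does not
#    depend on display names, which vary with the Windows language.
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = (Get-Acl -Path $path).GetAccessRules($true, $true, $sidType)

$report = foreach ($rule in $rules) {
    $sid = $rule.IdentityReference.Value
    try {
        $name = $rule.IdentityReference.Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $name = $sid    # SID that no longer resolves to an account
    }
    New-Object PSObject -Property @{
        Principal = $name
        Sid       = $sid
        Type      = $rule.AccessControlType    # Allow or Deny
        Rights    = $rule.FileSystemRights     # generic rights may show as numbers
        Inherited = $rule.IsInherited
        Note      = $wellKnown[$sid]           # empty for ordinary users and groups
    }
}
$report | Format-Table Principal, Type, Rights, Inherited, Note -AutoSize

# 2. Flag any Allow entry for Everyone, the grant the last answer advises against.
$everyone = @($report | Where-Object { $_.Sid -eq 'S-1-1-0' -and $_.Type -eq 'Allow' })
foreach ($entry in $everyone) {
    Write-Warning "Everyone is allowed '$($entry.Rights)' on $path"
}

# 3. Which services rely on the SYSTEM entry? These are the ones the
#    Services console shows as Log On As "Local System".
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' } |
    Sort-Object Name |
    Format-Table Name, State, StartMode -AutoSize
```

The script only reads the ACL and the service list; it changes nothing on the system.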
Question has a verified solution.
