Solved

NTFS Permissions

Posted on 2004-09-01
Last Modified: 2013-12-04
Hello, I have Windows XP formatted to NTFS. I am setting the permissions on the C: drive and came across a few user groups I didn't recognize: "system" and "interactive". I am looking to eliminate any back door access through my workgroup and through an IIS connection. Do I need to leave these groups for my system to function properly? If I do leave them, will it provide an account someone can log into through IIS when the username and password box appears? Also, is there somewhere I can look on my computer to view these groups I've never seen before? Thanks!
0
Question by:firemanrob
5 Comments
 
LVL 8

Expert Comment

by:anil_u
ID: 11949889
Taken from
http://www.techtutorials.com/tutorials/xp/managing_groups.shtml

Built-In System Groups

Built-in system groups exist on Windows XP Professional systems and while they do have specific memberships that you can modify, you cannot administer the groups directly; they are available for modification when you assign user rights and permissions to resources. Built-in system group membership is based on how the computer is accessed, not on who uses the computer. The list below shows the primary built-in system groups and their default properties and characteristics. - This is not a group, just a name to group groups :) (hope that makes sense)
e.g.
Everyone, Created Owner, Interactive... this collectively is the systems group


Interactive - Members of the Interactive Built-in System group are "added" as they log on locally to the system. - I suggest you leave this one alone :)
0
 

Author Comment

by:firemanrob
ID: 11957217
So if the "system" group is shown on the drive permissions, you are saying it includes the everyone group and the owner group? So having the System group is allowing everyone on the permissions?
0
 
LVL 8

Expert Comment

by:anil_u
ID: 11957785
Apologies, I have looked further into this and the above info on the 'system' is incorrect.

The system group is used to manage accounts that provide system services such as the web server.

For your information, you can check what permissions each group has by
right-clicking on a file, e.g. a .gif -> Properties -> 'Security' tab -> 'Advanced' button -> if 'SYSTEM' is not in the permission entries then click on 'Add' and add it -> then click on 'View/Edit'.
Here you can see all the permissions assigned to the 'SYSTEM' group.
0
 
LVL 20

Accepted Solution

by:
Debsyl99 earned 500 total points
ID: 11965730
Hi
These two are built-in accounts and generally you don't really want to mess with them, as changing permissions or access can seriously affect the correct functioning of your operating system and applications.
How the System Account Is Used in Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;120929
Windows 2000/XP - Built-in Users and Default Groups
http://www.ss64.com/ntsyntax/security_groups.html

However, if you're concerned about security, have a look at the tools/links below. The Baseline Analyzer will work with XP and apparently takes a good look at IIS setup and config. Ensure that you have a firewall in place to help prevent unauthorised external access.
Microsoft Baseline Security Analyzer V1.2.1
http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Some further useful links:

Hardening Windows NT/2000/XP Information Systems
http://www.windowsecurity.com/articles/Hardening_Windows_NT2000XP_Information_Systems.html
Checklist for Securing a Windows XP IIS 5.1 Webserver
http://www.nthelp.com/NT6/Securing%20an%20XP%20web%20server.htm
Secure an IIS Web server with these 10 steps
http://techrepublic.com.com/5100-6264_11-5226103.html

Deb :))
0
 
LVL 3

Expert Comment

by:Gargantubrain
ID: 11969139
The SYSTEM group refers to most of the services that are running. Go to Control Panel, Administrative Tools, Services and look at all the accounts that Log On As "Local System". Those are the things that need permission to areas, and the SYSTEM group gives them permission.

The INTERACTIVE group refers to anyone logged in at the console, therefore "Interactively".

I would avoid giving any permissions to the Everyone group. Start with no permissions and give it carefully, rather than starting with Everyone or lots of permissions and trying to lock it down more.


0
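
The checks described in the comments above (which built-in identities appear on the drive's permissions, whether Everyone is granted anything, and which services log on as Local System) can also be scripted. This is an added example, not code from any poster in this thread; it assumes a Windows version with PowerShell 3.0 or later, and the function names `Get-BuiltinAclReport` and `Get-LocalSystemService` are hypothetical.

```powershell
# Added example. Well-known SIDs for the built-in identities named in this thread.
$WellKnown = @{
    'S-1-5-18' = 'SYSTEM'          # Local System account used by services
    'S-1-5-4'  = 'INTERACTIVE'     # whoever is logged on at the console
    'S-1-1-0'  = 'Everyone'
    'S-1-3-0'  = 'CREATOR OWNER'
}

function Get-BuiltinAclReport {
    param([string]$Path = 'C:\')   # assumption: the drive root from the question

    $acl = Get-Acl -LiteralPath $Path
    # Request SIDs so matching does not depend on localized account names.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid  = $rule.IdentityReference.Value
        $name = $WellKnown[$sid]
        if (-not $name) {
            # Not one of the four above: fall back to the account name, or the raw SID.
            try {
                $name = $rule.IdentityReference.Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $name = $sid }
        }
        [pscustomobject]@{
            Identity  = $name
            Type      = $rule.AccessControlType
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
            # Flag Allow entries for Everyone, the case the last comment advises against.
            Review    = ($sid -eq 'S-1-1-0' -and $rule.AccessControlType -eq 'Allow')
        }
    }
}

function Get-LocalSystemService {
    # Services whose "Log On As" is Local System; these rely on the SYSTEM entries.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, DisplayName, State
}

Get-BuiltinAclReport -Path 'C:\' | Format-Table -AutoSize
Get-LocalSystemService | Sort-Object Name | Format-Table -AutoSize
```

Rows with `Review` set to `True` are the Everyone grants to look at first; the second table shows what would be affected if SYSTEM were removed from a path.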