NTFS permissions and the default C$ share on servers - security issue?

I just have a simple question about NTFS permissions on a web server:

I have the site data on a separate hard drive, E:, with group Everyone completely removed from the permissions. Should I do the same on the C: drive to lock down the server further, or will that ruin the server so that I won't be able to log in? Do you have any recommendations? The way it's currently set up, anyone that gains access to the network -- not even the server -- can simply access \\server\c$ to see EVERYTHING on the C: drive. If you ask me, that is a heck of a security threat. Do you have any recommendations for other servers such as DCs or file servers? Is this share necessary (I assume so...)?

That's all! Thanks!
Pugglewuggle Asked:
 
Fridolin Mansmann (Master of Business Engineering Management) Commented:
The c$ share is an admin share and normally only accessible with administrative rights. I would NOT recommend removing the share.
But you can remove the Everyone group from the NTFS permissions. Maybe you should add "Domain users" or another group with READ permissions if necessary to access something.
Be sure that on C: (Root) the "Administrators" group has FULL Control permissions.

For detailed information, see here:
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx

Also an interesting tool:
http://support.microsoft.com/kb/318754

Guides:
http://technet2.microsoft.com/windowsserver/en/library/33572299-55a2-4868-b0bc-8f2875ddee471033.mspx?mfr=true

MAYBE a good idea is to have a full backup of the server and a system restore point!
If you have doubts, use a VMWare session or VirtualPC2007 session to set up a new server for testing and playing around with permissions before doing this on a production machine.
 
Pete Long (Technical Consultant) Commented:
I'm assuming because of the TA we are talking about an IIS web site?

OK, there is a difference in permissions if we are - web permissions are set in the IIS management console, not at folder level :) Your best bet if you are worried is to download the IIS lock down tool, which analyses and recommends the best practice for your IIS server, then run the Microsoft baseline security analyzer on the server to make sure everything else is OK :)

Pete

IIS Lockdown tool http://www.microsoft.com/technet/security/tools/locktool.mspx
M$ Baseline Analyser http://www.microsoft.com/technet/security/tools/mbsahome.mspx
 
Pugglewuggle (Author) Commented:
Here are a few extra notes to help your decision making/suggestions out a bit --

The server is running IIS 6.0 on WS 2003 Web Edition - fully patched - SP2
IIS 6.0 does not support the IIS lockdown tool
The MBSA has been run and the server is locked down as suggested
These hidden shares are located on the root of ALL drives in systems running at least XP
I DO NOT want to delete these shares, just secure them with NTFS permissions
SMB permissions CANNOT be set on these default shares - they are for administrative purposes

When I go to remove the Everyone group, the OS freaks out and tells me "You are about to change the permission settings on the root directory of the startup disk, which can result in unexpected access problems and reduce security. Do you want to continue?"

The message shouts "don't mess with me"... so I'm a bit worried.... Please advise.

Thanks!
 
Vegaskid1973 Commented:
These 'drive' shares C$, D$ etc are admin shares as previously stated and can only be accessed by members of the local administrators group, which includes domain admins by default. You can't change the permission on them, only disable the share itself. Note that this could cause problems with applications that use them, plus it makes remote administration harder.

If you have a problem with people being able to access them, then a better procedure would be to remove them from unnecessary security groups - think principle of least privilege.
 
Pugglewuggle (Author) Commented:
For the purpose of the web server, a stand-alone machine in a DMZ and not a member of a domain, what do you recommend? Should I remove Everyone from the NTFS permissions on the C: drive or does it matter?
 
Fridolin Mansmann (Master of Business Engineering Management) Commented:
I personally would remove the Everyone group.
See the links provided earlier; there are MS security guides and server hardening documentation of about 30 pages.....
Question has a verified solution.
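
A read-only audit for the question discussed in this thread, added here as an example and not part of any participant's post: it lists the administrative disk shares, shows who is in the local Administrators group (the accounts the replies say can open C$), and reports any Everyone entry on the root of each shared drive. It assumes Windows PowerShell (for `Get-WmiObject`), an elevated local session, and an English-language group name for `net localgroup`.

```powershell
# Read-only audit: administrative shares, local administrators, and
# Everyone ACEs on drive roots. Changes nothing on the system.
# Assumptions: Windows PowerShell, elevated session, run on the server itself.

# Win32_Share.Type value for an administrative disk share (C$, E$, ADMIN$)
$adminDiskShare = 2147483648

# 1. Administrative disk shares and the paths they expose
$shares = Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Type -eq $adminDiskShare } |
    Select-Object Name, Path
$shares | Format-Table -AutoSize

# 2. Members of the local Administrators group
#    (group name is localized on non-English systems)
net localgroup Administrators

# 3. Resolve the well-known Everyone SID (S-1-1-0) to its local display name
$sid = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$everyone = $sid.Translate([System.Security.Principal.NTAccount]).Value

# 4. Report Everyone ACEs on the root of each shared drive
foreach ($share in $shares) {
    # Only drive roots such as C:\ ; this skips ADMIN$, which maps to the Windows folder
    if ($share.Path -notmatch '^[A-Za-z]:\\$') { continue }

    $acl  = Get-Acl -Path $share.Path
    $hits = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $everyone }

    if ($hits) {
        $hits | Select-Object @{Name = 'Root'; Expression = { $share.Path }},
            FileSystemRights, AccessControlType, IsInherited,
            InheritanceFlags, PropagationFlags
    } else {
        "{0}: no ACE for {1}" -f $share.Path, $everyone
    }
}
```

Saving this output before and after an ACL change on a test machine gives a record to compare against if something stops working.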