What are the best practices for default local groups in a Windows Server 2008?
Posted on 2011-03-08
We are currently working with Windows Server 2003 and 2008.
We recently had an issue with some shared folders being accidentally shared with everyone in the company, which is a potential security risk.
The issue was that shared folders were being granted access to everyone and the security was being done by NTFS access.
The problem was that by default all folders on a server grant read access to the local Users group, and further investigation let us know that by default the "Domain Users" group is assigned to the local Users group, thus implicitly all shared folders were being granted read access to all company users.
Now what would you suggest to prevent this from happening?
(A) Shared folders should not be granted access to "Everyone" unless it is required to be that way.
(B) Remove "Domain Users" and "Authenticated Users" from the local Users group, which are automatically added when a server is added to the domain.
(C) Remove the local Users group from the folder that is being shared.
I feel option (B) is the most secure, but I'm afraid it may affect the server's performance or that some services may stop working correctly.
My second option would be option (A), since I feel I have more control over who has access to the shares, and it prevents access being granted accidentally because of folder inheritance.
Option (C) seems to me to be error-prone, but it is the way we are working right now, and in my opinion we should stop doing that.
What do the experts advise?
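One way to audit for the exact combination described in this question (an example added here, not code from the original post): a PowerShell script that lists who is in the local Users group and flags every disk share that is shared to "Everyone" at the share level while BUILTIN\Users still holds an NTFS allow entry. It assumes PowerShell 2.0 or later on the file server and uses WMI for share security because the SmbShare cmdlets do not exist on Server 2008.

```powershell
# Added audit example (not from the original post). Assumes PowerShell 2.0+ and
# an account allowed to read share security through WMI on the local server.

# 1. Who is in the local Users group? If Domain Users or Authenticated Users is
#    listed, a "BUILTIN\Users" NTFS entry effectively covers every domain account.
$localUsers = [ADSI]"WinNT://$env:COMPUTERNAME/Users,group"
$members = @($localUsers.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
Write-Host "Members of local Users group: $($members -join ', ')"

# 2. Walk the non-administrative disk shares (Win32_Share Type 0 = disk share;
#    hidden admin shares such as C$ have a different Type and are skipped).
Get-WmiObject -Class Win32_Share -Filter "Type=0" | ForEach-Object {
    $share = $_
    $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
        -Filter "Name='$($share.Name)'"
    if (-not $sec) { return }

    # Share-level DACL: does any Allow ACE (AceType 0) name Everyone?
    $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
    $sharedToEveryone = @($dacl | Where-Object {
        $_.AceType -eq 0 -and $_.Trustee.Name -eq 'Everyone'
    }).Count -gt 0

    # NTFS DACL: does BUILTIN\Users still hold an Allow entry (the default read rule)?
    $acl = Get-Acl -LiteralPath $share.Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    $ntfsUsersAce = @($acl.Access | Where-Object {
        $_.IdentityReference -eq 'BUILTIN\Users' -and $_.AccessControlType -eq 'Allow'
    })

    # Both conditions together are the exposure described in the question.
    if ($sharedToEveryone -and $ntfsUsersAce.Count -gt 0) {
        $rights = ($ntfsUsersAce | ForEach-Object { $_.FileSystemRights }) -join '; '
        Write-Warning ("{0} ({1}): shared to Everyone and BUILTIN\Users has NTFS {2}" `
            -f $share.Name, $share.Path, $rights)
    }
}
```

Run it from an elevated PowerShell prompt on each file server; any warning line is a share worth reviewing before deciding between options (A), (B) and (C).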