Bionor
asked on
Default permissions level in Windows Server 2008
I was working to enhance the security level of my server and wanted to remove all permissions for the "Users" group so that only the system and admins could do anything to the server.
To do that I had to take ownership of the C: drive and remove the "Users" group from the list. I also added a deny rule to the "Users" group that denied the users from taking ownership and changing permissions. Then I used the "Replace on all child objects" option and clicked Apply.
What then happened (which I should have foreseen) was that all custom permissions on all folders were completely replaced by this. For instance, the iis_iusr user was removed from the root of my web folder so that my site went down. The Server Manager application also gave me "access denied" messages when I tried to access it. I think this message was regarding the logs, as all the logs there were gone.
I have managed to get everything working again, but I fear that I now have a level of security that is lower than it was before, so I want to make everything as it was before, but I am unable to find out what the default permission levels were. Can anyone help me?
You can always perform a system restore to a point before messing around with Users permissions.
ASKER
Are you sure that will have an effect on the file permissions? I'll check and see if there's any restore points saved.
ASKER
Actually, I do not believe that System Restore is installed on this version of Windows Server 2008; I cannot find it anywhere. Instead of setting all permissions to the default level, are there any good guides for configuring this for (web) servers?
You can type System Restore in the Search field and it will find it. It should be in the Accessories – System Tools program menu.
Another way could be, if you have a full backup of the server, to restore it – but before doing that, you need to take another backup of the data and, after restoring the old backup, restore the data from the new backup. Beware that Windows Backup of Windows Server 2008 (before R2) backs up and restores full volumes only.
There are guidelines for securing a web server, for example http://technet.microsoft.com/en-us/library/dd450371%28WS.10%29.aspx
Before Windows Server 2008 there was a default security template that could be applied with secedit, but starting with Windows Server 2008 this method is no longer supported and can lead to an unstable OS. For more information see http://support.microsoft.com/kb/313222
ASKER
OK, thanks. I did type it in the search field and it did not show up, but I think I'll manage anyway. What I did to make things work again was to give the "Authenticated Users" group modify permissions (read, write, modify, execute etc.) on the root of C: and subfolders. Do you think that will give the IIS_IUSR user unwanted permissions?
I don't think that system restore will reset permissions. You should really restore from backup or reformat and rebuild.
ASKER
I do not think so either. The problem is that I have not got around to setting up backup yet. The server is located at an external location (another country), so I do not control the LAN there. I'll get a backup solution when the funds allow it.
But I do not need to format and rebuild as long as I can set the permissions as they were, if I could only find out what they were. Or better, not necessarily as they were, but how they can be in order to be secure.
Another way to put it can be: what is the minimum amount of permissions needed to allow things to work?
One should believe that this would suffice:
System: Full control
Creator Owner: Full control
Administrators: Full control
But these settings gave me an error message when accessing the Server Manager.
When I also added Authenticated Users: Modify, the error messages went away.
ASKER CERTIFIED SOLUTION
ASKER
Yes, so do I... I have been at it for many, many hours now, and it only seems to get worse. Tip for anyone reading this: DO NOT MESS WITH THE FILE/FOLDER PERMISSIONS unless you have a PERFECT understanding of what you are doing. I have taken a backup of all critical files and will do a full format soon.
ASKER
An additional tip for anyone reading this:
If you plan on changing the ACLs (file permissions), I would highly recommend making a backup of the ACLs before doing anything. I was not aware before that this is possible.
ICACLS * /save aclbackup.txt /T /C
* means to use all files and folders. /T means to search in subfolders and files. /C means to continue on error, i.e. access denied.
To restore from backup:
icacls . /restore aclbackup.txt
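An added example, not part of the original thread: a file produced by ICACLS /save holds pairs of lines (a relative path, then that object's ACL in SDDL), so the backup can also be reviewed for grants that are too wide, such as the Authenticated Users: Modify entry discussed above. The sketch assumes the file has already been decoded to text; the sample paths and ACLs are constructed, and the function names are hypothetical.

```python
import re

# SDDL rights codes mapped to file access-mask bits (subset relevant to files).
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x10000000, "GW": 0x40000000, "GR": 0x80000000, "GX": 0x20000000,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
          "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100}
# Bits that let a principal alter content, ACLs or ownership.
WRITE_BITS = {0x2: "write data", 0x4: "append data", 0x10000: "delete",
              0x40000: "change permissions", 0x80000: "take ownership",
              0x10000000: "generic all", 0x40000000: "generic write"}
# Broad built-in groups, by SDDL alias.
BROAD = {"AU": "Authenticated Users", "BU": "Users", "WD": "Everyone"}
ACE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")

def pairs(field):
    """Split an SDDL flags/rights field into its two-letter codes."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def mask_of(rights):
    """Convert an SDDL rights field (hex mask or letter codes) to an int."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in pairs(rights):
        mask |= RIGHTS.get(code, 0)
    return mask

def audit(save_text):
    """List allow ACEs that give a broad group write-type access.
    Returns (path, group, inherited, [rights]) tuples."""
    lines = [l for l in save_text.splitlines() if l.strip()]
    findings = []
    for path, sddl in zip(lines[0::2], lines[1::2]):  # path line, then SDDL line
        for ace_type, flags, rights, sid in ACE.findall(sddl):
            if ace_type != "A" or sid not in BROAD:
                continue  # deny/audit ACEs and specific accounts are skipped
            mask = mask_of(rights)
            hits = [name for bit, name in WRITE_BITS.items() if mask & bit]
            if hits:
                findings.append((path, BROAD[sid], "ID" in pairs(flags), hits))
    return findings

# Constructed sample in the layout of an icacls /save file (not real output).
SAMPLE = """inetpub
D:AI(D;;WDWO;;;BU)(A;OICIID;FA;;;BA)(A;OICIID;0x1301bf;;;AU)
inetpub\\wwwroot
D:AI(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```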