Default permissions level in Windows Server 2008

I was working to enhance the security level of my server and wanted to remove all of the "Users" group's permissions so that only the system and admins could do anything to the server.

To do that I had to take ownership of the C: drive and remove the "Users" group from the list. I also added a deny rule to the "Users" group that denied the users from taking ownership and changing permissions. Then I used the "Replace on all child objects" option and clicked Apply.

What then happened (which I should have foreseen) was that all custom permissions on all folders were completely replaced by this. For instance, the iis_iusr user was removed from the root of my web folder so that my site went down. The Server Manager application also gave me "access denied" messages when I tried to access it. I think this message was regarding the logs, as all the logs there were gone.

I have managed to get everything working again, but I fear that I now have a level of security that is lower than it was before, so I want to make everything as it was before, but I am unable to find out what the default permission levels were. Can anyone help me?
Asked by: Bionor

Svet Paperov (IT Manager) commented:
You can always perform a system restore to a point before messing around with Users permissions.

Bionor (Author) commented:
Are you sure that will have an effect on the file permissions? I'll check and see if there's any restore points saved.

Bionor (Author) commented:
Actually, I do not believe that System Restore is installed on this version of Windows Server 2008; I cannot find it anywhere. Instead of setting all permissions to the default level, are there any good guides for configuring this for (web) servers?
 
Svet Paperov (IT Manager) commented:
You can type System Restore in the Search field and it will find it. It should be in the Accessories – System Tools program menu.

Another way could be, if you have a full backup of the server, to restore it. But before doing that, you need to take another backup of the data and, after restoring the old backup, restore the data from the new backup. Beware that Windows Backup of Windows Server 2008 (before R2) backs up and restores full volumes only.

There are guidelines for securing a web server, for example http://technet.microsoft.com/en-us/library/dd450371%28WS.10%29.aspx

Before Windows Server 2008 there was a default security template that could be applied with secedit, but starting with Windows Server 2008 this method is no longer supported and can lead to an unstable OS. For more information see http://support.microsoft.com/kb/313222

Bionor (Author) commented:
OK, thanks. I did type it in the search field and it did not show up, but I think I'll manage anyway. What I did to make things work again was to give the "Authenticated Users" group modify permissions (read, write, modify, execute etc.) on the root of C: and subfolders. Do you think that will give the IIS_IUSR user unwanted permissions?

kevinhsieh commented:
I don't think that system restore will reset permissions. You should really restore from backup or reformat and rebuild.

Bionor (Author) commented:
I do not think so either. The problem is that I have not gotten around to setting up backup yet. The server is located at an external location (another country), so I do not control the LAN there. I'll get a backup solution when the funds allow it.

But I do not need to format and rebuild as long as I can set the permissions as they were, if I could only find out what they were. Or better, not necessarily as they were, but how they can be in order to be secure.

Another way to put it can be: what is the minimum amount of permissions needed to allow things to work?

One should believe that this would suffice:
System: Full control
Creator Owner: Full control
Administrators: Full control

But these settings gave me an error message when accessing the Server Manager.
When I also added Authenticated Users: Modify, the error messages went away.

Svet Paperov (IT Manager) commented:
Windows Server 2008 permissions are much more complex than those in Windows Server 2003. It uses many service accounts that are not visible in the list of users. You will never be able to restore the permissions as they were before.  

Since you don’t have any backup of the server, I think your only valid option is to reinstall it.


Bionor (Author) commented:
Yes, so do I... I have been at it for many, many hours now, and it only seems to get worse. Tip for anyone reading this: DO NOT MESS WITH THE FILE/FOLDER PERMISSIONS unless you have PERFECT understanding of what you are doing. I have taken a backup of all critical files and will do a full format soon.

Bionor (Author) commented:
An additional tip for anyone reading this:

If you plan on changing the ACLs (file permissions), I would highly recommend making a backup of the ACLs before doing anything. I was not aware before that this is possible.

 
ICACLS * /save aclbackup.txt /T /C

* means to use all files and folders. /T means to search in subfolders and files. /C means to continue on error, i.e. access denied.

To restore from backup:
 
icacls . /restore aclbackup.txt

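As a companion to the ACL backup tip above, here is an added example (not part of the original thread) that snapshots each object's security descriptor as SDDL before a permission change and reports what differs afterwards, which is how a recursive replace like the one in the question would show up. It assumes PowerShell 3.0 or later; the function names and paths are hypothetical.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0+.
# Snapshot owner + DACL of every object under $Root as SDDL, one CSV row per path.
function Save-AclSnapshot {
    param([Parameter(Mandatory=$true)][string]$Root,
          [Parameter(Mandatory=$true)][string]$OutFile)
    # Get-ChildItem -Recurse does not return the root itself, so add it explicitly
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    $items | ForEach-Object {
        $item = $_
        try {
            $sddl = (Get-Acl -LiteralPath $item.FullName -ErrorAction Stop).Sddl
        } catch {
            # Like icacls /C: note the failure and continue with the next object
            $sddl = "UNREADABLE: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Path = $item.FullName; Sddl = $sddl }
    } | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
}

# Report every path whose security descriptor is new or different in the second snapshot.
function Compare-AclSnapshot {
    param([Parameter(Mandatory=$true)][string]$Before,
          [Parameter(Mandatory=$true)][string]$After)
    $old = @{}   # hashtable keys are case-insensitive, matching Windows paths
    Import-Csv -Path $Before | ForEach-Object { $old[$_.Path] = $_.Sddl }
    Import-Csv -Path $After | ForEach-Object {
        if (-not $old.ContainsKey($_.Path)) {
            [pscustomobject]@{ Path = $_.Path; Change = 'Added'
                               Before = $null; After = $_.Sddl }
        } elseif ($old[$_.Path] -cne $_.Sddl) {
            [pscustomobject]@{ Path = $_.Path; Change = 'Changed'
                               Before = $old[$_.Path]; After = $_.Sddl }
        }
    }
}

# Usage (paths are constructed examples):
#   Save-AclSnapshot -Root 'C:\inetpub' -OutFile 'C:\aclsnap\before.csv'
#   ... make the permission change ...
#   Save-AclSnapshot -Root 'C:\inetpub' -OutFile 'C:\aclsnap\after.csv'
#   Compare-AclSnapshot -Before 'C:\aclsnap\before.csv' -After 'C:\aclsnap\after.csv' |
#       Format-List
```

The CSV is for review only; the icacls /save file is still what icacls /restore consumes.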
