Solved

Securing SYSVOL, NETLOGON

Posted on 2011-09-28
5
1,604 Views
Last Modified: 2012-06-21
We are currently attempting to remove "Everyone" access from all shares for security reasons.  I am searching for a document with some kind of best practice information for securing access to SYSVOL, NETLOGON and other default shares.  Primarily - how do we go about removing Everyone from shares (if we can) withough breaking anything.

Thank you for any assistance y'all can provide!
0
Comment
Question by:yccdadmins
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 36719215
0
 
LVL 40

Expert Comment

by:Adam Brown
ID: 36719232
Changing Everyone to Authenticated Users is a good way to do this without breaking anything. Realistically, though, removing the Everyone group from Share Permissions will do nothing to improve your security, since actual permissions to files are determined by NTFS permissions on the folders the shares point to. In a sharing setup, the least permissive permissions win, so having Shares set to allow write and read access to the Everyone group doesn't mean that everyone will actually have access. It all depends on NTFS permissions.
0
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 36719352
As acbrown2010 said, All depends on NTFS permission, share permissions are only for sharing. If you have any concern about security then you can safely remove "everyone" from NTFS permission on SYSVOL folder, Authenticated Users are sufficient and they have only Read/Execute and List Folder content on SYSVOL and Netlogon - and that's what they need... This is the best practice...

For the default permissions of the sysvol folder, you can refer to the KB article 290647:
http://support.microsoft.com//kb/290647 

Regards,
Abhijit Waikar.

 

0
 

Author Comment

by:yccdadmins
ID: 36814819
Thank you for the information and saving me some search time!

Yes - security on the file structure is key and has already been addressed.  The share is the gateway to the file systems and must also be considered when meeting strict security and auditing guidlines.

I am reviewing the links provided - thank you for the information!
0
 
LVL 40

Expert Comment

by:Adam Brown
ID: 36815133
For most accreditation systems (DIACAP, PCI, etc), changing share permissions from everyone to Authenticated Users or Domain Users will meet requirements. For information, the requirements to get rid of the Everyone group is due to the way Windows used to have the Everyone group set up. The Everyone group used to include guest and anonymous users as well as everyone else. This isn't the case anymore, as that vulnerability was patched out of the OS about 5-6 years ago.
0

Featured Post

Forrester Webinar: xMatters Delivers 261% ROI

Guest speaker Dean Davison, Forrester Principal Consultant, explains how a Fortune 500 communication company using xMatters found these results: Achieved a 261% ROI, Experienced $753,280 in net present value benefits over 3 years and Reduced MTTR by 91% for tier 1 incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question