Solved

Securing SYSVOL, NETLOGON

Posted on 2011-09-28
Last Modified: 2012-06-21
We are currently attempting to remove "Everyone" access from all shares for security reasons. I am searching for a document with some kind of best practice information for securing access to SYSVOL, NETLOGON and other default shares. Primarily - how do we go about removing Everyone from shares (if we can) without breaking anything.

Thank you for any assistance y'all can provide!
Question by: yccdadmins
Accepted Solution by: Darius Ghassem (earned 500 total points)
 
LVL 38

Expert Comment

by:Adam Brown
Comment Utility
Changing Everyone to Authenticated Users is a good way to do this without breaking anything. Realistically, though, removing the Everyone group from Share Permissions will do nothing to improve your security, since actual permissions to files are determined by NTFS permissions on the folders the shares point to. In a sharing setup, the least permissive permissions win, so having Shares set to allow write and read access to the Everyone group doesn't mean that everyone will actually have access. It all depends on NTFS permissions.
Expert Comment by: abhijitwaikar
As acbrown2010 said, it all depends on NTFS permissions; share permissions are only for sharing. If you have any concern about security then you can safely remove "Everyone" from the NTFS permissions on the SYSVOL folder. Authenticated Users are sufficient, and they have only Read/Execute and List Folder Contents on SYSVOL and Netlogon - and that's what they need... This is the best practice...

For the default permissions of the sysvol folder, you can refer to the KB article 290647:
http://support.microsoft.com//kb/290647

Regards,
Abhijit Waikar.

Author Comment by: yccdadmins
Thank you for the information and saving me some search time!

Yes - security on the file structure is key and has already been addressed. The share is the gateway to the file systems and must also be considered when meeting strict security and auditing guidelines.

I am reviewing the links provided - thank you for the information!
Expert Comment by: Adam Brown
For most accreditation systems (DIACAP, PCI, etc.), changing share permissions from Everyone to Authenticated Users or Domain Users will meet requirements. For information, the requirement to get rid of the Everyone group is due to the way Windows used to have the Everyone group set up. The Everyone group used to include guest and anonymous users as well as everyone else. This isn't the case anymore, as that vulnerability was patched out of the OS about 5-6 years ago.
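The two points made in this thread (share permissions and NTFS permissions are separate layers whose intersection decides effective access, and "Everyone" on the share can be swapped for Authenticated Users without breaking Group Policy or logon scripts) as an added PowerShell example; this is not code from the thread or from Microsoft. It assumes Windows Server 2012 or later (the SmbShare module) and an elevated session on the domain controller; the function names Get-EveryoneExposure and Repair-ShareEveryone are my own.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012+ (SmbShare
# module) and an elevated session on the domain controller.

function Get-EveryoneExposure {
    param([string[]]$ShareName = @('SYSVOL', 'NETLOGON'))
    foreach ($name in $ShareName) {
        $share = Get-SmbShare -Name $name -ErrorAction Stop
        # Share-layer ACEs granted to Everyone
        $shareAces = Get-SmbShareAccess -Name $name |
            Where-Object { $_.AccountName -eq 'Everyone' }
        # NTFS ACEs granted to Everyone on the folder behind the share
        $ntfsAces = (Get-Acl -Path $share.Path).Access |
            Where-Object { $_.IdentityReference.Value -eq 'Everyone' }
        # Over the network the effective right is the intersection of the two
        # layers, so a share-layer Everyone entry only matters if NTFS also
        # grants Everyone something.
        [pscustomobject]@{
            Share               = $name
            Path                = $share.Path
            ShareEveryoneRights = ($shareAces | ForEach-Object { "$($_.AccessControlType):$($_.AccessRight)" }) -join ','
            NtfsEveryoneRights  = ($ntfsAces  | ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" }) -join ','
            NtfsGrantsEveryone  = [bool]($ntfsAces | Where-Object { $_.AccessControlType -eq 'Allow' })
        }
    }
}

function Repair-ShareEveryone {
    # Replace the share-layer "Everyone" allow entry with Authenticated Users
    # holding the same right. Authenticated Users must keep at least Read so
    # domain members can still fetch Group Policy and logon scripts.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ShareName)
    $entry = Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' } |
        Select-Object -First 1
    if (-not $entry) { Write-Verbose "${ShareName}: no Everyone allow entry"; return }
    $right = [string]$entry.AccessRight   # Full, Change or Read
    if ($PSCmdlet.ShouldProcess($ShareName, "Replace Everyone ($right) with Authenticated Users")) {
        Grant-SmbShareAccess  -Name $ShareName -AccountName 'NT AUTHORITY\Authenticated Users' -AccessRight $right -Force | Out-Null
        Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
    }
}

# Audit first; dry-run the change with -WhatIf and drop it only once the report
# shows what you expect.
Get-EveryoneExposure | Format-Table -AutoSize
'SYSVOL', 'NETLOGON' | ForEach-Object { Repair-ShareEveryone -ShareName $_ -WhatIf }
```

Run the audit on every domain controller, since share ACLs are local to each server while the NTFS ACL on SYSVOL is replicated.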