Solved

Securing SYSVOL, NETLOGON

Posted on 2011-09-28
5
1,443 Views
Last Modified: 2012-06-21
We are currently attempting to remove "Everyone" access from all shares for security reasons.  I am searching for a document with some kind of best practice information for securing access to SYSVOL, NETLOGON and other default shares.  Primarily - how do we go about removing Everyone from shares (if we can) withough breaking anything.

Thank you for any assistance y'all can provide!
0
Comment
Question by:yccdadmins
5 Comments
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 36719215
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 36719232
Changing Everyone to Authenticated Users is a good way to do this without breaking anything. Realistically, though, removing the Everyone group from Share Permissions will do nothing to improve your security, since actual permissions to files are determined by NTFS permissions on the folders the shares point to. In a sharing setup, the least permissive permissions win, so having Shares set to allow write and read access to the Everyone group doesn't mean that everyone will actually have access. It all depends on NTFS permissions.
0
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 36719352
As acbrown2010 said, All depends on NTFS permission, share permissions are only for sharing. If you have any concern about security then you can safely remove "everyone" from NTFS permission on SYSVOL folder, Authenticated Users are sufficient and they have only Read/Execute and List Folder content on SYSVOL and Netlogon - and that's what they need... This is the best practice...

For the default permissions of the sysvol folder, you can refer to the KB article 290647:
http://support.microsoft.com//kb/290647 

Regards,
Abhijit Waikar.

 

0
 

Author Comment

by:yccdadmins
ID: 36814819
Thank you for the information and saving me some search time!

Yes - security on the file structure is key and has already been addressed.  The share is the gateway to the file systems and must also be considered when meeting strict security and auditing guidlines.

I am reviewing the links provided - thank you for the information!
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 36815133
For most accreditation systems (DIACAP, PCI, etc), changing share permissions from everyone to Authenticated Users or Domain Users will meet requirements. For information, the requirements to get rid of the Everyone group is due to the way Windows used to have the Everyone group set up. The Everyone group used to include guest and anonymous users as well as everyone else. This isn't the case anymore, as that vulnerability was patched out of the OS about 5-6 years ago.
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now