Solved

Securing SYSVOL, NETLOGON

Posted on 2011-09-28
5
1,494 Views
Last Modified: 2012-06-21
We are currently attempting to remove "Everyone" access from all shares for security reasons.  I am searching for a document with some kind of best practice information for securing access to SYSVOL, NETLOGON and other default shares.  Primarily - how do we go about removing Everyone from shares (if we can) withough breaking anything.

Thank you for any assistance y'all can provide!
0
Comment
Question by:yccdadmins
5 Comments
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 36719215
0
 
LVL 39

Expert Comment

by:Adam Brown
ID: 36719232
Changing Everyone to Authenticated Users is a good way to do this without breaking anything. Realistically, though, removing the Everyone group from Share Permissions will do nothing to improve your security, since actual permissions to files are determined by NTFS permissions on the folders the shares point to. In a sharing setup, the least permissive permissions win, so having Shares set to allow write and read access to the Everyone group doesn't mean that everyone will actually have access. It all depends on NTFS permissions.
0
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 36719352
As acbrown2010 said, All depends on NTFS permission, share permissions are only for sharing. If you have any concern about security then you can safely remove "everyone" from NTFS permission on SYSVOL folder, Authenticated Users are sufficient and they have only Read/Execute and List Folder content on SYSVOL and Netlogon - and that's what they need... This is the best practice...

For the default permissions of the sysvol folder, you can refer to the KB article 290647:
http://support.microsoft.com//kb/290647 

Regards,
Abhijit Waikar.

 

0
 

Author Comment

by:yccdadmins
ID: 36814819
Thank you for the information and saving me some search time!

Yes - security on the file structure is key and has already been addressed.  The share is the gateway to the file systems and must also be considered when meeting strict security and auditing guidlines.

I am reviewing the links provided - thank you for the information!
0
 
LVL 39

Expert Comment

by:Adam Brown
ID: 36815133
For most accreditation systems (DIACAP, PCI, etc), changing share permissions from everyone to Authenticated Users or Domain Users will meet requirements. For information, the requirements to get rid of the Everyone group is due to the way Windows used to have the Everyone group set up. The Everyone group used to include guest and anonymous users as well as everyone else. This isn't the case anymore, as that vulnerability was patched out of the OS about 5-6 years ago.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
schema master 5 27
Couldn't join Lync meeting - Security certificate isnt trusted 5 27
Open Encryption Software Advice needed 4 52
GPO Central Store 3 25
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
One of the biggest threats in the cyber realm pertains to advanced persistent threats (APTs). This paper is a compare and contrast of Russian and Chinese APT's.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question