Solved

Securing SYSVOL, NETLOGON

Posted on 2011-09-28
5
1,678 Views
Last Modified: 2012-06-21
We are currently attempting to remove "Everyone" access from all shares for security reasons. I am searching for a document with some kind of best practice information for securing access to SYSVOL, NETLOGON and other default shares. Primarily - how do we go about removing Everyone from shares (if we can) without breaking anything.

Thank you for any assistance y'all can provide!
0
Comment
Question by:yccdadmins
5 Comments
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 36719215
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 36719232
Changing Everyone to Authenticated Users is a good way to do this without breaking anything. Realistically, though, removing the Everyone group from Share Permissions will do nothing to improve your security, since actual permissions to files are determined by NTFS permissions on the folders the shares point to. In a sharing setup, the least permissive permissions win, so having Shares set to allow write and read access to the Everyone group doesn't mean that everyone will actually have access. It all depends on NTFS permissions.
0
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 36719352
As acbrown2010 said, it all depends on NTFS permissions; share permissions are only for sharing. If you have any concerns about security, then you can safely remove "Everyone" from the NTFS permissions on the SYSVOL folder. Authenticated Users are sufficient, and they have only Read/Execute and List Folder Contents on SYSVOL and NETLOGON - and that's what they need... This is the best practice...

For the default permissions of the sysvol folder, you can refer to the KB article 290647:
http://support.microsoft.com//kb/290647 

Regards,
Abhijit Waikar.

 

0
 

Author Comment

by:yccdadmins
ID: 36814819
Thank you for the information and saving me some search time!

Yes - security on the file structure is key and has already been addressed. The share is the gateway to the file systems and must also be considered when meeting strict security and auditing guidelines.

I am reviewing the links provided - thank you for the information!
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 36815133
For most accreditation systems (DIACAP, PCI, etc.), changing share permissions from Everyone to Authenticated Users or Domain Users will meet requirements. For information, the requirement to get rid of the Everyone group is due to the way Windows used to have the Everyone group set up. The Everyone group used to include guest and anonymous users as well as everyone else. This isn't the case anymore, as that vulnerability was patched out of the OS about 5-6 years ago.
0
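
The review discussed in this thread, as an added example that is not part of any poster's reply: it lists each share that still grants Everyone access, shows the NTFS entries for Everyone and Authenticated Users on the folder behind it, and can swap the share entry to Authenticated Users at the same level. The function name `Invoke-EveryoneShareAudit` is hypothetical; the script assumes the SmbShare module (Windows Server 2012 / Windows 8 or later) and an elevated session.

```powershell
# Added example; Invoke-EveryoneShareAudit is a hypothetical name, not a built-in cmdlet.
# Assumes the SmbShare module (Windows Server 2012 / Windows 8 or later), run elevated.
function Invoke-EveryoneShareAudit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # When set, replace each Allow entry for Everyone with Authenticated Users.
        [switch]$Replace
    )

    # Resolve well-known SIDs so the name comparison also works on non-English systems.
    $ntAccount = [System.Security.Principal.NTAccount]
    $everyone  = ([System.Security.Principal.SecurityIdentifier]'S-1-1-0').Translate($ntAccount).Value
    $authUsers = ([System.Security.Principal.SecurityIdentifier]'S-1-5-11').Translate($ntAccount).Value

    # Skip administrative shares (C$, ADMIN$, IPC$) and shares with no folder behind them.
    foreach ($share in Get-SmbShare -Special $false | Where-Object { $_.Path }) {
        $aces = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccountName -eq $everyone -and $_.AccessControlType -eq 'Allow' }

        foreach ($ace in $aces) {
            # NTFS entries on the shared folder for the same two principals, for comparison.
            $ntfs = (Get-Acl -LiteralPath $share.Path).Access |
                Where-Object { $_.IdentityReference.Value -in $everyone, $authUsers } |
                ForEach-Object { '{0}: {1} ({2})' -f $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType }

            [pscustomobject]@{
                Share      = $share.Name
                Path       = $share.Path
                ShareRight = $ace.AccessRight
                NtfsAces   = $ntfs -join '; '
            }

            if ($Replace -and $PSCmdlet.ShouldProcess($share.Name, "Replace $everyone with $authUsers ($($ace.AccessRight))")) {
                # Grant first so the share is never left without an Allow entry.
                Grant-SmbShareAccess -Name $share.Name -AccountName $authUsers -AccessRight $ace.AccessRight -Force | Out-Null
                Revoke-SmbShareAccess -Name $share.Name -AccountName $everyone -Force | Out-Null
            }
        }
    }
}

# Report only:
Invoke-EveryoneShareAudit | Format-Table -AutoSize
# Preview the replacement without applying it:
Invoke-EveryoneShareAudit -Replace -WhatIf
```

Run the report and the `-WhatIf` preview first, and compare the NTFS column against the defaults in the KB article linked above before applying the change on a domain controller.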

Question has a verified solution.
