SYSVOL and NETLOGON shares on domain controllers

We are doing some risk assessment security work on our domain controllers. On each there are shares named SYSVOL and NETLOGON, both of which are accessible to Everyone/Authenticated Users. Is there a reason why this is set that way, or do these shares contain any sensitive information which should not be shared with global groups like Everyone?
pma111 asked:

Gaurav Singh (Head - Managed Services) commented:
SYSVOL and NETLOGON are created by default when a domain controller is installed, and yes, they do have sensitive information. Security permissions are set by default, so do not alter anything on these folders.

McKnife commented:
Any admin should know these shares. They hold the group policies, for example, and everyone needs read access; yes, there is no way around it, and it is the default setting.
it_saige (Developer) commented:
One correction to what has been stated here:

Do they contain sensitive information?  It depends on your definition of sensitive information and whether or not what you deem as sensitive information has been added to the shares that are being scrutinized.

As stated by the other Experts, NETLOGON and SYSVOL are created by the Active Directory Domain Controller promotion process, by default. The primary purposes of these shares are:

SYSVOL - A shared directory that stores the server copy of the domain's public files that must be shared for common access and replication throughout a domain. - Source

NETLOGON - is used to deliver domain/user login scripts (not group policy login scripts).

These are administrative shares and are usually only used for Active Directory purposes. These are also replicated shares. This way all users that are authenticating can have access to the same policies and login scripts.

An uncommon practice is for these shares to be used as data storage facilities (although some system administrators [and even Microsoft] will publish executables from the NETLOGON location).

-saige-
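The thread's conclusion is that the default read access on SYSVOL and NETLOGON is expected, and that the real risk-assessment question is whether broad principals have been given write access or whether someone has dropped unexpected content (installers, documents, scripts with embedded secrets) into the shares. The following PowerShell script is an added example for that assessment; it is not from the thread or from Microsoft. It assumes it is run in an elevated session on the domain controller itself (SmbShare cmdlets, Windows Server 2012 or later), that the shares keep their default names, and that the list of "expected" file extensions is a heuristic you adjust for your own environment. Every step is read-only.

```powershell
# Added example (not from the original thread): read-only audit of the
# SYSVOL and NETLOGON shares on a domain controller for a risk assessment.
# Assumptions: elevated PowerShell on the DC, default share names, and an
# extension allow-list that you tune for your environment.

$shares = 'SYSVOL', 'NETLOGON'

# Principals whose write access to these shares would be a finding.
$broadPrincipals = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

# Content that belongs in replicated policy/script folders (heuristic).
$expectedExtensions = '.pol', '.inf', '.ini', '.adm', '.admx', '.adml', '.xml',
                      '.aas', '.bat', '.cmd', '.vbs', '.ps1'

foreach ($name in $shares) {
    $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    if (-not $share) {
        Write-Warning "Share $name not found on this host"
        continue
    }
    Write-Host "== $name -> $($share.Path)"

    # 1. Share-level permissions. Read for Everyone / Authenticated Users is the
    #    default and is required (clients must read GPOs and logon scripts).
    #    Change or Full for a broad principal is what you are looking for.
    Get-SmbShareAccess -Name $name |
        Select-Object AccountName, AccessControlType, AccessRight |
        Format-Table -AutoSize

    # 2. NTFS permissions on the share root: broad principals with write rights
    #    could alter replicated content that every domain member consumes.
    (Get-Acl -Path $share.Path).Access |
        Where-Object {
            $broadPrincipals -contains $_.IdentityReference.Value -and
            $_.FileSystemRights -match 'Write|Modify|FullControl'
        } |
        ForEach-Object {
            Write-Warning "Broad write access on $($share.Path): $($_.IdentityReference) has $($_.FileSystemRights)"
        }

    # 3. Content review: anything outside the expected extensions suggests the
    #    share is being used as general data storage, which the thread advises
    #    against. (NETLOGON lives under SYSVOL by default, so some overlap
    #    between the two listings is normal.)
    Get-ChildItem -Path $share.Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $expectedExtensions -notcontains $_.Extension.ToLower() } |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize

    # 4. Logon scripts are readable by every authenticated user, so they must
    #    not embed credentials. This is a simple keyword heuristic; review hits
    #    by hand.
    Get-ChildItem -Path $share.Path -Recurse -File -Include *.bat, *.cmd, *.vbs, *.ps1 -ErrorAction SilentlyContinue |
        Select-String -Pattern 'password|passwd|pwd' |
        ForEach-Object { Write-Warning "Possible credential reference in $($_.Path):$($_.LineNumber)" }
}
```

Run it once per domain controller (or against one DC per replication scope) and compare the share and NTFS output against the defaults before changing anything; as the answers above note, the read permissions themselves are supposed to be broad, so findings come from write rights for broad principals and from content that should never have been placed in a replicated, world-readable share.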