To be frank, I think your instructor may need to brush up a bit, since the
Everyone group hasn't included "everyone" (and more specifically, the
Anonymous Logon account) since Windows 2003 was released. In 2003...
;-)
Laura
-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m@subway.com]
Sent: Monday, July 10, 2006 10:47 PM
To: larobins@bellatlantic.net; 'Jeffrey Wei';
focus-ms@securityfocus.com
Subject: RE: DACLS for software distribution points...
The question arose in my mind during a recent SANS course
where the instructor bemoaned the fact that the EVERYONE
group was just that-EVERYONE.
Now the caveat mentioned that the EVERYONE group is more
secure than it USED to be was not mentioned(I don't think
think it was and I can't find it in the SANS coursework
either). It became highlighted this week as I'm setting up
some new software distro points. Which just shows me that
things change all the time and no-one can keep up with everything.
Sorry Susan-I got confused here;
Look at the last batch of patches and while the 2000's can'
be nailed
from anon connections
can' or can't? Didn't know if a 't' got missed off here.
Regards
Murad Talukdar
-----Original Message-----
From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
Sent: Tuesday, July 11, 2006 2:47 AM
To: 'Jeffrey Wei'; focus-ms@securityfocus.com
Cc: talukdar_m@subway.com
Subject: RE: DACLS for software distribution points...
Domain Users != Authenticated Users. If you use Domain Users
for the DACL,
users (and computers) from any other domain in the forest
will not be able
to access the share. In a single-domain environment or when
you only want
one domain to be able to access the share, this is fine, but
otherwise,
using Authenticated Users may be a better approach.
Having said that, we've had many, many discussions on this
list about the
exact differences between the Everyone group and the
Authenticated Users
group, and the reality is very likely that you're just increasing your
maintenance without increasing security, depending on the
composition of the
domain in question (e.g., Win2K3 versus Win2K versus NTSP4+
versus NTSP4-,
etc.). The difference between the two groups may simply be
the built in
Guest account and nothing else.
Laura
-----Original Message-----
From: Jeffrey Wei [mailto:jeffrey.wei@cubic.com]
Sent: Thursday, July 06, 2006 6:29 PM
To: focus-ms@securityfocus.com
Cc: talukdar_m@subway.com
Subject: RE: DACLS for software distribution points...
What I normally do is remove the "Everyone" and replace it
with "Domain Users".. which in itself means that it will have
to be authenticated users before they can read file folders only.
Not sure how everyone else does it?
Jeffrey Wei
-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m@subway.com]
Sent: Wednesday, July 05, 2006 6:02 PM
To: focus-ms@securityfocus.com
Subject: DACLS for software distribution points...
Hi all,
MS says in this article that the DACLS for software
distribution points should be EVERYONE: READ and
Administrator: Full Control, Change, Read.
http://technet2.microsoft.com/WindowsServer/en/Library/45a873d
d-660d-4de
6-aa
c4-8a03974796121033.mspx?mfr=true
Why shouldn't the EVERYONE be removed and replaced with
Authenticated Users?
I was thinking of doing this and can't really see any
adverse impact.
Kind Regards
Murad Talukdar
--------------------------------------------------------------
----------
---
--------------------------------------------------------------
----------
---
---
[This E-mail scanned for Spam and Viruses by
http://www.innovationnetworks.ca]
--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
