Granted, in the 2k era the “everyone” group included “anon”, but in the 2k3 era, where the “everyone” group is equivalent to “authenticated users”, how does merely removing “everyone” and not adjusting other ACLs increase security?

http://support.microsoft.com/kb/278259
http://www.windowsecurity.com/articles/Windows_NET_Server_locks_down_Everyone.html

(obviously in SBSland no hands-on experience whatsoever on trusting domains so it’s a moot point down here)

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford

If you want to check and see if the everyone group is still there then you can script it. I wanted to make sure that "everyone" did not have rights to print on any print queue. I wrote a script which:

enumerated all the servers
  for each server enumerated all the printers
    for each printer ran:

    subinacl.exe /noverbose /outputlog=c:\temp\print.log /errorlog=c:\temp\error.log /printer \\" & sComputer & "\" & sPrinter

and then checked the contents of the log file to see if "everyone" was there, logging any machine where it was found.

Steve

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad

Sounds fair enough. I was worried about the default Everyone group memberships and its appearance as default on shares etc. We have a policy to remove it, but with over 600 servers chances are that it is still on a few of them.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Well the basic idea would be don't trust any domain that you well.... don't trust.

The issue isn't usually with the fact that trusted domain users are then considered authenticated users, it is that so many people set up crappy ACLs that use secprins like everyone or auth users to allow access. By default trusted domains aren't in any of the "real" domain groups which should be used for assigning access rights to locked down resources such as shares.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad

Hey All,

I am sure this has been covered and I apologise in advance.

We have a Windows 2k single forest/domain that is slowly being migrated to W2K3/SP1. In general I am against our domain (10k plus users) trusting any domain with non company staff authenticating against it, but need some hard reasons (most likely security based) as to why.

Is there an issue where users from trusted domains are automatically members of the everyone user group which has permissions by default etc? There is something along those lines......

TIA for your help,

Brad
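An added example, not part of any message in this thread: a Python sketch of the scripted check Steve describes, run over SDDL strings instead of subinacl log text, that flags Authenticated Users and Anonymous Logon as well as Everyone, following the points above about the 2k3-era Everyone group and broad principals in ACLs. The server and printer names and the SDDL values are constructed, and collecting the SDDL from each server is assumed to happen elsewhere.

```python
import re

# Broad well-known principals, keyed by SDDL alias and by SID string.
BROAD = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "AN": "Anonymous Logon", "S-1-5-7": "Anonymous Logon",
}
ALLOW_TYPES = {"A", "OA"}  # access-allowed and object access-allowed ACEs


def broad_grants(sddl):
    """Return (principal, rights) pairs for allow ACEs in the DACL that name a
    broad principal. Deny ACEs and the SACL are ignored. Conditional ACEs,
    which contain nested parentheses, are not handled by this sketch."""
    # DACL section: "D:", optional flags such as PAI, then "(...)" ACEs.
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)
    found = []
    for ace in re.findall(r"\(([^()]*)\)", m.group(1)) if m else []:
        fields = ace.split(";")
        if len(fields) < 6:
            continue  # malformed ACE, skip it
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if ace_type in ALLOW_TYPES and trustee in BROAD:
            found.append((BROAD[trustee], rights))
    return found


def audit(acls):
    """Map each resource to its broad grants, omitting clean resources."""
    return {name: g for name, sddl in acls.items() if (g := broad_grants(sddl))}


# Constructed sample data: hypothetical printers and hand-written SDDL.
SAMPLE = {
    # Everyone still present on the queue.
    r"\\SRV01\Laser1": "O:BAG:DUD:(A;;SWRC;;;WD)(A;;LCSWSDRCWDWO;;;BA)",
    # Everyone removed, Authenticated Users left in place.
    r"\\SRV02\Laser2": "O:BAG:DUD:(A;;SWRC;;;AU)(A;;LCSWSDRCWDWO;;;BA)",
    # A specific domain group only; the WD entry is an audit ACE in the SACL.
    r"\\SRV03\Plotter": "O:BAG:DUD:(A;;SWRC;;;S-1-5-21-1111111111-2222222222"
                        "-3333333333-1105)(A;;LCSWSDRCWDWO;;;BA)S:(AU;FA;SWRC;;;WD)",
}

if __name__ == "__main__":
    for resource, grants in audit(SAMPLE).items():
        print(resource, grants)
```

The second constructed printer is still reported even though Everyone has been removed from it, because the allow ACE for Authenticated Users covers the same population, trusted-domain users included.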
