The question arose in my mind during a recent SANS course where the instructor bemoaned the fact that the EVERYONE group was just that: EVERYONE. Now the caveat mentioned that the EVERYONE group is more secure than it USED to be was not mentioned (I don't think it was and I can't find it in the SANS coursework either). It became highlighted this week as I'm setting up some new software distro points. Which just shows me that things change all the time and no one can keep up with everything.

Sorry Susan, I got confused here:

>>Look at the last batch of patches and while the 2000's can' be nailed from anon connections

can' or can't? Didn't know if a 't' got missed off here.

Regards
Murad Talukdar

-----Original Message-----
From: Laura A. Robinson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 11, 2006 2:47 AM
To: 'Jeffrey Wei'; focus-ms@securityfocus.com
Cc: [EMAIL PROTECTED]
Subject: RE: DACLS for software distribution points...

Domain Users != Authenticated Users. If you use Domain Users for the DACL, users (and computers) from any other domain in the forest will not be able to access the share. In a single-domain environment or when you only want one domain to be able to access the share, this is fine, but otherwise, using Authenticated Users may be a better approach.

Having said that, we've had many, many discussions on this list about the exact differences between the Everyone group and the Authenticated Users group, and the reality is very likely that you're just increasing your maintenance without increasing security, depending on the composition of the domain in question (e.g., Win2K3 versus Win2K versus NTSP4+ versus NTSP4-, etc.). The difference between the two groups may simply be the built in Guest account and nothing else.

Laura

> -----Original Message-----
> From: Jeffrey Wei [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 06, 2006 6:29 PM
> To: focus-ms@securityfocus.com
> Cc: [EMAIL PROTECTED]
> Subject: RE: DACLS for software distribution points...
>
> What I normally do is remove the "Everyone" and replace it
> with "Domain Users".. which in itself means that it will have
> to be authenticated users before they can read file folders only.
>
> Not sure how everyone else does it?
>
> Jeffrey Wei
>
> -----Original Message-----
> From: Murad Talukdar [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, July 05, 2006 6:02 PM
> To: focus-ms@securityfocus.com
> Subject: DACLS for software distribution points...
>
> Hi all,
> MS says in this article that the DACLS for software
> distribution points should be EVERYONE: READ and
> Administrator: Full Control, Change, Read.
>
> http://technet2.microsoft.com/WindowsServer/en/Library/45a873dd-660d-4de6-aac4-8a03974796121033.mspx?mfr=true
>
> Why shouldn't the EVERYONE be removed and replaced with
> Authenticated Users?
> I was thinking of doing this and can't really see any adverse impact.
>
> Kind Regards
> Murad Talukdar
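
The DACL change discussed in this thread, as an added example that is not part of any poster's message: a PowerShell script that reports explicit Everyone allow entries on a distribution folder's NTFS DACL and, with `-Apply`, re-grants the same rights to Authenticated Users instead. The folder path is a hypothetical placeholder, and share-level permissions are separate and not touched here.

```powershell
# Added example. The default path is an assumed placeholder, not from the thread.
param(
    [string]$Path = 'D:\SoftwareDist',
    [switch]$Apply   # without -Apply the script only reports what it finds
)

# Well-known SIDs are used instead of display names, which vary by OS language.
$everyoneSid = 'S-1-1-0'    # Everyone
$authUsers   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')  # Authenticated Users

$acl = Get-Acl -Path $Path

# Explicit (non-inherited) rules only, with identities returned as SIDs.
$rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
$everyoneRules = @($rules | Where-Object {
    $_.IdentityReference.Value -eq $everyoneSid -and
    $_.AccessControlType -eq 'Allow'
})

if ($everyoneRules.Count -eq 0) {
    Write-Output "No explicit Everyone allow ACE on $Path"
    return
}

foreach ($rule in $everyoneRules) {
    Write-Output ("Everyone: {0} (inheritance: {1})" -f $rule.FileSystemRights, $rule.InheritanceFlags)

    if ($Apply) {
        # Same rights and inheritance, granted to Authenticated Users instead.
        $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $authUsers,
            $rule.FileSystemRights,
            $rule.InheritanceFlags,
            $rule.PropagationFlags,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($replacement)
        $acl.RemoveAccessRuleSpecific($rule)
    }
}

if ($Apply) {
    Set-Acl -Path $Path -AclObject $acl
    Write-Output "Replaced Everyone with Authenticated Users on $Path"
}
```

Run it without `-Apply` first to see which entries would change. Inherited entries are left alone and have to be changed on the parent folder.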