> Instead, explicitly permit what groups get access.
That's right. A good security model is designed so that users are GRANTED access. Using the "NO ACCESS" permission regularly is a security nightmare and should only be used where necessary.

> Also some features of group policy allow you to add security.

Take this as an example:

---------------------------

Background: A Windows 2000 server has a c$ share and an admin$ share. The security permissions on those shares are "FULL CONTROL" to the Administrators group. This is the only security permission applied to these shares. The server is physically protected from third party access and is locked away in the server room. Nobody has physical access to this room.

Action: I remove the c$ and admin$ shares from my Windows 2000 server.

Result: I am no longer able to access the C: root or WINNT folders.

Event: Fred finds out the Administrator's password.

Action: Fred loads up "Microsoft Management Console", adds the "Shared Folders" Snap-In for the Server, right clicks on Shares and selects "New File Share". Fred then adds a share for the C:\ folder on this server giving himself access to it.

---------------------------

The *only* way Fred was able to create this share was by having Administrative access. Because of NTFS and Share permissions, there is no way he could access C$. The only way for him to get access to C:\ is to have Administrative access.

There is no need to remove these hidden shares.

Adam Smith
IT Officer
SAGE Automation Ltd
[EMAIL PROTECTED]
http://www.sageautomation.com
Phone: (08) 8276 0703
Fax: (08) 8276 0799
Mobile: 0414 895 273
