RE: XP security permissions

["Steve McLaughlin" <steve () Lan com au>]

Firstly, it is good practice to keep things as simple as possible,

You should add all of the restricted users to their own group, and then
remove them from all other groups except the group you created and the
inbuilt users group. This should keep things restricted enough. And they
will not be able to install programs or tweak your system very much. The
inbuilt USERS group is used for very restrictive use as you require.

This will also protect your OS from harmful deletion of important system
files.

As for all the permissions you mentioned, it is ok to leave them all as
default, unless you want to explicitly deny permission to a specific folder.
In which case you would use the group you created to set the permissions.
And not the inbuilt groups.

Also, It sounds like you may have tweaked the privileges on the folders a
bit more than you should have, in which case, it may be easiest to reformat
and start again.


steve mclaughlin | enlite technology
(MCSA, A+, Network+, Server+)
 

-----Original Message-----
From: J. Yoon [mailto:supercool9000 () hotmail com] 
Sent: Tuesday, 20 January 2004 10:07 PM
To: security-basics () securityfocus com
Subject: XP security permissions 


Please advise on a proper way to set folder permissions on XP
without having my programs crash and other friends/users complaining too 
much.

I want to give full permission to myself and administrators. The other 2 
accounts "friends/family" in my box, i don't want them to mess with any 
system settings but still want to give them the option of installing some 
softwares at a designated folder, run MS office/webbrowse/messenger/games...

As for everyone else, is it possible to default deny all access? Seems like 
when I put Deny Everyone, it denies access to even myself.

1) In the Program Files folder and WINDOWS folder,
which folders should I be giving read/write/modify permissions to
so that programs don't fail when limited/guest users run the programs?

2) Which folders need SYSTEM  and USER?
I noticed that WINDOWS folder had some of these id's present in the security

tab.

3) how should the hidden system folders, page file, recycle, system volume 
information folders
be set to and to whom shoudl perms be given?

4) how about Program Files/MSN Messenger, Program Files/Microsoft Office
Sound /video card driver directories,
anti virus, firewall dirs

i noticed that some programs need write privilages to run properly
should normal users have modify privilages as well for some programs?
if so which?

_________________________________________________________________
Let the new MSN Premium Internet Software make the most of your high-speed 
experience. http://join.msn.com/?pgmarket=en-us&page=byoa/prem&ST=1


---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course!  
----------------------------------------------------------------------------



---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
course! All of our class sizes are guaranteed to be 10 students or less.
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
and many other technical hands on courses.
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
any course!
----------------------------------------------------------------------------