Security Basics mailing list archives

Re: Network Folder Security


From: Bill Cullen <billc () iinet net au>
Date: Wed, 17 May 2006 00:19:27 +0800

Raoul Armfield said the following on 9/05/2006 3:57 AM:
Rolando,

In addition to what everyone else said, make a policy that no one logs in using the default administrator account. If you allow this, auditing will be useless to you because you will not know who did what. Best practice would be to give the default admin account a strong password and lock it in a safe, and give everyone that needs it an admin-level account that is only used when needed. This account would be in addition to an everyday account.

You might also want to consider the following if using multiple administrator accounts.

Normally, when a user creates a file or folder they will be set as the owner. However, by default in Windows Server 2003, if an administrator creates a file or folder the owner is set to the group Administrators (Windows XP is the opposite).

This can be changed by setting nodefaultadminowner. More on this topic can be found at <http://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx>

The above article suggests that you set it to 0 (the default value in Server - i.e. set owner to the group Administrators). However, the article is really written in the context of using least privilege within Windows XP.

For a server I would change nodefaultadminowner to 1 (assign the user rather than the group as owner). That way you can tell which admin created a file or directory.

I think in this case Microsoft may have gotten the default permissions around the wrong way for both Server and XP.
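As an added illustration (this script is not part of Bill's post and is not Microsoft's code), the following PowerShell script reads the registry value behind nodefaultadminowner, warns when it is 0, and then lists recently created files on a share together with their owner, flagging those owned by the Administrators group, which are exactly the files where ownership cannot tell you which admin created them. The registry path HKLM\SYSTEM\CurrentControlSet\Control\Lsa and the value name NoDefaultAdminOwner come from general knowledge of the setting rather than from the post; $SharePath and $Days are placeholders to adjust for your server.

```powershell
# Added example, not from the original post. Assumes the setting lives at
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa, value NoDefaultAdminOwner (REG_DWORD):
#   0 = files created by members of Administrators are owned by BUILTIN\Administrators
#       (Windows Server 2003 default)
#   1 = files are owned by the individual administrator account (Windows XP default)
# Run elevated on the file server.
param(
    [string]$SharePath = 'D:\Shares\Finance',   # placeholder share path, adjust for your server
    [int]$Days = 7                               # look back this many days of file creation
)

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Read the current value; an absent value is treated as 0 here (assumption).
$current = (Get-ItemProperty -Path $LsaKey -Name NoDefaultAdminOwner -ErrorAction SilentlyContinue).NoDefaultAdminOwner
if ($null -eq $current) { $current = 0 }

Write-Host "NoDefaultAdminOwner is currently: $current"
if ($current -eq 0) {
    Write-Warning "Files created by administrators will be owned by BUILTIN\Administrators; ownership alone will not identify which admin created them."
}

# Report recently created files and whether their owner identifies an individual account.
$since = (Get-Date).AddDays(-$Days)
Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since } |
    ForEach-Object {
        $owner = (Get-Acl -Path $_.FullName).Owner
        [pscustomobject]@{
            Path         = $_.FullName
            Created      = $_.CreationTime
            Owner        = $owner
            Attributable = ($owner -ne 'BUILTIN\Administrators')
        }
    } |
    Sort-Object Created -Descending |
    Format-Table -AutoSize

# To switch to per-user ownership as the post recommends for a server (affects files
# created afterwards only; existing owners are left unchanged):
#   Set-ItemProperty -Path $LsaKey -Name NoDefaultAdminOwner -Value 1 -Type DWord
```

The report deliberately reads ownership rather than the security event log: with the value at 0, every file an admin creates shows the same group owner, so the Attributable column makes the loss of accountability visible before the setting is changed.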

