Security Basics mailing list archives

Re: Permissions


From: Nexus <nexus06 () drxlabs com>
Date: Mon, 09 Dec 2002 15:32:26 -0800

If what you have is working well (I assume you have some kind of 'image' or something), then I would just use the Sysinternals tools to understand more of what's going on, and test an image with the newer permission set. With your current permission set, users have full control over way too many directories (I have a like issue having to run old apps based on NT and such). Other than users being able to make changes and such, you have security issues with viruses and webpage exploits having access to the /winnt and /system and /system32 folders and being able to totally get into a system. But ultimately it is you who has to decide on a security model and a standard image.

but:


Having security groups is hard to set up, but makes admin way easier because you can easily remove access from an app by just removing said person from the security group. If you're on a Win2k AD you can even set up GPOs for software uses and access & times and such.

It's all about your needs and how much time you can spend setting it all up. But once up it's much better.




Nexus






Chris Berry wrote:

From: Nexus <nexus06 () drxlabs com>
Go to sysinternals.com; there are lots of good tools there that, when run before you run an app, will tell you what it is accessing, including reg keys, DLLs, etc...


Hmm, I might try that. I wonder if it's worth it though. I'm pretty paranoid when it comes to security, but this just sounds like an administrative nightmare. What is it that you think a user could do with the permissions I mentioned that they couldn't with the ones you're suggesting? I mean, you're going to have to give them some write permissions in order for some of your apps to work, and then all they have to do to install software is direct it to one of those directories.

Another group you can utilize is Authenticated Users; this group will make sure a user is 'authenticated'.
This group is in lieu of the 'Everyone' group.


I pretty much never use the Everyone group except where it is already installed. I tried setting up one machine where I removed the Everyone group and gave explicit permissions instead, but Win2k choked on that big time, revealing the fact that many M$ processes depend on the base permissions in order to function. (Bad coding practice if you ask me.)

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Live dangerously, overclock your servers."
