[Search for users] [Overall Top Noters] [List of all Conferences] [Download this site]

Conference powdml::pc_security

Title:PERSONAL COMPUTER SECURITY
Notice:SWEEP servers Note 5; more info on www-is-security.mso.dec.com
Moderator:BSS::BOREN
Created:Wed Jan 02 1991
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:504
Total number of notes:2905

488.0. "Securing an NT system." by STAR::PITCHER (Steve Pitcher/Pathworks for OpenVMS) Fri Mar 07 1997 11:53

    I have a Windows NT V4.0 (SP2) Workstation.
    
    I was just looking around.  I find that everything on my C: disk has
    "EVERYONE FULL_CONTROL" permission.  This is how NT sets up my system by
    default.
    
    This is a problem... isn't it?  This means that anyone who has any
    access to my system can modify anything.  And in a domain, lots of
    people can access my system.
    
    Do we have any guidelines for securing an NT system?  I'm not about to
    go and change permissions on everything, since I don't know NT enough
    to know what I can change, what I should change, and what I should
    leave alone.
    
    -	stp
T.RTitleUserPersonal
Name		DateLines
488.1TARKIN::LINBill LinFri Mar 07 1997 14:2814
    re: STAR::PITCHER
    
    Steve,
    
    Yes, this can be a problem if you create public file shares that give
    access to your c:\ root directory.  No shares, no problem.  When you
    get more comfortable with permission settings, you can raise the
    protection level.
    
    I think the initial permissions depend on how you did the installation
    of NT.  If there was ever a FAT file system, I "think" you end up with
    what you currently have.
    
    /Bill
488.2STAR::PITCHERSteve Pitcher/Pathworks for OpenVMSFri Mar 07 1997 16:0134
    Bill,
    
    Thanks.  
    
    I believe, by default, I've got C$ and ADMIN$ shares on this disk.  I
    gather these are "special", not public.  Am I safe?
    
    I just read HELP on the 'special shares'.  C$ and ADMIN$ are
    always accessible by members of the Administrators and BackupOperators
    groups, only.  I guess they're safe from public access.
    
    So, from the point of view of remote access, I'm safe as long as I
    create no public shares on C:.  But what about local access?  Anyone in
    my domain can walk into my office and logon to my PC, and now they have
    full access to everything on my C: disk.  Of course, I'll grant the bit
    about, if someone has physical access to a system, then they can do
    anything no matter what you do... but ignoring that, I ought to be able
    to protect my C: disk from non-privileged users of my system.  How do I
    protect it?
    
    As a VMS user/system manager, I can't believe its wise to leave my C:
    protected like this.
    
    -	stp
    
    p.s.  My other reason for pursuing this topic, is that I'm setting up
    an NT domain network for my local school system.  We just recieved an
    NT server system, and I'm starting to configure this.  I don't expect
    students will regularly use the server, but I believe we can and should
    secure it even if they should.
    
    I've got a separate partition for USERS.   I guess I'll start by
    sharing it, and giving it more stringent permissions, and leave the C:
    drive unshared, except for C$ and ADMIN$.
488.3TARKIN::LINBill LinFri Mar 07 1997 16:3319
    re: STAR::PITCHER
    
    >> C$ and ADMIN$ shares on this disk.  I gather these are "special",
    >> not public.  Am I safe?
    
    You're fine for the time being, if you don't let anyone log into your
    system locally (as you later pointed out).  If they have no need to be
    on your system, keep them out by taking away the "log on locally"
    right.
    
    If users need to log on locally, then you'll have to implement more
    stringent permissions.
    
    re: students
    
    I'd take away their rights to log on locally to your primary server,
    and lock it away in a closet/room.  $.02.
    
    /bill