| re: STAR::PITCHER
Steve,
Yes, this can be a problem if you create public file shares that give
access to your c:\ root directory. No shares, no problem. When you
get more comfortable with permission settings, you can raise the
protection level.
I think the initial permissions depend on how you did the installation
of NT. If there was ever a FAT file system, I "think" you end up with
what you currently have.
/Bill
|
| Bill,
Thanks.
I believe, by default, I've got C$ and ADMIN$ shares on this disk. I
gather these are "special", not public. Am I safe?
I just read HELP on the 'special shares'. C$ and ADMIN$ are
always accessible by members of the Administrators and Backup Operators
groups, only. I guess they're safe from public access.
So, from the point of view of remote access, I'm safe as long as I
create no public shares on C:. But what about local access? Anyone in
my domain can walk into my office and log on to my PC, and now they have
full access to everything on my C: disk. Of course, I'll grant the bit
about, if someone has physical access to a system, then they can do
anything no matter what you do... but ignoring that, I ought to be able
to protect my C: disk from non-privileged users of my system. How do I
protect it?
As a VMS user/system manager, I can't believe it's wise to leave my C:
protected like this.
- stp
p.s. My other reason for pursuing this topic is that I'm setting up
an NT domain network for my local school system. We just received an
NT server system, and I'm starting to configure this. I don't expect
students will regularly use the server, but I believe we can and should
secure it even if they should.
I've got a separate partition for USERS. I guess I'll start by
sharing it, and giving it more stringent permissions, and leave the C:
drive unshared, except for C$ and ADMIN$.
|
| re: STAR::PITCHER
>> C$ and ADMIN$ shares on this disk. I gather these are "special",
>> not public. Am I safe?
You're fine for the time being, if you don't let anyone log into your
system locally (as you later pointed out). If they have no need to be
on your system, keep them out by taking away the "log on locally"
right.
If users need to log on locally, then you'll have to implement more
stringent permissions.
re: students
I'd take away their rights to log on locally to your primary server,
and lock it away in a closet/room. $.02.
/bill
|