Jim Watts
Guest
|
 Posted:
Mon Oct 17, 2005 4:51 pm Post subject:
MS05-51 Patch, and SystemDrive NTFS permissions |
|
|
Hi,
I need some help with filesystem permissions, related to the MS05-51 patch,
and the problems it has thrown up. Note, we are NOT suffering the problems,
but the information from MS conflicts.
KB909444 (http://support.microsoft.com/kb/909444) states that the MS05-51
patch might fail if permissions have been changed on the
%windir%\registration. It goes on to say:
"Make sure that the Everyone group has one of the following permissions: -
Traverse permissions ("List Folder Contents") on all parent directories,
including %systemdrive%, %windir%, and %windir%\registration"
However, our standard build procedure for Windows 2000 servers is to REMOVE
the Everyone right from the root of the system drive. This is based on the
"Microsoft Security Operations Guide for Windows 2000 Server"
(http://www.microsoft.com/downloads/details.aspx?familyid=F0B7B4EE-201A-4B40-A0D2-CDD9775AEFF8&displaylang=en),
page 63, which says that root permissions should be:
Administrators: Full control
System: Full control
Authenticated Users: Read and Execute, List Folder Contents, and Read
What's going on? Why do the two pieces of info not match, why has the patch
not destroyed my servers, and what exactly should I have set on the root of
drive C: for a secure server? While we're at it, what should I have on a
Windows 2003 server, as the 2003 version of this guide doesn't even mention
file system security in the baseline!
Many thanks, especially to any MS staff that would care to comment
Jim
--
Jim Watts,
Information Systems Services
University of Southampton |
|
Roger Abell [MVP]
Guest
|
| Posted:
Tue Oct 18, 2005 7:48 am Post subject:
Re: MS05-51 Patch, and SystemDrive NTFS permissions |
|
|
The info conflicts as they have different origins. The guidance papers
are, mostly, broadly reviewed and well thought through. KBs are often
the emission of a content specialist.
You are not having an issue as the requirement that accounts that should
be able to access are granted the needed access, view Authenticated Users
instead of Everyone, but given the needed permissions none-the-less.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Jim Watts" <j.watts@news.postalias> wrote in message
news:OjznT5y0FHA.2328@TK2MSFTNGP10.phx.gbl...
| Quote: | Hi,
I need some help with filesystem permissions, related to the MS05-51
patch, and the problems it has thrown up. Note, we are NOT suffering the
problems, but the information from MS conflicts.
KB909444 (http://support.microsoft.com/kb/909444) states that the MS05-51
patch might fail if permissions have been changed on the
%windir%\registration. It goes on to say:
"Make sure that the Everyone group has one of the following permissions: -
Traverse permissions ("List Folder Contents") on all parent directories,
including %systemdrive%, %windir%, and %windir%\registration"
However, our standard build procedure for Windows 2000 servers is to
REMOVE the Everyone right from the root of the system drive. This is based
on the "Microsoft Security Operations Guide for Windows 2000 Server"
(http://www.microsoft.com/downloads/details.aspx?familyid=F0B7B4EE-201A-4B40-A0D2-CDD9775AEFF8&displaylang=en),
page 63, which says that root permissions should be:
Administrators: Full control
System: Full control
Authenticated Users: Read and Execute, List Folder Contents, and Read
What's going on? Why do the two pieces of info not match, why has the
patch not destroyed my servers, and what exactly should I have set on the
root of drive C: for a secure server? While we're at it, what should I
have on a Windows 2003 server, as the 2003 version of this guide doesn't
even mention file system security in the baseline!
Many thanks, especially to any MS staff that would care to comment
Jim
--
Jim Watts,
Information Systems Services
University of Southampton
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in