Share Permissions on NETLOGON and SYSVOL
Research Services
Guest





Posted: Tue Dec 28, 2004 9:09 pm    Post subject: Share Permissions on NETLOGON and SYSVOL

Share Permissions on NETLOGON and SYSVOL



We have been tightening down the security on our Windows 2003 and Windows
2000 Domain Controllers; we are a Child Domain within an Active Directory
Forest.



We are looking at the default share permissions on the NETLOGON and SYSVOL
shares on the DCs and noticed that 'Everyone' has Read on both shares, and
Authenticated Users has Full Control on SYSVOL.

According to the Microsoft KB article below, Authenticated Users should only
have Read access to SYSVOL.

Authenticated Users Group Has Too Many Permissions to the SYSVOL Network
Share

http://support.microsoft.com/default.aspx?scid=kb;en-us;812538



However, we are wondering if we can safely remove 'Everyone' from both
shares, and remove 'Authenticated Users' from SYSVOL, and substitute 'Domain
Users' with Read on both shares instead.

Is this "safe" as far as NOT breaking AD Replication, user logons, startup
scripts, GPOs, etc.?



Considering that we have set RestrictAnonymous to '2' (Anonymous users have
no access without explicit anonymous permissions) AND
everyoneincludesanonymous to '0' (The local Everyone group does not include
anonymous users) on all of our Windows 2000 and Windows 2003 Domain
Controllers (within our own Child Domain).



Thank you for any input or feedback.
Roger Abell [MVP]
Guest





Posted: Thu Dec 30, 2004 11:17 pm    Post subject: Re: Share Permissions on NETLOGON and SYSVOL

Domain Users does not include machine accounts
while Authenticated Users does. Machines need
access (startup script, computer policies, replication, . . )

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
Research Services
Guest





Posted: Fri Dec 31, 2004 7:02 am    Post subject: Re: Share Permissions on NETLOGON and SYSVOL

So then would it be safe to remove 'Authenticated Users' and replace it
with both 'Domain Users' AND 'Domain Computers'?
Steven L Umbach
Guest





Posted: Fri Dec 31, 2004 8:21 am    Post subject: Re: Share Permissions on NETLOGON and SYSVOL

I would suggest leaving it with everyone and authenticated users for read
permissions to the shares as recommended. Computer accounts are also in the
everyone and authenticated users groups. You might be able to remove
everyone, but I would suggest leaving it as I don't see a risk doing such
and it may break something someday at a time when you long forgot about
removing the everyone group. I have read quite a few books/docs on Windows
security and sysvol "share" permissions were never listed as a concern. ---
Steve
Roger Abell
Guest





Posted: Fri Dec 31, 2004 6:32 pm    Post subject: Re: Share Permissions on NETLOGON and SYSVOL

I have not tried that, and thinking quickly I can only see
where that would cause problem if you have GPOs linked
across domains. There may be other problems . . .
Authenticated Users differs from Domain Users and
Domain Computers only in the absence of accounts of
other domains in the forest if anonymous access is not
enabled. In a single domain forest where anonymous
access is not allowed it seems these two together are
precisely Authenticated Users.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Research Services
Guest





Posted: Mon Jan 03, 2005 9:22 pm    Post subject: Re: Share Permissions on NETLOGON and SYSVOL

We may try this in our test environment.

We are hoping that we can get away with Removing 'Everyone' and Replacing
'Authenticated Users' with both 'Domain Users' and 'Domain Computers' - but
then we were wondering if other DCs in the forest will need to have access
to the SYSVOL share for replication or something else...

Thank you all for your feedback.
Steven L Umbach
Guest





Posted: Tue Jan 04, 2005 12:52 am    Post subject: Re: Share Permissions on NETLOGON and SYSVOL

That would be the best thing to do and I am sure many here would be
interested in the results. My best guess is that it probably would be fine
if all domains are at least at Windows 2000 native level. What concerns me
is when you run gpresult /scope computer on a domain controller, you will
see that it belongs to more than a few groups. --- Steve
Roger Abell
Guest





Posted: Tue Jan 04, 2005 7:54 am    Post subject: Re: Share Permissions on NETLOGON and SYSVOL

Enterprise Domain Controllers group contains accounts of
all DCs in the forest.
Let us know how you come out, OK?

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Research Services
Guest





Posted: Thu Feb 03, 2005 4:37 am    Post subject: Re: Share Permissions on NETLOGON and SYSVOL

As a follow up, we have been running in production with the NETLOGON and
SYSVOL share permissions changed to only the items listed below with no
obvious adverse effects for the last month on all of our Child Domain DCs
(includes 2000 and 2003):

Administrators (DOMAIN\Administrators) - Full Control
Domain Computers (DOMAIN\Domain Computers) - Read
Domain Users (DOMAIN\Domain Users) - Read
ENTERPRISE DOMAIN CONTROLLERS - Read
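As an added example (not code from the thread, and not a Microsoft tool), a PowerShell check that compares a DC's NETLOGON and SYSVOL share ACLs against the final permission set above and flags the conditions the thread discussed: Everyone still present, Authenticated Users above Read (KB 812538), and Domain Computers or Enterprise Domain Controllers missing once Authenticated Users is gone. It assumes Windows Server 2012 or later for Get-SmbShareAccess; Test-SysvolSharePermissions and Get-ShortAccountName are names chosen here.

```powershell
# Added example, not code from the thread or from Microsoft. Audits the NETLOGON
# and SYSVOL share permissions on the local domain controller against the set
# the original poster reported running in production, and flags the conditions
# raised in the thread. Assumes Windows Server 2012 or later (Get-SmbShareAccess
# from the SmbShare module) and that it is run elevated on the DC itself.

function Get-ShortAccountName {
    param([string]$AccountName)
    # Drop the 'NT AUTHORITY\', 'BUILTIN\' or 'DOMAIN\' prefix so the comparison
    # does not depend on how the share ACL spells the domain.
    return ($AccountName -split '\\')[-1]
}

function Test-SysvolSharePermissions {
    param([string[]]$ShareName = @('NETLOGON', 'SYSVOL'))

    # Grants the poster ended up with. PowerShell hashtable keys and -eq are
    # case-insensitive, so 'ENTERPRISE DOMAIN CONTROLLERS' matches any casing.
    $Expected = @{
        'Administrators'                = 'Full'
        'Domain Computers'              = 'Read'
        'Domain Users'                  = 'Read'
        'ENTERPRISE DOMAIN CONTROLLERS' = 'Read'
    }

    foreach ($Name in $ShareName) {
        $Seen = @{}
        foreach ($Ace in Get-SmbShareAccess -Name $Name -ErrorAction Stop) {
            $Account = Get-ShortAccountName $Ace.AccountName
            $Seen[$Account] = $true
            $Finding = $null

            if ($Ace.AccessControlType -ne 'Allow') {
                $Finding = "Deny entry ($($Ace.AccessRight)); these shares are normally Allow-only"
            }
            elseif ($Account -eq 'Everyone') {
                $Finding = "Everyone still granted $($Ace.AccessRight); removed in the poster's final set"
            }
            elseif ($Account -eq 'Authenticated Users') {
                # KB 812538: Authenticated Users should have no more than Read on SYSVOL.
                if ($Ace.AccessRight -ne 'Read') {
                    $Finding = "Authenticated Users has $($Ace.AccessRight); KB 812538 expects Read"
                }
            }
            elseif (-not $Expected.ContainsKey($Account)) {
                $Finding = "not in the expected grant list ($($Ace.AccessRight))"
            }
            elseif ($Ace.AccessRight -ne $Expected[$Account]) {
                $Finding = "has $($Ace.AccessRight); expected $($Expected[$Account])"
            }

            if ($Finding) {
                [pscustomobject]@{ Share = $Name; Account = $Account; Finding = $Finding }
            }
        }

        # Without Authenticated Users, machine accounts and the other DCs in the
        # forest must be granted explicitly, or startup scripts, computer policy
        # and replication lose access (the point Roger Abell made in the thread).
        if (-not $Seen.ContainsKey('Authenticated Users')) {
            foreach ($Required in $Expected.Keys) {
                if (-not $Seen.ContainsKey($Required)) {
                    [pscustomobject]@{ Share = $Name; Account = $Required
                                       Finding = 'missing; required once Authenticated Users is removed' }
                }
            }
        }
    }
}

Test-SysvolSharePermissions | Format-Table -AutoSize
```

Share permissions live in each server's own LanmanServer configuration and are not replicated, so run this on every DC; a DC promoted or rebuilt later comes back with the default share ACL and will show up here.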





"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:eg4Od$f8EHA.3944@TK2MSFTNGP12.phx.gbl...
 