Files, Folders, Permissions and Shares
This discussion assumes that you are only using NTFS volumes on your servers. Do not use FAT volumes in secure installations.
To check permissions on folders and other resources, you must go to each resource individually to review which users and groups have permissions. This can be a bewildering task, so for large systems obtain a copy of the Somarsoft DumpACL utility.
To open the Permissions dialog box for a folder or file, right-click it and choose Properties, then click either the Sharing or the Security tab. The Sharing options show who has access to the folder over the network. The Security tab has the Permission and Auditing buttons so you can check local permissions or set auditing options.
Start your evaluation with the most sensitive and critical folders if you are doing this procedure manually or performing a periodic checkup. Take care to do the following:
Check each folder and/or file to determine which local users and groups have access and whether that access is appropriate.
Check all shared folders and the share permissions on those folders to determine which network users and groups have access and whether that access is appropriate.
Program files and data files should be kept in separate folders to make management and permission setting easier. Also, if users can copy files into a data folder, remove the Execute permission on the folder to prevent someone from copying and executing a virus or Trojan Horse program.
Separate public files from private files so you can apply different permission sets.
If users or groups have access to a folder, should they have the same access to every file in the folder? To every subdirectory? Check the sensitivity of files and attached subdirectories to evaluate whether inherited permissions are appropriate.
Keep in mind that the Everyone group gets Full access by default for all new folders you create. To prevent this, change the Everyone group's permission for a folder, then any new subdirectories you create will get the new permission settings.
If the server is connected to an untrusted network such as the Internet, do not store any files on the server that are sensitive and for in-house access only.
Never share the root directory of a drive or one of the drive icons that appears in the graphical display. An exception would be sharing a Read Only CD-ROM drive for public access.
For sensitive, password protected directories, enable Auditing. Right-click a folder, click Security, then click Auditing and enable Failure to track users that are attempting unauthorized access a folder or file. Note that File and Object access must be enabled from the Audit Policies menu in the User Manager, as described later.
Use encryption wherever possible to hide and protect files. Mergent (www.mergent.com) and RSA Data Systems (www.rsa.com) provide encryption software for this purpose.
You can remove Everyone's access to an entire folder tree by going to the root of the drive, changing the permissions, and propagating those permissions to subdirectories. Do not do this for the systemroot folder (usually C:\WINNT). You must manually update Everyone's right there.
Internet FAQ top