Home page logo

basics logo Security Basics mailing list archives

Re: Network Folder Security
From: Bill Cullen <billc () iinet net au>
Date: Wed, 17 May 2006 00:19:27 +0800

Raoul Armfield said the following on 9/05/2006 3:57 AM:

In addition to what everyone else said. Make a policy that no one logs in using the default administrator account. If you allow this Auditing will be useless to you because you will not know who did what. Best practice would be to give the default admin account a strong password and lock it in a safe and give everyone that needs it an admin level account that is only used when needed. This account would be in addition to an everyday account.

You might also want to consider the following if using multiple administrator accounts.

Normally, when a user creates a file or folder they will be set as the owner. However, by default in Windows Server 2003, if an administrator creates a file or folder the owner is set to the group Administrators (Windows XP is the opposite).

This can be changed by setting nodefaultadminowner. More on this topic can be found at <http://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx>

The above article suggests that you set it to 0 (the default value in Server - i.e. set owner to the group Administrators). However, the article is really written in the context of using least privilege within Windows XP.

For a server I would change nodefaultadminowner to 1 (assign the user rather than the group as owner). That way you can tell which admin created a file or directory.

I think in this case Microsoft may have gotten the default permissions around the wrong way for both Server and XP.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]