Re: Network Folder Security
From: Bill Cullen <billc () iinet net au>
Date: Wed, 17 May 2006 00:19:27 +0800
Raoul Armfield said the following on 9/05/2006 3:57 AM:
> In addition to what everyone else said, make a policy that no one logs
> in using the default administrator account. If you allow this, auditing
> will be useless to you because you will not know who did what. Best
> practice would be to give the default admin account a strong password
> and lock it in a safe and give everyone that needs it an admin level
> account that is only used when needed. This account would be in
> addition to an everyday account.

You might also want to consider the following if using multiple

Normally, when a user creates a file or folder they will be set as the
owner. However, by default in Windows Server 2003, if an administrator
creates a file or folder the owner is set to the group Administrators
(Windows XP is the opposite).

This can be changed by setting nodefaultadminowner. More on this topic
can be found at

The above article suggests that you set it to 0 (the default value in
Server - i.e. set owner to the group Administrators). However, the
article is really written in the context of using least privilege within

For a server I would change nodefaultadminowner to 1 (assign the user
rather than the group as owner). That way you can tell which admin
created a file or directory.

I think in this case Microsoft may have gotten the default permissions
around the wrong way for both Server and XP.
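
An added example, not part of the original message: a PowerShell audit that reports the current nodefaultadminowner value and lists files and folders owned by the Administrators group, which cannot be traced to an individual admin. It assumes the value lives under the LSA registry key (the message does not give the path) and uses a constructed share path, D:\Shares\Example.

```powershell
# Added example. $Root is a constructed placeholder; point it at the share to audit.
param([string]$Root = 'D:\Shares\Example')

# Assumed location of the value named in the message.
# Per the message: 0 = owner is the Administrators group, 1 = owner is the creating user.
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$setting = (Get-ItemProperty -Path $lsaKey -Name nodefaultadminowner `
            -ErrorAction SilentlyContinue).nodefaultadminowner
if ($null -eq $setting) {
    Write-Output 'nodefaultadminowner: not set'
} else {
    Write-Output "nodefaultadminowner: $setting"
}

# Well-known SID of BUILTIN\Administrators. Comparing SIDs instead of names
# keeps the check correct on localized systems where the group is renamed.
$adminsSid = 'S-1-5-32-544'

Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        try {
            $acl      = Get-Acl -LiteralPath $item.FullName
            $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
            if ($ownerSid.Value -eq $adminsSid) {
                # Group-owned object: the creating admin is not recorded as owner.
                [pscustomobject]@{
                    Path    = $item.FullName
                    Owner   = $acl.Owner
                    Created = $item.CreationTime
                }
            }
        } catch {
            # Unreadable ACLs are reported rather than silently skipped.
            Write-Warning "Could not read owner of $($item.FullName): $_"
        }
    }
```

Run it from an account that can read ACLs across the whole tree; objects it lists were created while the group was the default owner.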