Other Best Practice Recommendations


The following sections describe some other best practice recommendations.

Give Security to Groups, Not Users

It goes without saying that security permissions should be assigned to groups and not individual users. It can be tempting to assign a permission directly to a user when only one person needs the permission, but when you begin the practice of assigning permissions to individual accounts, you end up losing track of who has what permissions. Instead, follow the AGULP method for every permission assignment.

Don't Overuse Everyone Full Control

When setting up new security, avoid giving permissions to the Everyone group. Instead, make the group you give permissions to as selective as possible. At the very least, this means giving permissions to the Authenticated Users (or Users) group instead of the Everyone group unless you mean to allow guests to have access to your resources. Whenever you get ready to give Full Control to a non-admin user, ask yourself if they really need to change permissions and take ownership. If they don't, give Change or Modify instead. That's probably all they need most of the time anyway.
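The two recommendations above can be checked mechanically. The following PowerShell script is an added example, not code from the book: it walks a folder tree and reports every explicit Allow ACE that is granted to Everyone, grants Full Control to a principal other than Administrators or SYSTEM, or is assigned directly to a user account instead of a group. The path `C:\Shares\Finance` is a placeholder, and `Test-IsUserAccount` assumes the .NET `System.DirectoryServices.AccountManagement` assembly can reach the machine's own SAM or its domain to tell users from groups.

```powershell
# Added example (not from the book): audit a folder tree for ACEs that break the
# "give security to groups, not users" and "don't overuse Everyone / Full Control"
# recommendations. Uses only built-in cmdlets plus the .NET AccountManagement
# assembly; the path at the bottom is a placeholder.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Returns $true when an ACE identity (e.g. 'CONTOSO\jsmith') resolves to a user
# account rather than a group. Well-known NT AUTHORITY / BUILTIN principals and
# unqualified identities such as 'Everyone' or 'CREATOR OWNER' count as groups.
function Test-IsUserAccount {
    param([string]$Identity)
    $parts = $Identity -split '\\', 2
    if ($parts.Count -ne 2) { return $false }
    $domain, $name = $parts
    if ($domain -in @('NT AUTHORITY', 'BUILTIN', 'NT SERVICE')) { return $false }
    $ctxType = if ($domain -ieq $env:COMPUTERNAME) {
        [System.DirectoryServices.AccountManagement.ContextType]::Machine
    } else {
        [System.DirectoryServices.AccountManagement.ContextType]::Domain
    }
    try {
        $ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType, $domain)
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $name)
        return ($null -ne $user)
    } catch {
        return $false   # unresolvable (orphaned SID, untrusted domain): not flagged here
    }
}

# Walks $Path and every subfolder, reporting explicit (non-inherited) Allow ACEs
# that are granted to Everyone, grant Full Control to a non-administrative
# principal, or are assigned directly to a user account instead of a group.
function Find-AclIssues {
    param([string]$Path)
    $fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $folders = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Directory)
    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }                  # report where the ACE is actually set
            if ($ace.AccessControlType -ne 'Allow') { continue } # a Deny to Everyone is not a problem
            $id     = $ace.IdentityReference.Value
            $rights = [int]$ace.FileSystemRights
            $issues = @()
            if ($id -eq 'Everyone') { $issues += 'granted to Everyone' }
            if (($rights -band $fullControl) -eq $fullControl -and
                $id -notin @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) {
                $issues += 'Full Control to a non-admin principal'
            }
            if (Test-IsUserAccount $id) { $issues += 'assigned directly to a user' }
            if ($issues.Count -gt 0) {
                [pscustomobject]@{
                    Path     = $folder.FullName
                    Identity = $id
                    Rights   = $ace.FileSystemRights
                    Issues   = $issues -join '; '
                }
            }
        }
    }
}

# Placeholder path for illustration; point it at a real share root to audit it.
Find-AclIssues -Path 'C:\Shares\Finance' | Format-Table -AutoSize
```

Only non-inherited ACEs are reported, so each finding points at the folder where the permission was actually set rather than at every descendant that inherits it; remove the `IsInherited` check if you want the full effective picture.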

Set Security Using Special Permissions

Whenever possible, view and modify permissions using the more granular permissions. To access the more granular (i.e., special) permissions, choose the Advanced button on the regular Security permissions window (as shown in Figure 3-10) to reveal the special permissions (as shown in Figure 3-11). Although it may seem like more effort than is necessary at first, it is crucial that you follow this advice. First, by revealing the more granular permissions, you can better understand what the effective permissions are. Second, and more important, I've often seen the more granular permissions reveal something the summary permissions did not. For example, when securing an IIS web server, I kept choosing the Read summary permission. To my dismay, when I checked the underlying special permissions, the Read Data and the Traverse Folder/Execute File permissions were enabled, giving more access than was needed. I've seen similar "disagreements" over the past five years, and when I call Microsoft they are unable to duplicate the issue, but I see it every few months. By setting permissions using the more granular settings, you can always be sure about what you are getting.
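The mismatch described above can be made visible without clicking through the Advanced dialog. The following PowerShell script is an added example, not code from the book: it expands each ACE's `FileSystemRights` value into the individual special permissions the Advanced dialog lists, and reports any bits beyond the summary level you intended to grant. The path `C:\inetpub\wwwroot` is a placeholder; `Synchronize` is deliberately ignored as excess because the security dialog adds it to every summary level.

```powershell
# Added example (not from the book): expand each ACE's FileSystemRights into the
# individual special permissions shown on the Advanced security dialog, and
# report any bits that exceed the summary level the administrator intended.
# The path and the intended level used at the bottom are placeholders.

# Single-bit special permissions, keyed by FileSystemRights member name, with
# the label the Advanced dialog uses for each one.
$SpecialPermissions = [ordered]@{
    ReadData                     = 'List Folder / Read Data'
    WriteData                    = 'Create Files / Write Data'
    AppendData                   = 'Create Folders / Append Data'
    ReadExtendedAttributes       = 'Read Extended Attributes'
    WriteExtendedAttributes      = 'Write Extended Attributes'
    ExecuteFile                  = 'Traverse Folder / Execute File'
    DeleteSubdirectoriesAndFiles = 'Delete Subfolders and Files'
    ReadAttributes               = 'Read Attributes'
    WriteAttributes              = 'Write Attributes'
    Delete                       = 'Delete'
    ReadPermissions              = 'Read Permissions'
    ChangePermissions            = 'Change Permissions'
    TakeOwnership                = 'Take Ownership'
    Synchronize                  = 'Synchronize'
}

# Returns the special-permission labels contained in a rights value; accepts a
# summary name ('Read', 'Modify', ...) or any FileSystemRights combination.
function Expand-FileSystemRights {
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    $value = [int]$Rights
    foreach ($name in $SpecialPermissions.Keys) {
        $bit = [int][System.Security.AccessControl.FileSystemRights]$name
        if (($value -band $bit) -eq $bit) { $SpecialPermissions[$name] }
    }
}

# Lists every Allow ACE on $Path with its granular rights and the bits (if any)
# beyond $Intended. Synchronize is never counted as excess because the security
# dialog adds it to every summary level it writes.
function Compare-AceToIntended {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Intended = 'Read'
    )
    $allowed = [int]$Intended -bor [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $excess = [int]$ace.FileSystemRights -band (-bnot $allowed)
        $excessLabels = if ($excess -eq 0) { @() } else { @(Expand-FileSystemRights $excess) }
        [pscustomobject]@{
            Identity = $ace.IdentityReference.Value
            Granted  = (Expand-FileSystemRights $ace.FileSystemRights) -join ', '
            # Generic-rights bits have no single-bit label, so fall back to hex.
            Excess   = if ($excess -eq 0) { '(none)' }
                       elseif ($excessLabels.Count -gt 0) { $excessLabels -join ', ' }
                       else { '0x{0:X}' -f $excess }
        }
    }
}

# What each summary level actually contains: Read & Execute adds
# 'Traverse Folder / Execute File' on top of plain Read.
foreach ($summary in @('Read', 'ReadAndExecute', 'Modify')) {
    '{0,-15} = {1}' -f $summary, ((Expand-FileSystemRights $summary) -join ', ')
}

# Placeholder path; compare what is actually set against an intended level of Read.
Compare-AceToIntended -Path 'C:\inetpub\wwwroot' -Intended Read | Format-Table -AutoSize
```

The first loop prints the mapping from summary level to special permissions, which is where the Read versus Read & Execute difference in the anecdote shows up; the second call is the per-ACE check you would run on a folder after setting its permissions.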



Professional Windows Desktop and Server Hardening (Programmer to Programmer)
ISBN: 0764599909
Year: 2004
Pages: 122