Copping an Attitude


To maintain a secure networking environment, you must be a pessimist. View every user as a potential security leak. The key to this philosophy is to grant only the exact level of access that users or groups need to perform their work tasks and absolutely nothing more. To take this to its logical end, you need to deal with the Everyone group and user rights.

The Everyone group

The Everyone group is a default group created by the system that includes all defined users and all anonymous users. Although it's not the catchall group it was in Windows NT 4.0, the expansive nature of the Everyone group can still cause a security problem because Windows 2003 by default grants Read access to the Everyone group on new volumes and new shares. This means that you need to keep an eye on where this group appears in your system. You may be granting blanket access where you really don't want any snuggling going on.

The Everyone group can seem hard to track down. It doesn't appear in the list of built-in groups as viewed through Active Directory Users and Computers, for example. However, it does appear in the list of groups when setting security on objects. The Everyone group can't be removed from the system, but it can be effectively managed with a little effort. See Chapter 15 for more information on the Everyone group.

The Authenticated Users group is a standard feature of Windows 2003. It contains all defined users but does not contain anonymous users. Generally, you want to use the Authenticated Users group instead of the Everyone group when you need to grant blanket access. The Everyone group must remain on your system for backward compatibility and system-level requirements (such as allowing your system to boot).

Tip 

Don't set all permissions for the Everyone group to Deny because you'll prevent anyone from accessing resources. Instead, just remove the Everyone group from the list of users and groups granted access.

Each time you create a new drive or a share, remove the Everyone group, and then add only those users or groups that need access to the resource. Just as you don't want everyone gaining access to your computer, you don't want "everyone" to be allowed access to areas where it's not required.
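The procedure above (remove Everyone from a new folder and its share, then grant only the group that needs access) as a PowerShell script. This is an added example, not code from the book: it assumes an elevated session on a current Windows Server with the SmbShare module (Windows Server 2012 or later; Windows Server 2003 had no such cmdlets and used the Explorer and Computer Management dialogs for the same steps). The folder path, share name and group are placeholders.

```powershell
# Added example: lock down a newly created folder and its share so that only
# Authenticated Users (or a narrower group of your choice) can read it.
# Assumes an elevated session and the SmbShare module (Windows Server 2012+).
param(
    [string]$Path       = 'D:\Projects',         # placeholder folder on a new volume
    [string]$ShareName  = 'Projects',            # placeholder share name
    [string]$AllowGroup = 'Authenticated Users'  # group that replaces Everyone
)

$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'  # well-known SID for Everyone

# --- NTFS permissions ---
# Stop inheriting from the volume root so a root-level Everyone:Read ACE cannot
# flow in, but keep copies of the inherited entries so they can be edited explicitly.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Path -AclObject $acl

# Re-read, purge every ACE that names Everyone, and grant Read & Execute to the chosen group.
$acl = Get-Acl -Path $Path
$acl.PurgeAccessRules($everyone)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $AllowGroup,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# --- Share permissions ---
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path | Out-Null   # new shares get Everyone:Read by default
}
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
Grant-SmbShareAccess  -Name $ShareName -AccountName $AllowGroup -AccessRight Read -Force | Out-Null

# --- Verification: report any remaining reference to Everyone on either layer ---
$ntfsLeft  = (Get-Acl -Path $Path).Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' }
$shareLeft = Get-SmbShareAccess -Name $ShareName | Where-Object { $_.AccountName -eq 'Everyone' }
if ($ntfsLeft -or $shareLeft) {
    Write-Warning "Everyone still appears on $Path or \\$env:COMPUTERNAME\$ShareName"
} else {
    Write-Output "Everyone removed; $AllowGroup has Read on $Path and \\$env:COMPUTERNAME\$ShareName"
}
```

Both layers matter: a user's effective access through a share is the more restrictive of the share permission and the NTFS permission, so leaving Everyone:Read on either one still grants blanket read access. The script breaks inheritance on the folder first so that the default Everyone entry on the volume root does not reappear after it is purged.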

User rights

User rights are system-level privileges that control what types of activities can occur or be performed. The default setting of user rights is reasonably secure, but you can make a few improvements. The User Rights management interface is accessed using the Group Policy editor. (See the "Passwords and security" section earlier in this chapter.) The User Rights Assignment is located under Security Settings → Local Policies → User Rights Assignment. Through this interface, user rights are granted or revoked. Here are several changes you should consider making:

  • Remove the Guests group from the Allow Log on Locally right: Making this change inhibits nonauthenticated users from gaining unauthorized access.

  • Remove the Everyone group from the Access This Computer from the Network right: Making this change inhibits nonauthenticated users from gaining access to hosted resources over the network.

  • Remove the Everyone group from the Bypass Traverse Checking right: Making this change inhibits nonauthenticated users from jumping into subdirectories for which they do not have access to parent directories.

  • Remove the Backup Operators group from the Restore Files and Directories right: Making this change inhibits nonadministrators from restoring files from backup tapes. Because files can be restored to file allocation table (FAT) partitions, where their Access Control Lists (ACLs) are lost, this is an important security modification.

After you make these changes, double-check that regular users still have the capabilities they need to perform their required tasks. You may need to grant a few users or groups these user rights. For example, if you want users to access resources on a server from across the network, you should add a group, such as the Users group, to the Access This Computer from the Network user right.
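The four user-rights changes listed above, plus the follow-up step of adding the Users group to Access This Computer from the Network, as a PowerShell script driven by secedit (the tool that the Local Security Policy and Group Policy editors write through). This is an added example, not code from the book. It assumes an elevated session, edits local policy only (in a domain, a GPO setting for the same right overrides it on the next refresh, so make the same edit in the GPO instead), and uses temporary file paths that are placeholders; the privilege names and well-known SIDs are Windows constants.

```powershell
# Added example: apply the user-rights changes recommended above with secedit.
# Assumes an elevated session; local policy only. Temp paths are placeholders.
$cfg = Join-Path $env:TEMP 'rights-export.inf'   # placeholder: current policy export
$new = Join-Path $env:TEMP 'rights-apply.inf'    # placeholder: edited policy to import
$db  = Join-Path $env:TEMP 'rights-apply.sdb'    # placeholder: secedit working database

# Privilege name as stored in the .inf  -> well-known SID to remove from it
$removals = @{
    'SeInteractiveLogonRight' = 'S-1-5-32-546'  # Allow log on locally                  : Guests
    'SeNetworkLogonRight'     = 'S-1-1-0'       # Access this computer from the network : Everyone
    'SeChangeNotifyPrivilege' = 'S-1-1-0'       # Bypass traverse checking              : Everyone
    'SeRestorePrivilege'      = 'S-1-5-32-551'  # Restore files and directories         : Backup Operators
}
# Keep ordinary network access working: grant the Users group the network logon right.
$additions = @{
    'SeNetworkLogonRight'     = 'S-1-5-32-545'  # BUILTIN\Users
}

# 1. Export only the user-rights area of the current local policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $cfg

# 2. Rewrite the [Privilege Rights] entries; every other line passes through unchanged.
#    secedit writes each right as "SeName = *SID,*SID,...".
$out = foreach ($line in $lines) {
    if ($line -match '^(?<name>Se\w+)\s*=\s*(?<sids>.*)$') {
        $name = $Matches.name
        $sids = @($Matches.sids -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($removals.ContainsKey($name)) {
            $sids = @($sids | Where-Object { $_ -ne "*$($removals[$name])" })
        }
        if ($additions.ContainsKey($name) -and ("*$($additions[$name])" -notin $sids)) {
            $sids += "*$($additions[$name])"
        }
        "$name = $($sids -join ',')"
    } else {
        $line
    }
}
Set-Content -Path $new -Value $out -Encoding Unicode   # secedit expects a Unicode .inf

# 3. Show exactly which lines change before anything is applied.
Compare-Object -ReferenceObject $lines -DifferenceObject $out | Format-Table -AutoSize

# 4. Apply the edited user-rights area to the local security database.
secedit /configure /db $db /cfg $new /areas USER_RIGHTS | Out-Null
```

Step 3 is the check the paragraph above asks for: review the diff, confirm that the only rights touched are the four listed, and then test that regular users can still reach the resources they need. Bypass Traverse Checking in particular is relied on by some applications, so after removing Everyone from it, grant it back to a specific group if something that worked before starts failing with access-denied errors on deep paths.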

Windows Server 2003 for Dummies
ISBN: 0764516337
Year: 2003
Pages: 195