Summary


Whew, you made it! It is hoped that your understanding of Windows security and Windows permissions is significantly better than when you started the chapter. If you want, review the list of common misconceptions at the beginning of this chapter and make sure you understand why those statements are false. If you still don't understand one of them, review the related section or e-mail me (at roger@banneretcs.com). Chapter 3 ends the first portion of this book, The Basics in Depth. Here is a list of recommendations given in this chapter.

  • Understand all the different built-in groups and users and when they should be used.

  • Disable delegation on highly privileged users (and any computers) not needing delegation.

  • On Windows Server 2003 servers required to use delegation, enable constrained delegation.

  • Make sure the anonymous null session user is not part of the Everyone group (unless you have legacy support issues).

  • Make sure SIDHistory filtering is enabled in your environment, which it usually is by default.

  • Use the AGULP method to assign security permissions.

  • Always assign permissions to groups and never to individual users.

  • Use the special, more granular permissions when reviewing or setting NTFS permissions.

  • Set Share and NTFS permissions as tightly as you can following the least-privilege principle.

  • Use Share Change permissions instead of Full Control.

  • Use NTFS Modify permissions instead of Full Control unless a user really needs Full Control.

  • When assigning new permissions, give permissions to the Authenticated Users group instead of the Everyone group.

None of these security recommendations will protect your network if the hacker can crack your passwords. Chapter 4 will show you how to make your Windows passwords uncrackable.



Professional Windows Desktop and Server Hardening
Professional Windows Desktop and Server Hardening (Programmer to Programmer)
ISBN: 0764599909
Year: 2004
Pages: 122
