Local system permissions

This excerpt from The Definitive Guide to Securing Windows in the Enterprise covers local system permissions and how you can reconfigure the default permissions to reduce the likelihood of an attacker gaining access to your network.

The following excerpt series from Chapter 2 of the free eBook "The Definitive Guide to Securing Windows in the Enterprise" (Realtimepublishers) is written by Don Jones. To obtain all eBook chapters from this guide, go to cc.realtimepublishers.com.

Local system permissions

Local system permissions are the final area covered in this chapter. Consider Cmd.exe, a file that is usually located in C:\Windows\System32. Figure 2.16 shows the file permissions on Cmd.exe on a Windows XP Professional computer that has been upgraded to SP2.

Figure 2.16: Default permissions on Cmd.exe.

Notice that the SYSTEM account has Full Control. Why would the system itself need to open a new command-line window? I typically remove the SYSTEM account from this and many other files in the file system.

Also notice that the Internet Guest Account has permissions to run Cmd.exe. Anonymous users have the ability to open a command-line window and execute commands. Spend some time investigating the default permissions on the many files and folders lurking around in Windows, and apply more sensible defaults. Some other files you might want to investigate include:

  • Command.com

  • Ftp.exe

  • Tftp.exe

  • Telnet.exe

  • WScript.exe

  • CScript.exe

  • Net.exe

Don't try to delete these files; most are under Windows File Protection and will be replaced eventually (by a service pack, if nothing else). Instead, modify the permissions on these files so that only appropriate users -- real users, not SYSTEM -- can execute them.
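
The following read-only audit is an added example, not part of the original eBook. It lists Allow entries that give SYSTEM or the Internet Guest Account execute rights on the files named above. It assumes PowerShell 3.0 or later and that the Internet Guest Account is named IUSR_<computer> or IUSR; the function name Get-RiskyExecuteAce is hypothetical.

```powershell
# Added example: read-only audit of execute rights on the files listed above.
$files = 'cmd.exe', 'command.com', 'ftp.exe', 'tftp.exe', 'telnet.exe',
         'wscript.exe', 'cscript.exe', 'net.exe'
$system32 = Join-Path $env:SystemRoot 'System32'
$execute  = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile

# Resolve SYSTEM from its well-known SID (S-1-5-18) so the match also works
# on localized Windows builds.
$systemSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'
$systemName = $systemSid.Translate([System.Security.Principal.NTAccount]).Value

# Assumption: the Internet Guest Account appears as IUSR_<computer> or IUSR.
$iusrPattern = '\\IUSR(_|$)'

function Get-RiskyExecuteAce {
    param([string[]]$Path)
    foreach ($p in $Path) {
        # Skip files that are absent on this build (for example command.com).
        if (-not (Test-Path -LiteralPath $p)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $p).Access) {
            $id         = $ace.IdentityReference.Value
            $canExecute = ([int]$ace.FileSystemRights -band $execute) -ne 0
            $flagged    = ($id -eq $systemName) -or ($id -match $iusrPattern)
            if ($ace.AccessControlType -eq 'Allow' -and $canExecute -and $flagged) {
                [pscustomobject]@{
                    File      = $p
                    Identity  = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$targets = $files | ForEach-Object { Join-Path $system32 $_ }
Get-RiskyExecuteAce -Path $targets |
    Sort-Object File, Identity |
    Format-Table -AutoSize
```

The report covers Allow entries only and does not compute effective access, so a Deny entry elsewhere in the ACL may already block a flagged identity. Entries marked Inherited come from the parent folder and have to be changed there or by breaking inheritance on the file.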

Summary

Client computers represent a significant security risk in many organizations simply because they're rarely as controlled or as well-configured as servers. This chapter has introduced you to some of the major client vulnerabilities and given you some tips on how to lock them down appropriately. One way to get a better handle on client security is to think about the entire life cycle data takes in your organization -- from the server, across the network, to the client, to portable devices, and so forth. Thinking about that life cycle will help you better implement appropriate levels of security at each point in the cycle.

The next chapter will focus on a topic that affects both clients and servers -- the software built into Windows that presents major vulnerabilities. Often called "middleware," applications such as Internet Explorer (IE), Windows Media Player, and other applications have a reputation for security problems. I'll show you some ways in which those problems can be addressed and mitigated.

To download the complete chapter, Securing Clients, click for the .pdf.


Click for the book excerpt series or visit cc.realtimepublishers.com for the entire eBook, "The Definitive Guide to Securing Windows in the Enterprise."


This was first published in October 2005