Book Excerpt

Local system permissions

The Definitive Guide to Securing Windows in the Enterprise The following excerpt series from Chapter 2 of the free eBook "The Definitive Guide to Securing Windows in the Enterprise" (Realtimepublishers) is written by Don Jones. To obtain all eBook chapters from this guide, go to cc.realtimepublishers.com.

Local system permissions

Local system permissions are the final area covered in this chapter. Consider Cmd.exe, a file that is usually located in C:WindowsSystem32. Figure 2.16 shows the file permissions on Cmd.exe on a Windows XP Professional computer that has been upgraded to SP2.

Figure 2.16: Default permissions on Cmd.exe.

Notice that the SYSTEM account has Full Control. Why would the system itself need to open a new command-line window? I typically remove the SYSTEM account from this and many other files in the file system.

Also notice that the Internet Guest Account has permissions to run Cmd.exe. Anonymous users have the ability to open a command-line window and execute commands. Spend some time investigating the default permissions on the many files and folders lurking around in Windows and to apply more sensible defaults. Some other files you might want to investigate include:

  • Command.com

  • Ftp.exe

  • Tftp.exe

  • Telnet.exe

  • WScript.exe

  • CScript.exe

  • Net.exe

Don't try to delete these files; most are under Windows File Protection and will be replaced eventually (by a service pack, if nothing else). Instead, modify the permissions on these files so that only appropriate users -- real users, not SYSTEM -- can execute them.

Summary

Client computers represent a significant security risk in many organizations simply because they're rarely as controlled or as well-configured as servers. This chapter has introduced you to some of the major client vulnerabilities and given you some tips on how to lock them down appropriately. One way to get a better handle on client security is to think about the entire life cycle data takes in your organization -- from the server, across the network, to the client, to portable devices, and so forth. Thinking about that life cycle will help you better implement appropriate levels of security at each point in the cycle.

The next chapter will focus on a topic that affects both clients and servers -- the software built-in to Windows that presents major vulnerabilities. Often called "middleware," applications such as Internet Explorer (IE), Windows Media Player, and other applications have a reputation for security problems. I'll show you some ways in which those problems can be addressed and mitigated.

To download the complete chapter, Securing Clients, click for the .pdf.


Click for the book excerpt series or visit cc.realtimepublishers.com for the entire eBook, "The Definitive Guide to Securing Windows in the Enterprise."



This was first published in October 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: