From Tony Bradley, CISSP-ISSAP,
Your Guide to Internet / Network Security.
FREE Newsletter. Sign Up Now!

Similarly, when you create a shared drive or folder, the Everyone group now has only Read permission by default, rather than full control. This is quite a change from earlier versions of Windows, where every new folder gave everyone full control via both NTFS and share permissions.

NOTE: Although the Everyone group has no NTFS permissions to a newly created folder or file, the Users group does have the following permissions: Read & Execute, Read, and List Folder Contents. What’s the difference between Everyone and Users? One big difference is that you can add and delete members of the Users group. By default, any new user you create will belong to the Users group but this can be changed. The Everyone group is a built-in group with set membership (that is, you cannot add and delete members as you can with most other security groups).

By default, the Administrators group, the system and the owner/creator still have full control of new folders via NTFS permissions.

Permissions can be applied not only to NTFS files and folders and shared folders (regardless of file system), but also to Active Directory objects. Another change in Windows Server 2003 is to the default Active Directory permissions to the IP Security Policies container, which are more restrictive than in Windows 2000. Now the only users who have Read permission are Group Policy Creator Owners and members of the Domain Computers group. Domain Admins group members are able to make configuration changes to this container.

Changes to the Membership of the Everyone Group
In past versions of Windows, the built-in Everyone group consisted of literally everyone who accessed the system, including anonymous users. In Server 2003, the Everyone group does not incude anonymous users, so that even if permissions are granted to the Everyone group, those who are logged on anonymously do not have those permissions.

Those who log on anonymously are part of the Anonymous Logon group, another built-in group with set membership.

Note that in a Windows Server 2003 domain environment, you can allow members of the Anonymous Logon group to be members of the Everyone group on a domain controller by editing the domain security policy (Start | Programs | Administrative Tools | Domain Security Policy). In the left pane of the console, expand the following nodes: Default Domain Controller Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies, and click Security Options. In the details pane, right click Network Access: Let Everyone permissions apply to anonymous users. Select Properties and check the Define this policy checkbox, then select Enabled to apply the policy.

Changes in Object Ownership
By default, the creator of a file or folder on an NTFS partition is the owner of that object. In previous versions of Windows, it was possible to take ownership but it was not possible for the owner to give ownership to someone else. In Server 2003, however, you can “give away” the ownership of an object if you are the owner.

This is done by right clicking the file or folder, selecting Properties, selecting the Security tab, and clicking the Advanced button. Click the Owner tab; this shows the current owner of the item. Under Change owner to, you can select a user or group account to which you want to assign ownership. This gives you more control and makes it easier to change the ownership of file and folder objects (this also applies to printer objects).

Summary
Default settings in Windows Server 2003 are designed to provide more of a locked down environment than ever before. In Part 2, we’ll look at changes to the default settings for common services, changes in the authentication process, and also at those areas in which some feel Server 2003’s default are still too open.

About Deb Shinder
Debra LittleJohn Shinder(MCSE) is a technology consultant, trainer and writer who has written a number of books on networking, including Computer Networking Essentials, published by Cisco Press and Scene of the Cybercrime, published by Syngress Media. She is co-author, with her husband Dr. Thomas Shinder, of Troubleshooting Windows 2000 TCP/IP and the best-selling Configuring ISA Server 2000, both published by Syngress Media, as well as the new ISA Server and Beyond. Deb tech edited Syngress’s Security + Study Guide and was a major contributor to Que’s TruSecure ICSA Certified Security Associate exam guide. Deb lives and works in the Dallas-Ft Worth area and can be contacted at deb@shinder.net or via the website at www.shinder.net.