Copping an Attitude
To maintain a secure networking environment, you must be a pessimist. View every user as a potential security leak. The key to this philosophy, known as the principle of least privilege, is to grant users and groups only the exact level of access they need to perform their work tasks and absolutely nothing more, and to apply that rule rigorously. On Windows Server 2008, taking this to its logical end means dealing with two things in particular: the Everyone group and user rights.
The Everyone group
The Everyone group is a built-in group whose membership the system computes for you: it contains every account that logs on, including the Guest account, and, if the policy Network access: Let Everyone permissions apply to anonymous users is enabled (it is disabled by default), anonymous users as well. Although it is no longer the catchall it was in Windows NT 4.0, where anonymous users were always members, the expansive nature of the Everyone group can still cause security problems because Windows Server 2008 grants Read access to Everyone by default on new shares and, as the page notes, you may find it on new volumes as well. This means that you should watch closely where this group appears on your system. You may be granting blanket access where you really don't want any snuggling going on.
The Everyone group might seem hard to track down. It doesn't appear in the list of built-in groups as viewed through Active Directory Users and Computers, for example. However, it does appear in the list of groups when setting security on objects. The Everyone group can't be removed from the system, but it can be effectively managed with a little effort.
The Authenticated Users group is a standard feature of Windows Server 2008. It contains every user and computer account that has actually authenticated, but not the Guest account and not anonymous users, so it is Everyone minus exactly the principals you least want. Generally, use the Authenticated Users group instead of the Everyone group when you need to grant blanket access. The Everyone group itself must remain on the system for backward compatibility and system-level requirements (such as allowing the system to boot), so the goal is to stop granting it permissions, not to get rid of it.
Don't set all permissions for the Everyone group to Deny. Every logged-on account, administrators included, is a member of Everyone, and a Deny entry overrides any Allow entry, so you'll lock everyone out of the resource. Instead, just remove the Everyone group from the list of users and groups granted access, so that it is neither allowed nor denied.
Each time you create a new drive or a share, remove the Everyone group and then add only those users or groups that need access to the resource. Just as you don't want everyone gaining access to your computer, you don't want "everyone" to be allowed access to areas where it isn't required.
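The following is an added example, not code from the original tutorial. It carries out the procedure above from an elevated PowerShell prompt on Windows Server 2008: strip the explicit Everyone entries from a folder or volume root and put Authenticated Users in their place, create a share whose share-level permissions name Authenticated Users instead of the default Everyone: Read, and audit existing shares for any that still grant Everyone. The names D:\Projects and Projects are assumptions for illustration; add your own narrower groups after Authenticated Users as the text advises.

```powershell
# Added example (not part of the original tutorial). Assumes Windows Server 2008,
# PowerShell run elevated; $Path and $ShareName values below are illustrative.

# 1. Replace explicit Everyone entries in a folder or volume root ACL with
#    Authenticated Users (Read & Execute, inherited by subfolders and files).
function Remove-EveryoneFromAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Inherited entries cannot be removed here; fix those on the parent instead.
    $everyone = $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and -not $_.IsInherited }
    foreach ($ace in $everyone) { [void]$acl.RemoveAccessRule($ace) }
    $ruleArgs = @(
        'NT AUTHORITY\Authenticated Users',
        'ReadAndExecute',
        'ContainerInherit, ObjectInherit',
        'None',
        'Allow'
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 2. Create the share with share-level permissions for Authenticated Users only.
#    Supplying /GRANT means the default "Everyone: Read" entry is never created.
function New-RestrictedShare {
    param([string]$ShareName, [string]$Path)
    net share "$ShareName=$Path" "/GRANT:Authenticated Users,READ"
}

# 3. Audit: return the names of existing shares whose share-level DACL
#    still contains Everyone (well-known SID S-1-1-0).
function Find-SharesGrantingEveryone {
    Get-WmiObject Win32_LogicalShareSecuritySetting | ForEach-Object {
        $dacl = $_.GetSecurityDescriptor().Descriptor.DACL
        foreach ($ace in $dacl) {
            if ($ace.Trustee.SIDString -eq 'S-1-1-0') { $_.Name }
        }
    }
}

# Usage (assumed names):
# Remove-EveryoneFromAcl -Path 'D:\Projects'
# New-RestrictedShare -ShareName 'Projects' -Path 'D:\Projects'
# Find-SharesGrantingEveryone
```

Run the audit function before and after the change; any share name it prints still grants Everyone at the share level, and the NTFS ACL beneath it deserves the same inspection with Get-Acl.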
User rights
User rights are system-level privileges that control what types of activities an account can perform, independently of the permissions set on individual objects. The default settings are reasonably secure, but you can make a few improvements. The User Rights Assignment interface is accessed through the Group Policy editor (see the "Passwords and security" section earlier in this tutorial), or through Local Security Policy (secpol.msc) on a standalone server, under Security Settings → Local Policies → User Rights Assignment (in a Group Policy object this sits below Computer Configuration → Windows Settings). Through this interface, user rights are granted or revoked. Here are some changes you should consider making:
- Remove the Guests group from the Allow log on locally right if it appears there, or add it to the Deny log on locally right, which takes precedence over any Allow entry: This inhibits unauthenticated (guest) users from gaining unauthorized access at the console.
- Remove the Everyone group from the Access this computer from the network right: This inhibits guest and anonymous users from reaching hosted resources over the network. Leave Users or Authenticated Users in place (and, on a domain controller, Authenticated Users and Enterprise Domain Controllers), or legitimate logons and replication will fail.
- Remove the Everyone group from the Bypass traverse checking right: This inhibits guest and anonymous users from jumping into subdirectories when they don't have access to parent directories. The Users group normally retains this right, so authenticated users are unaffected; if you remove it from a group that needs it, expect "access denied" errors whenever a program opens a file through a parent folder on which the user lacks Traverse Folder permission.
- Remove the Backup Operators group from the Restore files and directories right: This inhibits nonadministrators from restoring files from backup media. The right lets its holder write any file regardless of its ACL and assign any owner, and restored files can land on file allocation table (FAT) partitions where access control lists (ACLs) are lost, so this is an important security modification. Administrators, who keep the right, must then perform restores themselves.
After you make these changes, double-check that regular users still have the capabilities they need to perform their required tasks. You may need to grant a few users or groups additional user rights. For example, if you want users to access resources on a server from across the network, make sure a group such as Users or Authenticated Users is listed under the Access this computer from the network user right.
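The following is an added example, not code from the original tutorial, that performs the double-check above: it exports the effective user-rights policy with secedit, parses the [Privilege Rights] section, and reports whether each of the four recommended changes is in effect, then warns if neither Users nor Authenticated Users still holds Access this computer from the network. It assumes Windows Server 2008 with PowerShell run from an elevated prompt; the privilege names are the system's internal names for the rights discussed above.

```powershell
# Added example (not part of the original tutorial). Assumes Windows Server 2008,
# PowerShell run elevated. Audits the four user-rights changes recommended above.

# Internal privilege names and the well-known SIDs that should no longer hold them.
$Checks = @(
    @{ Right = 'SeInteractiveLogonRight'; Sid = 'S-1-5-32-546'; Label = 'Guests must not hold "Allow log on locally"' },
    @{ Right = 'SeNetworkLogonRight';     Sid = 'S-1-1-0';      Label = 'Everyone must not hold "Access this computer from the network"' },
    @{ Right = 'SeChangeNotifyPrivilege'; Sid = 'S-1-1-0';      Label = 'Everyone must not hold "Bypass traverse checking"' },
    @{ Right = 'SeRestorePrivilege';      Sid = 'S-1-5-32-551'; Label = 'Backup Operators must not hold "Restore files and directories"' }
)

function Get-UserRightsTable {
    # Export only the USER_RIGHTS area; secedit writes a Unicode .inf file.
    $inf = Join-Path $env:TEMP 'user-rights-audit.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    # Lines under [Privilege Rights] look like: SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
    foreach ($line in Get-Content $inf) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = $Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') }
        }
    }
    Remove-Item $inf
    return $rights
}

function Test-UserRights {
    $rights = Get-UserRightsTable
    foreach ($c in $Checks) {
        $holders = $rights[$c.Right]   # $null when nobody holds the right
        if ($holders -contains $c.Sid) { "FAIL: $($c.Label)" } else { "PASS: $($c.Label)" }
    }
    # Sanity check from the text: ordinary users must still reach the server over the network.
    $net = $rights['SeNetworkLogonRight']
    if (-not (($net -contains 'S-1-5-32-545') -or ($net -contains 'S-1-5-11'))) {
        "WARN: neither Users (S-1-5-32-545) nor Authenticated Users (S-1-5-11) holds 'Access this computer from the network'"
    }
}

Test-UserRights
```

On a domain member the exported file reflects the effective policy after Group Policy has applied, so a FAIL line on a server you have already edited locally usually means a domain GPO is putting the entry back.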