UNCLASSIFIED
Windows Server 2003 Checklist 5.0.0
Appendix A
Field Security Operations
Defense Information Systems Agency

A OBJECT PERMISSIONS

For Windows Server 2003, NSA has determined that the default file ACL settings are adequate when the Security Option “Network access: Let everyone permissions apply to anonymous users” is set to “Disabled” and Power User group membership for client systems is restricted through Group Policy to no members. Any Registry ACL settings listed in this appendix always apply. In a Mixed Windows environment (containing systems with Windows NT 4 or Win9x/ME) the file ACLs in this appendix will be configured.

This appendix details the minimum required privileges assigned to the ACLs of Windows file and registry objects. Discrepancies may occur if either of the two following conditions is true:

- The object’s security posture is more restrictive than specified in this document.
- The object’s security posture is configured in direct support of the system’s mission.

Note: If an ACL setting prevents a site’s applications from performing properly, the site can modify that specific setting. Settings should only be changed to the minimum necessary for the application to function. Each exception to the recommended settings should be documented and kept on file by the IAO.

Contents
A    Object Permissions
A.1  File and Folder Permissions
A.2  Registry Permissions
A.3  Default Server 2003 File and Folder Permissions
A.1 File and Folder Permissions

Object                              Required Permissions
%SystemDrive%                       Administrators: Full
                                    System: Full
                                    Creator Owner: Full
                                    Users: Read, Execute (This should only apply to the directory and not propagate.)

Each executable listed below        Administrators: Full
                                    System: Full

%SystemRoot%\regedit.exe
%SystemRoot%\System32\arp.exe
%SystemRoot%\System32\at.exe
%SystemRoot%\System32\attrib.exe
%SystemRoot%\System32\cacls.exe
%SystemRoot%\System32\debug.exe
%SystemRoot%\System32\edlin.exe
%SystemRoot%\System32\eventcreate.exe
%SystemRoot%\System32\eventtriggers.exe
%SystemRoot%\system32\ftp.exe
%SystemRoot%\System32\nbtstat.exe
%SystemRoot%\system32\net.exe
%SystemRoot%\system32\net1.exe
%SystemRoot%\system32\netsh.exe
%SystemRoot%\System32\netstat.exe
%SystemRoot%\System32\nslookup.exe
%SystemRoot%\System32\ntbackup.exe
%SystemRoot%\system32\rcp.exe
%SystemRoot%\system32\reg.exe
%SystemRoot%\system32\regedt32.exe
%SystemRoot%\System32\regini.exe
%SystemRoot%\system32\regsvr32.exe
%SystemRoot%\system32\rexec.exe
%SystemRoot%\system32\route.exe
%SystemRoot%\system32\rsh.exe
%SystemRoot%\system32\sc.exe
%SystemRoot%\System32\secedit.exe
%SystemRoot%\system32\subst.exe
%SystemRoot%\System32\systeminfo.exe
%SystemRoot%\system32\telnet.exe
%SystemRoot%\system32\tftp.exe
%SystemRoot%\system32\tlntsvr.exe

A.2 Registry Permissions

Object Name: \SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

Account Assignment                                                      Permission
Administrators                                                          all
Backup Operators                                                        read(QENR)
LOCAL SERVICE                                                           read(QENR)
Exchange Enterprise Servers group (on Domain Controllers and            all
Exchange servers)

Note: If permissions are subdelegated with the Exchange Administration feature, then additional accounts and groups may appear on the winreg key. If this has been done, these should be documented with the site IAO and made available for any reviewer.

A.3 Default Server 2003 File and Folder Permissions

The following table contains the default out-of-the-box File ACL settings for Server 2003. When the Security Option “Network access: Let everyone permissions apply to anonymous users” is set to “Disabled” and Power User group membership for client systems is restricted through Group Policy to no members, reviewers can use these settings to spot check that the default permissions have not been made less restrictive.
Object                              Default Permissions
%SystemDrive%                       Administrators: Full
                                    System: Full
                                    Creator Owner: Full (Subfolders & Files)
                                    Everyone: Read, Execute (folder only)
                                    Users: Read, Execute
                                    Users: Create Folders/Append Data (Folders & Subfolders)
                                    Users: Create Folders/Write Data (Subfolders)

%SystemRoot%\regedit.exe            (Inherited)
%SystemRoot%\system32\regedt32.exe  Administrators: Full
%SystemRoot%\system32\tlntsvr.exe   Authenticated Users: Read, Execute
                                    Server Operators: Modify
                                    System: Full

Each executable listed below        Administrators: Full
                                    BATCH: Read, Execute
                                    Interactive: Read, Execute
                                    SERVICE: Read, Execute
                                    System: Full

%SystemRoot%\System32\arp.exe
%SystemRoot%\System32\at.exe
%SystemRoot%\System32\attrib.exe
%SystemRoot%\System32\cacls.exe
%SystemRoot%\System32\debug.exe
%SystemRoot%\System32\edlin.exe
%SystemRoot%\System32\eventcreate.exe
%SystemRoot%\System32\eventtriggers.exe
%SystemRoot%\system32\ftp.exe
%SystemRoot%\System32\nbtstat.exe
%SystemRoot%\system32\net.exe
%SystemRoot%\system32\net1.exe
%SystemRoot%\system32\netsh.exe
%SystemRoot%\System32\netstat.exe
%SystemRoot%\System32\nslookup.exe
%SystemRoot%\System32\ntbackup.exe
%SystemRoot%\system32\rcp.exe
%SystemRoot%\system32\reg.exe
%SystemRoot%\System32\regini.exe
%SystemRoot%\system32\regsvr32.exe
%SystemRoot%\system32\rexec.exe
%SystemRoot%\system32\route.exe
%SystemRoot%\system32\rsh.exe
%SystemRoot%\system32\sc.exe
%SystemRoot%\System32\secedit.exe
%SystemRoot%\system32\subst.exe
%SystemRoot%\System32\systeminfo.exe
%SystemRoot%\system32\telnet.exe
%SystemRoot%\system32\tftp.exe
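The following PowerShell script is an added reviewer aid and is not part of the DISA checklist. It transcribes the A.1 required permissions, the A.2 winreg key permissions and the A.3 default permissions into baselines and reports every Allow entry that grants an identity more than the baseline permits, which is the "less restrictive than required" condition the checklist asks reviewers to look for. It assumes Windows PowerShell 2.0 or later running in an elevated session, uses the well-known account names as Get-Acl reports them, and uses a `$mixedEnvironment` flag (an assumption, not a checklist term) to choose between the A.1 posture and the A.3 spot check. The Exchange Enterprise Servers entry from A.2 is left as a commented addition because it applies only on domain controllers and Exchange servers.

```powershell
# Added audit helper for Appendix A; example code, not part of the DISA checklist.
# Assumes Windows PowerShell 2.0 or later in an elevated session. The baseline
# tables below are transcribed from A.1, A.2 and A.3; identity strings are the
# well-known account names as Get-Acl reports them.

# Executables listed in A.1 (regedit.exe sits in %SystemRoot%, the rest in System32).
$names = 'arp','at','attrib','cacls','debug','edlin','eventcreate','eventtriggers',
         'ftp','nbtstat','net','net1','netsh','netstat','nslookup','ntbackup','rcp',
         'reg','regedt32','regini','regsvr32','rexec','route','rsh','sc','secedit',
         'subst','systeminfo','telnet','tftp','tlntsvr'
$a1Paths = @("$env:SystemRoot\regedit.exe") +
           @($names | ForEach-Object { "$env:SystemRoot\System32\$_.exe" })

# Baselines: identity -> the maximum rights that identity may hold through Allow entries.
$a1Required = @{ 'BUILTIN\Administrators' = 'FullControl'; 'NT AUTHORITY\SYSTEM' = 'FullControl' }
$a3Standard = @{ 'BUILTIN\Administrators' = 'FullControl';    'NT AUTHORITY\SYSTEM'      = 'FullControl'
                 'NT AUTHORITY\BATCH'     = 'ReadAndExecute'; 'NT AUTHORITY\INTERACTIVE' = 'ReadAndExecute'
                 'NT AUTHORITY\SERVICE'   = 'ReadAndExecute' }
$a3Inherited = @{ 'BUILTIN\Administrators' = 'FullControl'; 'NT AUTHORITY\SYSTEM' = 'FullControl'
                  'NT AUTHORITY\Authenticated Users' = 'ReadAndExecute'; 'BUILTIN\Server Operators' = 'Modify' }
# A.2 winreg key. read(QENR) = Query Value, Enumerate Subkeys, Notify, Read Control,
# which .NET exposes as RegistryRights.ReadKey. On domain controllers and Exchange
# servers add 'Exchange Enterprise Servers' = 'FullControl' as A.2 permits.
$winregPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$winregRequired = @{ 'BUILTIN\Administrators' = 'FullControl'; 'BUILTIN\Backup Operators' = 'ReadKey'
                     'NT AUTHORITY\LOCAL SERVICE' = 'ReadKey' }

function Compare-AclToBaseline {
    param([string]$Path, [hashtable]$Baseline)
    $findings = @()
    if (-not (Test-Path -Path $Path)) { $findings += "$Path : not present, skipped"; return ,$findings }
    $acl = Get-Acl -Path $Path
    if ($acl -is [System.Security.AccessControl.RegistrySecurity]) {
        $rightsProp = 'RegistryRights'; $rightsType = [System.Security.AccessControl.RegistryRights]
        $ignore = 0
    } else {
        $rightsProp = 'FileSystemRights'; $rightsType = [System.Security.AccessControl.FileSystemRights]
        # "Read, Execute" on disk is ReadAndExecute plus Synchronize; Synchronize is not a data right, so ignore it.
        $ignore = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    }
    foreach ($ace in $acl.Access) {
        # Deny entries only tighten the posture; the checklist is concerned with extra Allow grants.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if (-not $Baseline.ContainsKey($id)) {
            $findings += "$Path : unexpected Allow entry for $id ($($ace.$rightsProp))"
            continue
        }
        $granted = ([int]$ace.$rightsProp) -band (-bnot $ignore)
        $allowed = [int][System.Enum]::Parse($rightsType, $Baseline[$id])
        # Any bit granted beyond the baseline means the object is less restrictive than the checklist allows.
        if (($granted -band (-bnot $allowed)) -ne 0) {
            $findings += "$Path : $id holds $($ace.$rightsProp), baseline allows $($Baseline[$id])"
        }
    }
    return ,$findings
}

# Assumed flag: $true in a Mixed environment (NT 4 / Win9x / ME present), where the A.1
# ACLs must be configured; $false to spot check the A.3 defaults for loosening.
$mixedEnvironment = $false
$results = @()
foreach ($p in $a1Paths) {
    if ($mixedEnvironment) {
        $baseline = $a1Required
    } elseif ($p -match '\\(regedit|regedt32|tlntsvr)\.exe$') {
        $baseline = $a3Inherited      # these three carry the ACL inherited from %SystemRoot%
    } else {
        $baseline = $a3Standard
    }
    $results += Compare-AclToBaseline -Path $p -Baseline $baseline
}
# A.2 applies in every environment.
$results += Compare-AclToBaseline -Path $winregPath -Baseline $winregRequired
if ($results.Count -eq 0) { 'No deviations from the Appendix A baseline found.' } else { $results }
```

The script only reports grants that exceed the baseline; an object that is more restrictive than the table, which the appendix explicitly permits, produces no finding. Each finding should be compared against the site's documented exceptions before it is recorded.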