Windows 2003 RE: Share permissions question


Lisa

Hi David, I have read every post you and David have posted re permissions
i.e. parent and child inheritance etc. I am not a newbie to the computer world
but definitely not a Tech either:). My question is, my ex boyfriend (who
works in the IT World) set up my computer. When I click properties--->
security---> I have the usual Admin, My name etc, but there is a list so
long, e.g. anonymous user, remote access user, backup operator, etc. All
these have full rights, meaning all the boxes are ticked. Could you please
advise me if I have anything to worry about.
Kind regards
Lisa:)

"David Davis" wrote:

> Are your sharing permissions set to everyone, full control?
> --
> David Davis [MCSE, CCNA, Security +]
>
>
>
> "BrianB" wrote:
>
> > Hello,
> >
> > With the Advanced Security Settings Permissions (Traverse folder, List
> > folder, Read attributes, Read extended attributes, and Read permissions -
> > This folder only) why can't users map to a folder?
> > All inheritable permissions and Replace permission entries are not checked.
> >
> > Users need to map to this folder then choose a sub-folder from a list.
> > Users have Share permissions to use only some of the sub-folders and should
> > not be able to browse or use the sub-folders they do not have other Share
> > permissions to use.
> > Users can map a drive to the sub-folders they have permissions to but we
> > want to map a drive to the main folder so we don't end up mapping multiple
> > drives per user.
> >
> > Thanks
> > BrianB
 
Interesting:

Just using the users that you listed below I would say:

anonymous user - Never give this account full control unless the folder in
question is part of a website that you wish to allow anonymous access; even
then IUSR should be given rights, not anonymous.

remote access user - Unless you are remoting in, you should not need this.

backup operator - If your machine is a member of a domain and you have
someone solely responsible for backups then this account really does not
belong either.

etc. Depends, definitely should not have all.

Bottom line: if you are the only user on the computer, i.e. a standalone
machine not part of a domain, then the only permissions you need on your data
are the group Administrators and your user account. Note that I specified
DATA; there are application folders that require special permissions such as
SYSTEM etc.

My general rule of thumb is that no one gets full control with the exception
of owner and the local / domain admin account.

> these have full rights, meaning all the boxes are ticked

--
David Davis [MCSE, CCNA, Security +]



 
Thanks for your prompt reply and valuable info David. Hmm, now I am a little
worried.
Ex boyfriend b/c he set up computer obv knows my admin rights number. I'm
not sure if this is relevant, whether he can login and check my computer at
anytime.

Pls see below an example, maybe this will help:

C:\Documents and Settings\All Users\Application Data\Microsoft
Properties\Security. Group or user names as follows:
Administrators (with my name and admin numbers)
Everyone
Power Users (my name & admin number)
System
Users (my name & admin number)
All these have every box ticked to 'allow'
Go to advanced ---> Effective Permissions---> Select--->Advanced-->Find
now---> there are about 20 headings here, e.g. the ones I have mentioned above
plus remote interactive login, replicator, remote desktop user, network conf
operator, some guests are marked (with a cross, obv non existent), two other
guest headings (without a cross, meaning they are active?), anonymous logon.
All these have the number of my admin rights next to them. I cannot delete
any of them, because they are inherited from the parent to the child. I'm not
very familiar with this parent and child aspect.

This is typical of most of the files on my computer.

Appreciate your input. Thanks David
Cheers Lisa:)


 
If you are concerned that he may have access and he is an IT professional,
then the only way you can be sure that he will not access is either A: stay
offline or B: back up your data and perform a complete format and re-install.

I would go with option B.

Off of the top of my head I do not know what the appropriate security
settings should be. However, under no circumstances should everyone be given
full control.
--
David Davis [MCSE, CCNA, Security +]
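
A read-only way to check a folder for what the reply above warns against, as an added example that is not part of the original thread: it lists "allow" entries that give Everyone or the other broad built-in groups named in the thread Full Control, and shows whether each entry is inherited. It assumes PowerShell 3.0 or later; the parameter names and the choice of groups to flag are this example's own.

```powershell
# Added example: report broad groups holding Full Control on a folder.
# Read-only: it only calls Get-Acl and changes nothing.
param(
    [string]$Path = '.',   # folder to audit (assumption: your own data folder)
    [switch]$Recurse       # also check every file and folder underneath
)

# Well-known SIDs for the broad principals mentioned in the thread. Matching
# on SIDs instead of display names also works on non-English Windows.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'ANONYMOUS LOGON'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-14'     = 'REMOTE INTERACTIVE LOGON'
    'S-1-5-32-545' = 'Users'
    'S-1-5-32-546' = 'Guests'
    'S-1-5-32-547' = 'Power Users'
    'S-1-5-32-551' = 'Backup Operators'
    'S-1-5-32-552' = 'Replicator'
    'S-1-5-32-555' = 'Remote Desktop Users'
    'S-1-5-32-556' = 'Network Configuration Operators'
}

$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$GenericAll  = 0x10000000   # GENERIC_ALL, stored raw on some inherit-only entries

function Test-FullControl($Ace) {
    # True when the entry grants every Full Control bit, or GENERIC_ALL.
    $rights = [int]$Ace.FileSystemRights
    (($rights -band $FullControl) -eq $FullControl) -or
        (($rights -band $GenericAll) -ne 0)
}

$items = @(Get-Item -LiteralPath $Path -Force)
if ($Recurse) {
    $items += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
}

$sidType = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($item in $items) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL: $($item.FullName)"
        continue
    }
    # Explicit and inherited entries, with the trustee returned as a SID.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadSids.ContainsKey($sid) -and
            (Test-FullControl $ace)) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $BroadSids[$sid]
                Inherited = $ace.IsInherited
                AppliesTo = $ace.InheritanceFlags
            }
        }
    }
}

$findings | Sort-Object Path, Principal | Format-Table -AutoSize
```

Rows with Inherited set to True cannot be removed on the item itself; the entry has to be changed on the parent folder it is inherited from.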



 
Thank you again David for your info. I thought my only option would be to
reformat. Will do so as soon as I have backed up. Sincerely appreciate your
input. Have a great day
From a lady downunder:)

 
No problem.
--
David Davis [MCSE, CCNA, Security +]


