[THIN] Re: System Folder Permissions

Hi Andrew,
 
As you've already found out, in relaxed security mode all users gain the 
"terminal server user" security descriptor and inherit any enhanced access 
rights held by the terminal server user. I believe the server will need a 
reboot to implement the changed security mode.
 
Server 2003 is a lot more selective with regard to the terminal server user 
than Windows 2000, but the terminal server user still has write access to 
%program files% and some registry keys such as HKLM\Software\ODBC etc, though 
unlike 2000, the terminal server user no longer has setvalue and create subkey 
rights to all of HKCR.
 
That meant some things on 2003 will break that previously ran on 2000 but 
that's life.
 
reglistacl (from the old non-payware version of the NTSEC package) will give 
you a list of the registry ACLs so you can find out exactly where relaxed 
security will open things up.
 
regards,
 
Rick
 
Ulrich Mack
Volante Systems
 
 
 

________________________________

From: thin-bounce@xxxxxxxxxxxxx on behalf of Dogers
Sent: Sun 2/01/2005 10:44 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: System Folder Permissions



On Sat, 1 Jan 2005 09:51:51 +1000, Rick Mack <Rick.Mack@xxxxxxxxxxxxxx> wrote:

> 2003 is actually quite secure provided you didn't select the NT 4 
> compatibility mode (relaxed security). This adds users to the terminal server 
> users group, which has full access, as you've found, to critical file and 
> registry areas.
>
> Of course if you select full security you'll have a bit of work either 
> deprotecting some file/registry areas selectively for particular 
> applications, or on the registry side, using per-user file associations. But 
> it's worth it for a secure system.

Ahh yes, forgot about that setting :o
Seems the guys that set up the machine have put it on relaxed.. From
what I've read, it's perfectly safe to change it on the fly (although
I'd guess that no users could be a benefit :) )..? And then I presume
it's just a case of checking the apps and modding permissions, as
necessary.

Do you know what/where it actually modifies? MS site just says "files
and directories on the file system" and "keys in the registry" !!

Andrew
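
The registry ACL audit suggested in the reply above, sketched in PowerShell as an added example (it is not from the thread and does not use reglistacl). It lists keys where the TERMINAL SERVER USER identity (well-known SID S-1-5-13) holds write-type rights; the starting paths and the depth limit are assumptions, and `-Depth` needs PowerShell 5 or later.

```powershell
# Added example, not part of the original thread.
# TSUserEnabled = 1 means logons receive the TERMINAL SERVER USER SID (relaxed mode).
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$mode  = (Get-ItemProperty -LiteralPath $tsKey -ErrorAction SilentlyContinue).TSUserEnabled
"TSUserEnabled = $mode"

$tsUserSid = 'S-1-5-13'   # NT AUTHORITY\TERMINAL SERVER USER
# Rights that let a caller change a key rather than just read it.
$writeMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry raw GENERIC_ALL / GENERIC_WRITE bits instead.
$genericMask = 0x10000000 -bor 0x40000000

function Get-TsUserWritableKey {
    param(
        [string[]]$Path,      # registry roots to walk (assumed starting points)
        [int]$Depth = 2       # keeps the walk short on large hives
    )
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            # Keys we cannot read are skipped rather than aborting the audit.
            try { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop } catch { continue }
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($rule in $rules) {
                if ($rule.IdentityReference.Value -ne $tsUserSid) { continue }
                if ($rule.AccessControlType -ne 'Allow') { continue }
                $raw = [int]$rule.RegistryRights
                if (($rule.RegistryRights -band $writeMask) -or ($raw -band $genericMask)) {
                    [pscustomobject]@{
                        Key       = $key.Name
                        Rights    = $rule.RegistryRights
                        Inherited = $rule.IsInherited
                    }
                }
            }
        }
    }
}

# The thread names HKLM\Software\ODBC and HKCR; HKLM:\SOFTWARE\Classes is the machine half of HKCR.
Get-TsUserWritableKey -Path 'HKLM:\SOFTWARE\ODBC', 'HKLM:\SOFTWARE\Classes' -Depth 1 |
    Sort-Object Key | Format-Table -AutoSize
```

Run it from an elevated session so that ACLs on protected keys can be read; each row is a key that becomes writable to ordinary users once relaxed security adds them to the group.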