What are the recommended file permissions for %systemroot% in Windows 8.1? I couldn't find hardened file system permissions to apply to better secure a Windows installation.
Leave them as they are? Honestly, if you don't know what you're doing, you shouldn't touch this, and if you know what you're doing, you shouldn't need to ask. In such a case, better trust the OS authors to know what they are doing (and, surprisingly, in this case, they do). – Stephane Jun 10 '15 at 09:44
2 Answers
No such thing
I don't think that there is an official, Microsoft-supported way of doing this.
Here's an MS blog post that urges users to only use official hardening methods (namely Security Compliance Manager and Security Configuration Wizard). (And AFAIK even those two don't touch the NTFS ACLs at all.)
- Microsoft TechNet, Premier Field Engineering (PFE) blog, 2014-05-29, Why you should avoid manual ‘server hardening’ (Archived here.)
The security baseline for Windows Server 2012 R2 also mentions nothing about NTFS ACLs. So I guess you shouldn't touch them.
- Microsoft TechNet, Microsoft Security Guidance blog, 2014-08-16, What's New in Recommended Security Baseline Settings for Windows 8.1, Windows Server 2012 R2, and Internet Explorer 11 (Archived here.)
Short answer: don't touch these.
Long answer:
Setting an ACL, ANY ACL in ANY file system, is a security decision that involves trade-offs. In order to decide what the "correct" ACL to use is, you need to consider what the use of the protected objects will be. This means you need to consider either a typical usage (for "default" ACLs) or a specific case (in which case the answer will only be valid for that specific case).
Now, modern OSs are almost all hardened by default for their standard use case: the ACLs selected by the OS authors have been designed and tested to fit the majority of use cases. Unless you KNOW that you don't fit these use cases and can precisely describe how you differ from the norm, you cannot design a more efficient ACL strategy properly.
This means that either you know exactly what you need hardened and why, and are ready to test it yourself (in which case you don't need to ask such a general question because it won't apply to anyone but you), or you don't know and you should leave the defaults as they were, because the people who designed them have a better understanding of the requirements than you do.