2
I want to prevent Standard Users and Guests from creating additional folders and files on the C: partition in Windows 7. Therefore, is it safe to remove permissions for Authenticated Users group from the C: partition in Windows 7? Such permissions are enabled by default. I guess, that mentioned permissions are there not without reason, so what feature or service depends on permissions I want to remove?
2
No.
You can do this, but you need to edit all subfolders on the root first, edit their permissions, go to advanced, and uncheck inherit rights from parent. In the next dialog select Copy, to copy the rights.
If you don't do the above, you not only change the rights on the root folder, but all subsequent folders too. Folders created by windows will already have set these rights, but folders created since install by the user or an installer will not.
Please note that some programs rely on writing to the root and may stop working. So extensive testing is required before making this a permanent solution.
LPChip
Posted 2014-08-09T12:03:40.370
Reputation: 42 190
0
Coming from a Windows 8.1-10 SOE at my previous job, having skipped Windows 7 and long since been on 8.1 or newer, I was horrified to see the default permissions allowed normal users to create folders in C willy nilly.
This is possible, as per the forum post by Darin S here.
First remove all ACL's from the root of C: for Authenticated Users-
icacls.exe c:\ /remove:g "Authenticated Users"
Then restore the downlevel inheritance permissions for folders below the root of C-
cacls.exe c:\ /grant:r "Authenticated Users":(IO)(CI)(OI)(M)
Worked fine for my on my own test machine. Obviously test it thoroughly before deploying it at any scale.
Daniel.S
Posted 2014-08-09T12:03:40.370
Reputation: 111
I think it'd be easier to restrict access for each individual user. You could deny the Write, Modify and Full Control to the users you wish to restrict. Bu default, the Guest account doesn't have Write access to C: – Vinayak – 2014-08-09T12:17:14.877
You may check the effective access of each user by using the Effective Access tab of Advanced Security Settings (available when you click the 'Advanced' button in the Security tab of a folder's properties window) – Vinayak – 2014-08-09T12:19:09.693
@Vinayak you should never use a Deny right over an access right unless you really have to. Given that some folders inherit permissions deeper, you are basically suggesting to limit most of the system. – LPChip – 2014-08-09T12:23:10.920
@LPChip Thanks! I just remembered that I tried something like this a while ago and it did cause a few problems. I also remembered that the best way I could restrict access to stuff was by using Faronics WinSelect. However, the software isn't free though.
– Vinayak – 2014-08-09T12:28:07.917