NTFS: Deny all permissions for all files, except where explicitly added

Posted by Simon on Server Fault
Published on 2012-09-14T23:05:07Z Indexed on 2012/09/15 3:39 UTC

I'm running a sandboxed application as a local user. I now want to deny almost all file system permissions for this user to secure the system, except for a few working folders and some system DLLs (I'll call this set of files & directories X below).

The sandbox user is not in any group. So it shouldn't have any permissions, right? Wrong, because all "Authenticated Users" are members of the local "Users" group, and that group has access to almost everything.

  • I thought about recursively adding deny ACL entries to all files and directories and removing them manually from X. But this seems excessive.

  • I also thought about removing "Authenticated Users" from the "Users" group. But I'm afraid of unintended side-effects. It's likely that other things rely on this. Is this correct?

Are there better ways to do this? How would you limit the filesystem permissions of a (very) non-trustworthy account?

© Server Fault or respective owner
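An added example, not from the question or any answer on it: a PowerShell script that first audits which top-level directories grant Allow rights to the identities every local account carries implicitly (the "Users" and "Authenticated Users" groups, Everyone, INTERACTIVE), and then applies the first approach from the question, an inherited Deny ACE for the sandbox account on every directory outside the allowed set X. The account name, root and allowlist are placeholders; it assumes an elevated PowerShell 3.0 or later session.

```powershell
# Added example (not the original post's code). Placeholders to replace:
$SandboxUser = 'SANDBOXHOST\sandboxuser'                    # hypothetical account
$Root        = 'C:\'                                        # hypothetical root
$X           = @('C:\SandboxWork', 'C:\Windows\System32')   # allowed set X
# Identities a logged-on local account holds even when it is in no group.
$Implicit    = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'Everyone', 'NT AUTHORITY\INTERACTIVE', $SandboxUser)

function Get-ImplicitAccess {
    # Lists directories directly under $Path whose ACL grants Allow rights
    # to one of the implicit identities, i.e. what the sandbox user reaches
    # without any explicit grant.
    param([string]$Path)
    foreach ($dir in Get-ChildItem -LiteralPath $Path -Directory -Force -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $Implicit -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{ Path     = $dir.FullName
                                   Identity = $ace.IdentityReference.Value
                                   Rights   = $ace.FileSystemRights }
            }
        }
    }
}

function Add-SandboxDeny {
    # Adds an inheritable Deny(FullControl) ACE for $Account to one directory,
    # skipping members of X. Windows evaluates explicit ACEs before inherited
    # ones, so a member of X nested below a denied directory (System32 under
    # Windows here) still needs an explicit Allow ACE of its own.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path, [string]$Account)
    if ($X -contains $Path.TrimEnd('\')) { return }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
    if ($PSCmdlet.ShouldProcess($Path, "Deny FullControl to $Account")) {
        $acl = Get-Acl -LiteralPath $Path
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

Get-ImplicitAccess -Path $Root | Format-Table -AutoSize
# Dry run: shows each directory that would receive the Deny ACE.
foreach ($d in Get-ChildItem -LiteralPath $Root -Directory -Force) {
    Add-SandboxDeny -Path $d.FullName -Account $SandboxUser -WhatIf
}
```

Drop `-WhatIf` only after the dry-run list matches the intended set; a Deny that reaches system directories outside X breaks the sandboxed process at load time, which is why the audit comes first.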
