NTFS: Deny all permissions for all files, except where explicitly added
Posted by Simon on Server Fault
Published on 2012-09-14T23:05:07Z
I'm running a sandboxed application as a local user. I now want to deny almost all file system permissions for this user to secure the system, except for a few working folders and some system DLLs (I'll call this set of files & directories X below).
The sandbox user is not in any group. So it shouldn't have any permissions, right? Wrong, because all "Authenticated Users" are members of the local "Users" group, and that group has access to almost everything.
I thought about recursively adding deny ACL-entries to all files and directories and removing them manually from X. But this seems excessive.
I also thought about removing "Authenticated Users" from the "Users" group. But I'm afraid of unintended side-effects. It's likely that other things rely on this. Is this correct?
Are there better ways to do this? How would you limit the filesystem permissions of a (very) non-trustworthy account?