NTFS: Deny all permissions for all files, except where explicitly added
- by Simon
I'm running a sandboxed application as a local user. I now want to deny almost all file system permissions for this user to secure the system, except for a few working folders and some system DLLs (I'll call this set of files & directories X below).
The sandbox user is not in any group. So it shouldn't have any permissions, right? Wrong, because all "Authenticated Users" are a member of the local "Users" group, and that group has access to almost everything.
I thought about recursively adding deny ACL-entries to all files and directories and remove them manually from X. But this seems excessive.
I also thought about removing "Authenticated Users" from the "Users" group. But I'm afraid of unintended side-effects. It's likely that other things rely on this. Is this correct?
Are there better ways to do this? How would you limit the filesystem permissions of a (very) non-trustworthy account?