《WIN2K Checklist v2111 - Appendix A MSE安全攻防资料.doc》由会员分享,可在线阅读,更多相关《WIN2K Checklist v2111 - Appendix A MSE安全攻防资料.doc(14页珍藏版)》请在金锄头文库上搜索。
1、UNCLASSIFIED Windows 2000 Security Checklist 2.1.11Field Security OperationsAppendix ADefense Information Systems AgencyA OBJECT PERMISSIONSThis appendix details the minimum required privileges assigned to the ACLs of Windows 2000 file and registry objects. Discrepancies may occur if either of the t
2、wo following conditions are true: The objects security posture is more restrictive than specified in this document. The objects security posture is configured in direct support of the systems mission.Note: If an ACL setting prevents a sites applications from performing properly, the site can modify
3、that specific setting. Settings should only be changed to the minimum necessary for the application to function. Each exception to the recommended settings should be documented and kept on file by the ISSO. AOBJECT PERMISSIONSA-1A.1File and Directory PermissionsA-3A.1.1Boot PartitionA-4A.1.2System P
4、artitionA-5A.1.3MQSeries (if installed)A-9A.2Registry Key PermissionsA-10A.2.1Hive “HKEY_LOCAL_MACHINE”A-10A.2.2Hive “HKEY_USERS”A-14A.2.3Hive “HKEY_CLASSES_ROOT”A-14_A-2UNCLASSIFIED This page is intentionally left blank.UNCLASSIFIED Windows 2000 Security Checklist 2.1.11 Field Security OperationsAp
5、pendix ADefense Information Systems AgencyA.1 File and Directory PermissionsThe following notation will be used throughout this chapter:%SystemDrive% - the drive letter on which Windows 2000 is installed, e.g. C:%SystemRoot% - the folder in which Windows 2000 is installed, e.g. C:winnt%SystemDirecto
6、ry% - %SystemRoot%system32, e.g. C:winntsystem32Note: for Domain Controllers all references to the Users group should be changed to the Authenticated Users group.Note: Some applications may require file or directory permissions that differ from the recommended settings. This generally applies to sub
7、directories and files that the application creates. Applications should not have modified permissions to the root directory of the %SystemDrive%, or the %SystemRoot% (and its subdirectories).A.1.1 Boot PartitionObject NameAccount AssignmentDirectoryPermission%SystemDrive%Folder, subfolders, and file
8、sAdministratorsCREATOR OWNER (subfolders & files)SYSTEMUsersallallallRX%SystemDrive%AUTOEXEC.BATAdministratorsUsersSYSTEMallR Xall%SystemDrive%BOOT.INIAdministratorsSYSTEMallall%SystemDrive%CONFIG.SYSAdministratorsUsersSYSTEMallR Xall%SystemDrive%IO.SYSAdministratorsUsersSYSTEMallR Xall%SystemDrive%
9、MSDOS.SYSAdministratorsUsersSYSTEMallR Xall%SystemDrive%NTBOOTDD.SYSAdministratorsSYSTEMallall%SystemDrive%NTDETECT.COMAdministratorsSYSTEMallall%SystemDrive%NTLDRAdministratorsSYSTEMallallA.1.2 System PartitionObject NameAccount AssignmentPermission%SystemDrive%Documents and Settings(Dont reset per
10、missions on subfolders and files)AdministratorsSYSTEMUsersallallR X%SystemDrive%Documents and SettingsAdministrator (or profile of renamed account)AdministratorsSYSTEMallall%SystemDrive%Documents and SettingsAll UsersAdministratorsSYSTEMUsersallallRX%SystemDrive%Documents and SettingsAll UsersDocume
11、ntsDrWatsonAdministratorsCREATOR OWNER (subfolders & files)SYSTEMUsersUsersallallallTraverse Folder, Create files, Create folders(subfolders & files)R X %SystemDrive%Documents and SettingsAll UsersDocumentsDrWatsondrwtsn32.logAdministratorsCREATOR OWNER SYSTEMUsersallallallRWXD%SystemDrive%Documents
12、 and SettingsDefault UserAdministratorsSYSTEMUsersallallRX%SystemDrive%My Download FilesAdministratorsCREATOR OWNER (subfolders & files)SYSTEMUsersallallallRWX%SystemDrive%Program FilesAdministratorsUsersCREATOR OWNER (subfolders & files)SYSTEMallRWXallall%SystemDrive%Program FilesResource Kit (Serv
13、ers and Domain Controllers)%SystemDrive%Program FilesResource Pro Kit (Workstations)AdministratorsSYSTEMallall%SystemDrive%TempAdministratorsCREATOR OWNER (subfolders & files)SYSTEMUsersallallallTraverse folder, Create files, Create folders(folders & subfolders)%SystemRoot% AdministratorsCREATOR OWN
14、ER (subfolders & files)SYSTEMUsersallallallRX%SystemRoot%regedit.exeAdministratorsSYSTEMallall%SystemRoot%$NtServicePackUninstall$AdministratorsSYSTEMallall%SystemRoot%$NtUninstall* (all uninstall folders)AdministratorsSYSTEMallall%SystemRoot%CSCAdministratorsSYSTEMallall%SystemRoot%debugAdministratorsCREATOR OWNER (subfolders & files)SYSTEMUsersalla
