Setting up Security on Files and Folders

john

Aug 25, 2003
Archived from groups: microsoft.public.win2000.security

I am trying to set up Security on Files and Folders on the WINNT folder and beneath that, and also on the system root files like Autoexec.bat, boot.ini, ntldr, config.sys, etc.

Scenario:

I want to change the permissions on the BOOT.INI file from the existing EVERYONE group, which has FULL PERMISSIONS, to READ permissions. (Even though this is an NT server, after installing MMC the permission settings look like those for Windows 2000, so that is the reason I am posting it in this group.)

I want to change this to have SPECIAL PERMISSION as READ and not RX. So, when I do change it to READ, it does not show as SPECIAL PERMISSION under the PERMISSIONS tab in the ADVANCED option under the Security tab.

When I click on the VIEW/EDIT option, I see the following options under Permissions Enabled:

List folder/Read data - Enabled
Read Attributes - Enabled
Read Extended Attributes - Enabled
Read permissions - Enabled
Synchronize - Enabled

My question is: is this setting correct, where I have taken off all the permissions under the main permissions window to have only READ Special access? (Again, it is not RX.)
 

john

Aug 25, 2003

"John" wrote:

> I am trying to set up Security on Files and Folders on the WINNT folder and beneath that, and also on the system root files like Autoexec.bat, boot.ini, ntldr, config.sys, etc.
>
> Scenario:
>
> I want to change the permissions on the BOOT.INI file from the existing EVERYONE group, which has FULL PERMISSIONS, to READ permissions. (Even though this is an NT server, after installing MMC the permission settings look like those for Windows 2000, so that is the reason I am posting it in this group.)
>
> I want to change this to have SPECIAL PERMISSION as READ and not RX. So, when I do change it to READ, it does not show as SPECIAL PERMISSION under the PERMISSIONS tab in the ADVANCED option under the Security tab.
>
> When I click on the VIEW/EDIT option, I see the following options under Permissions Enabled:
>
> List folder/Read data - Enabled
> Read Attributes - Enabled
> Read Extended Attributes - Enabled
> Read permissions - Enabled
> Synchronize - Enabled
>
> My question is: is this setting correct, where I have taken off all the permissions under the main permissions window to have only READ Special access? (Again, it is not RX.)

Adding more info to this - I forgot to add one more thing, which was my main reason for posting it here. If the EVERYONE/USER group has READ permission on this boot.ini file, and the server is rebooted, will the server come up? Because I am afraid it may not come up if it has only READ permission. To be cautious, what I am trying to do is to add the Domain admin account to this. Also, this is a BDC.

I want to make sure I am doing the right thing: should I also add the SYSTEM account to these boot.ini, config.sys, ntldr, and ntdetect.com files? I am kind of reluctant, as the security policy determined for these files is to remove the EVERYONE/USER group's full permissions and give only RX or Special Access READ and List on some of the folders and files.