Technet Magazine – Security Principals and Subjects, January 2009

Well written article. Of particular interest to me…

“… Logon Groups are groups that represent some dynamic aspect of a security principal, such as how a user or other security principal has logged on…
… You can use these groups to grant permissions to all users logging on a certain way, but you cannot control who becomes a member of those groups…
… There are other groups of this nature, as well. Of particular note are the Everyone group and the Authenticated Users group. The Everyone group includes, as the name implies, every user accessing this computer—with the exception that, starting with Windows XP, completely anonymous, unauthenticated users are not included. In other words, the infamous NULL user is not included in Everyone on any supported Windows-based operating system. Guests are included, though.

The Authenticated Users group, while also populated dynamically, includes only those users that are actually authenticated. Thus, guests are not included in Authenticated Users. That is the only difference between these two groups. But since the only guest account that exists on the operating system is disabled, there is no functional difference between Authenticated Users and Everyone unless you have taken manual steps to enable the Guest account, in which case, presumably, you want Guests to be able to access resources, and therefore need the Everyone group intact.
In spite of this, many administrators have lost many hours of sleep over the fact that “everyone in the world has permissions on my server” and have taken very drastic steps to modify permissions to rectify this situation. Typically these modifications have completely disastrous results. You have no reason whatsoever to try to replace permissions for Everyone with Authenticated Users. Either you want guests to have permissions to your computer and you enable the guest account, or you do not and you leave the guest account disabled. If you do want guests to have permissions, you need the permissions for Everyone. If you do not, the Everyone group will not be any different from Authenticated Users.
Some people argue that making these changes are “defense-in-depth” changes. That would be true if you define “defense-in-depth” as “changes you cannot justify any other way.” The fact is that such modifications provide little or no security improvement while carrying a very large risk. Leave the defaults alone.
If that argument was not persuasive enough, I direct you to Microsoft Knowledge Base article 885409 (“Security configuration guidance support”). It states, in a nutshell, that wholesale permissions replacement can void your support contract. When you do that, you basically build your own operating system and Microsoft can no longer guarantee that it works.
It is also worth pointing out the difference between Users, which is a built-in group, and Authenticated Users. The difference is the rather obvious fact that Authenticated Users includes every user that has authenticated to the computer, including users in different domains, users that are members of local groups other than Users, and users that are not members of any groups at all (yes, such a thing is possible). This means the Users group is far, far more restrictive than Authenticated Users.
In spite of this fact, I have seen organizations destroy their networks attempting to replace permissions for Users with permissions for Authenticated Users in an attempt to “harden their systems.” I have argued endlessly with clueless PCI/DSS Auditors who claim that the payment card industry requires you to replace all permissions for Users with Authenticated Users. This simply is not true.
I have also defended organizations around the world from consultants who seem to view wholesale access control list (ACL) replacement as a great way to rack up billable hours. Needless to say, you can expect any attempts to do wholesale replacement of Users or Everyone with Authenticated Users to be largely unsuccessful with respect to both security and stability.”
Very interesting. While I never attempted to make “wholesale” changes, I did routinely replace Everyone with Authenticated Users when setting up shares. Won’t waste my time, now.
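
The quoted argument comes down to two facts you can check on a host: whether the built-in Guest account is enabled, and which shares grant access to Everyone or Authenticated Users. The following read-only audit is an added example, not code from the TechNet article. It assumes Windows PowerShell 5.1 or later on a workstation or member server (the LocalAccounts and SmbShare modules), and it inspects share permissions only, not NTFS ACLs.

```powershell
# Added example: read-only check, changes nothing on the system.
# Well-known SIDs are fixed by Windows: Everyone = S-1-1-0, Authenticated Users = S-1-5-11.
$everyoneSid  = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$authUsersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'

# Resolve the SIDs to account names so the comparison also works on localized systems.
$everyoneName  = $everyoneSid.Translate([System.Security.Principal.NTAccount]).Value
$authUsersName = $authUsersSid.Translate([System.Security.Principal.NTAccount]).Value

# The built-in Guest account always has RID 501, even if it has been renamed.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.*-501$' }
$guestEnabled = [bool]($guest -and $guest.Enabled)

"Built-in Guest account enabled: $guestEnabled"
if (-not $guestEnabled) {
    "Guest is disabled, so Everyone and Authenticated Users resolve to the same set of users here."
}

# List share permissions that name either group (administrative shares skipped).
Get-SmbShare -Special $false |
    ForEach-Object { Get-SmbShareAccess -Name $_.Name } |
    Where-Object { $_.AccountName -in $everyoneName, $authUsersName } |
    Select-Object Name, AccountName, AccessControlType, AccessRight,
        @{ Name = 'GuestReachable'
           Expression = {
               # Only an Allow entry for Everyone matters, and only when Guest is enabled.
               $guestEnabled -and
               $_.AccountName -eq $everyoneName -and
               $_.AccessControlType -eq 'Allow'
           } } |
    Format-Table -AutoSize
```

A `GuestReachable` value of `True` marks the only entries where swapping Everyone for Authenticated Users would change who gets access at the share level.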
