Guest Lisa Posted August 22, 2007 Posted August 22, 2007 RE: Share permissions question Hi David, I have read every post you and David have posted re permissions i.e. parent and child inherient etc. I am not a newbie to the computer world but definitely not a Tech either:). My question is, my ex boyfriend (who works in the IT World) set up my computer. When I click properties---> security---> I have the usually Admin, My name etc, but there is a list so long, e.g. anonmyous user, remote access user, backup operator, etc. All these have full rights, meaning all the boxes are ticked. Could you please advise me if I have anything to worry about. Kind regards Lisa:) "David Davis" wrote: > Are your sharing permissions set to everyone, full control? > -- > David Davis [MCSE, CCNA, Security +] > > > > "BrianB" wrote: > > > Hello, > > > > With the Advanced Security Settings Permissions (Traverse folder, List > > folder, Read attributes, Read extended attributes, and Read permissions - > > This folder only) why can't users map to a folder? > > All inheritable permissions and Replace permission entries are not checked. > > > > Users need to map to this folder then choose a sub-folder from a list. > > Users have Share permissions to use only some of the sub-folders and should > > not be able to browse or use the sub-folders they do not have other Share > > permissions to use. > > Users can map a drive to the sub-folders they have permissions to but we > > want to map a drive to the main folder so we don't end up mapping multiple > > drives per user. > > > > Thanks > > BrianB
Guest David Davis Posted August 22, 2007 Posted August 22, 2007 RE: Share permissions question RE: Share permissions question Interesting: Just using the users that you listed below I would say: anonmyous user - Never give this account full control unless the folder in question is part of a website that you wish to allow anonmyous access, even then IUSR should be given rights not anonmyous. remote access user - Unless you are remoting in, you should not need this. backup operator - If your machine is a member of a domain and you have someone soley responsible for backups then this account really does not belong either. etc. Depends, definately should not have all. Bottom line if you are the only user on the computer i.e. standaolone machine not part of a domain, then the only permissions you need on your data is the group Administrators, and your user account. Note that I specified DATA, there are application folders that require special permissions such as SYSTEM etc. My general rule of thumb is that no one get full control with the exception of owner and the local / domain admin account. > these have full rights, meaning all the boxes are ticked -- David Davis [MCSE, CCNA, Security +] "Lisa" wrote: > Hi David, I have read every post you and David have posted re permissions > i.e. parent and child inherient etc. I am not a newbie to the computer world > but definitely not a Tech either:). My question is, my ex boyfriend (who > works in the IT World) set up my computer. When I click properties---> > security---> I have the usually Admin, My name etc, but there is a list so > long, e.g. anonmyous user, remote access user, backup operator, etc. All > these have full rights, meaning all the boxes are ticked. Could you please > advise me if I have anything to worry about. > Kind regards > Lisa:) > > "David Davis" wrote: > > > Are your sharing permissions set to everyone, full control? > > -- > > David Davis [MCSE, CCNA, Security +] > > > > > > > > "BrianB" wrote: > > > > > Hello, > > > > > > With the Advanced Security Settings Permissions (Traverse folder, List > > > folder, Read attributes, Read extended attributes, and Read permissions - > > > This folder only) why can't users map to a folder? > > > All inheritable permissions and Replace permission entries are not checked. > > > > > > Users need to map to this folder then choose a sub-folder from a list. > > > Users have Share permissions to use only some of the sub-folders and should > > > not be able to browse or use the sub-folders they do not have other Share > > > permissions to use. > > > Users can map a drive to the sub-folders they have permissions to but we > > > want to map a drive to the main folder so we don't end up mapping multiple > > > drives per user. > > > > > > Thanks > > > BrianB
Guest Lisa Posted August 22, 2007 Posted August 22, 2007 RE: Share permissions question RE: Share permissions question Thanks for your prompt reply and valuable info David. Hmm, now I am a little worried. Ex boyfriend b/c he set up computer obv knows my admin rights number. Im note sure if this is relevant, whether he can login and check my computer at anytime. Pls see below an example maybe this will help: C:\Documents and Settings\All Users\Application Data\Microsoft Properties\Security. Group or user names as follows: Administrators (with my name and admin numbers) Everyone Power Users (my name & admin number) System Users (my name & admin number) All these have every box ticked to 'allow' Go to advanced ---> Effective Permissions---> Select--->Advanced-->Find now---> there is about 20 heading here e.g.the ones I have mentioned above plus remote interactive login, replicator,remote desktop user, network conf operator, some guests are marked (with a cross, obv non existent) two other guest headings (without a cross, meaning they are active?),anonymous logon. All these have the number of my admin rights next to them. I cannot delete any of them, because they are inherient from the parent to the child. Im not very familiar with this parent and child aspect. This is typical of most of the files on my computer. Appreciate your input. Thanks David Cheers Lisa:) "David Davis" wrote: > Interesting: > > Just using the users that you listed below I would say: > > anonmyous user - Never give this account full control unless the folder in > question is part of a website that you wish to allow anonmyous access, even > then IUSR should be given rights not anonmyous. > > remote access user - Unless you are remoting in, you should not need this. > > backup operator - If your machine is a member of a domain and you have > someone soley responsible for backups then this account really does not > belong either. > > etc. Depends, definately should not have all. > > Bottom line if you are the only user on the computer i.e. standaolone > machine not part of a domain, then the only permissions you need on your data > is the group Administrators, and your user account. Note that I specified > DATA, there are application folders that require special permissions such as > SYSTEM etc. > > My general rule of thumb is that no one get full control with the exception > of owner and the local / domain admin account. > > > these have full rights, meaning all the boxes are ticked > -- > David Davis [MCSE, CCNA, Security +] > > > > "Lisa" wrote: > > > Hi David, I have read every post you and David have posted re permissions > > i.e. parent and child inherient etc. I am not a newbie to the computer world > > but definitely not a Tech either:). My question is, my ex boyfriend (who > > works in the IT World) set up my computer. When I click properties---> > > security---> I have the usually Admin, My name etc, but there is a list so > > long, e.g. anonmyous user, remote access user, backup operator, etc. All > > these have full rights, meaning all the boxes are ticked. Could you please > > advise me if I have anything to worry about. > > Kind regards > > Lisa:) > > > > "David Davis" wrote: > > > > > Are your sharing permissions set to everyone, full control? > > > -- > > > David Davis [MCSE, CCNA, Security +] > > > > > > > > > > > > "BrianB" wrote: > > > > > > > Hello, > > > > > > > > With the Advanced Security Settings Permissions (Traverse folder, List > > > > folder, Read attributes, Read extended attributes, and Read permissions - > > > > This folder only) why can't users map to a folder? > > > > All inheritable permissions and Replace permission entries are not checked. > > > > > > > > Users need to map to this folder then choose a sub-folder from a list. > > > > Users have Share permissions to use only some of the sub-folders and should > > > > not be able to browse or use the sub-folders they do not have other Share > > > > permissions to use. > > > > Users can map a drive to the sub-folders they have permissions to but we > > > > want to map a drive to the main folder so we don't end up mapping multiple > > > > drives per user. > > > > > > > > Thanks > > > > BrianB
Guest David Davis Posted August 22, 2007 Posted August 22, 2007 RE: Share permissions question RE: Share permissions question If you are concerned that he may have access and he is a IT professional, then the only way you can be sure that he will not access is either A: stay offline or B: backup your data and perform a complete format and re-install. I would go with option B. Off of the top of my head I do not know what the appropriate security settings should be. However under no circumstances shoulf everyone be given full control. -- David Davis [MCSE, CCNA, Security +] "Lisa" wrote: > Thanks for your prompt reply and valuable info David. Hmm, now I am a little > worried. > Ex boyfriend b/c he set up computer obv knows my admin rights number. Im > note sure if this is relevant, whether he can login and check my computer at > anytime. > > Pls see below an example maybe this will help: > > C:\Documents and Settings\All Users\Application Data\Microsoft > Properties\Security. Group or user names as follows: > Administrators (with my name and admin numbers) > Everyone > Power Users (my name & admin number) > System > Users (my name & admin number) > All these have every box ticked to 'allow' > Go to advanced ---> Effective Permissions---> Select--->Advanced-->Find > now---> there is about 20 heading here e.g.the ones I have mentioned above > plus remote interactive login, replicator,remote desktop user, network conf > operator, some guests are marked (with a cross, obv non existent) two other > guest headings (without a cross, meaning they are active?),anonymous logon. > All these have the number of my admin rights next to them. I cannot delete > any of them, because they are inherient from the parent to the child. Im not > very familiar with this parent and child aspect. > > This is typical of most of the files on my computer. > > Appreciate your input. Thanks David > Cheers Lisa:) > > > "David Davis" wrote: > > > Interesting: > > > > Just using the users that you listed below I would say: > > > > anonmyous user - Never give this account full control unless the folder in > > question is part of a website that you wish to allow anonmyous access, even > > then IUSR should be given rights not anonmyous. > > > > remote access user - Unless you are remoting in, you should not need this. > > > > backup operator - If your machine is a member of a domain and you have > > someone soley responsible for backups then this account really does not > > belong either. > > > > etc. Depends, definately should not have all. > > > > Bottom line if you are the only user on the computer i.e. standaolone > > machine not part of a domain, then the only permissions you need on your data > > is the group Administrators, and your user account. Note that I specified > > DATA, there are application folders that require special permissions such as > > SYSTEM etc. > > > > My general rule of thumb is that no one get full control with the exception > > of owner and the local / domain admin account. > > > > > these have full rights, meaning all the boxes are ticked > > -- > > David Davis [MCSE, CCNA, Security +] > > > > > > > > "Lisa" wrote: > > > > > Hi David, I have read every post you and David have posted re permissions > > > i.e. parent and child inherient etc. I am not a newbie to the computer world > > > but definitely not a Tech either:). My question is, my ex boyfriend (who > > > works in the IT World) set up my computer. When I click properties---> > > > security---> I have the usually Admin, My name etc, but there is a list so > > > long, e.g. anonmyous user, remote access user, backup operator, etc. All > > > these have full rights, meaning all the boxes are ticked. Could you please > > > advise me if I have anything to worry about. > > > Kind regards > > > Lisa:) > > > > > > "David Davis" wrote: > > > > > > > Are your sharing permissions set to everyone, full control? > > > > -- > > > > David Davis [MCSE, CCNA, Security +] > > > > > > > > > > > > > > > > "BrianB" wrote: > > > > > > > > > Hello, > > > > > > > > > > With the Advanced Security Settings Permissions (Traverse folder, List > > > > > folder, Read attributes, Read extended attributes, and Read permissions - > > > > > This folder only) why can't users map to a folder? > > > > > All inheritable permissions and Replace permission entries are not checked. > > > > > > > > > > Users need to map to this folder then choose a sub-folder from a list. > > > > > Users have Share permissions to use only some of the sub-folders and should > > > > > not be able to browse or use the sub-folders they do not have other Share > > > > > permissions to use. > > > > > Users can map a drive to the sub-folders they have permissions to but we > > > > > want to map a drive to the main folder so we don't end up mapping multiple > > > > > drives per user. > > > > > > > > > > Thanks > > > > > BrianB
Guest Lisa Posted August 22, 2007 Posted August 22, 2007 RE: Share permissions question RE: Share permissions question Thankyou again David for your info. I thought my only option would be to reformat. Will do so as soon as I have backed up. Sincerely appreciate your input. Have a great day From a lady downunder:) "David Davis" wrote: > If you are concerned that he may have access and he is a IT professional, > then the only way you can be sure that he will not access is either A: stay > offline or B: backup your data and perform a complete format and re-install. > > I would go with option B. > > Off of the top of my head I do not know what the appropriate security > settings should be. However under no circumstances shoulf everyone be given > full control. > -- > David Davis [MCSE, CCNA, Security +] > > > > "Lisa" wrote: > > > Thanks for your prompt reply and valuable info David. Hmm, now I am a little > > worried. > > Ex boyfriend b/c he set up computer obv knows my admin rights number. Im > > note sure if this is relevant, whether he can login and check my computer at > > anytime. > > > > Pls see below an example maybe this will help: > > > > C:\Documents and Settings\All Users\Application Data\Microsoft > > Properties\Security. Group or user names as follows: > > Administrators (with my name and admin numbers) > > Everyone > > Power Users (my name & admin number) > > System > > Users (my name & admin number) > > All these have every box ticked to 'allow' > > Go to advanced ---> Effective Permissions---> Select--->Advanced-->Find > > now---> there is about 20 heading here e.g.the ones I have mentioned above > > plus remote interactive login, replicator,remote desktop user, network conf > > operator, some guests are marked (with a cross, obv non existent) two other > > guest headings (without a cross, meaning they are active?),anonymous logon. > > All these have the number of my admin rights next to them. I cannot delete > > any of them, because they are inherient from the parent to the child. Im not > > very familiar with this parent and child aspect. > > > > This is typical of most of the files on my computer. > > > > Appreciate your input. Thanks David > > Cheers Lisa:) > > > > > > "David Davis" wrote: > > > > > Interesting: > > > > > > Just using the users that you listed below I would say: > > > > > > anonmyous user - Never give this account full control unless the folder in > > > question is part of a website that you wish to allow anonmyous access, even > > > then IUSR should be given rights not anonmyous. > > > > > > remote access user - Unless you are remoting in, you should not need this. > > > > > > backup operator - If your machine is a member of a domain and you have > > > someone soley responsible for backups then this account really does not > > > belong either. > > > > > > etc. Depends, definately should not have all. > > > > > > Bottom line if you are the only user on the computer i.e. standaolone > > > machine not part of a domain, then the only permissions you need on your data > > > is the group Administrators, and your user account. Note that I specified > > > DATA, there are application folders that require special permissions such as > > > SYSTEM etc. > > > > > > My general rule of thumb is that no one get full control with the exception > > > of owner and the local / domain admin account. > > > > > > > these have full rights, meaning all the boxes are ticked > > > -- > > > David Davis [MCSE, CCNA, Security +] > > > > > > > > > > > > "Lisa" wrote: > > > > > > > Hi David, I have read every post you and David have posted re permissions > > > > i.e. parent and child inherient etc. I am not a newbie to the computer world > > > > but definitely not a Tech either:). My question is, my ex boyfriend (who > > > > works in the IT World) set up my computer. When I click properties---> > > > > security---> I have the usually Admin, My name etc, but there is a list so > > > > long, e.g. anonmyous user, remote access user, backup operator, etc. All > > > > these have full rights, meaning all the boxes are ticked. Could you please > > > > advise me if I have anything to worry about. > > > > Kind regards > > > > Lisa:) > > > > > > > > "David Davis" wrote: > > > > > > > > > Are your sharing permissions set to everyone, full control? > > > > > -- > > > > > David Davis [MCSE, CCNA, Security +] > > > > > > > > > > > > > > > > > > > > "BrianB" wrote: > > > > > > > > > > > Hello, > > > > > > > > > > > > With the Advanced Security Settings Permissions (Traverse folder, List > > > > > > folder, Read attributes, Read extended attributes, and Read permissions - > > > > > > This folder only) why can't users map to a folder? > > > > > > All inheritable permissions and Replace permission entries are not checked. > > > > > > > > > > > > Users need to map to this folder then choose a sub-folder from a list. > > > > > > Users have Share permissions to use only some of the sub-folders and should > > > > > > not be able to browse or use the sub-folders they do not have other Share > > > > > > permissions to use. > > > > > > Users can map a drive to the sub-folders they have permissions to but we > > > > > > want to map a drive to the main folder so we don't end up mapping multiple > > > > > > drives per user. > > > > > > > > > > > > Thanks > > > > > > BrianB
Guest David Davis Posted August 22, 2007 Posted August 22, 2007 RE: Share permissions question RE: Share permissions question No problem. -- David Davis [MCSE, CCNA, Security +] "Lisa" wrote: > Thankyou again David for your info. I thought my only option would be to > reformat. Will do so as soon as I have backed up. Sincerely appreciate your > input. Have a great day > From a lady downunder:) > > "David Davis" wrote: > > > If you are concerned that he may have access and he is a IT professional, > > then the only way you can be sure that he will not access is either A: stay > > offline or B: backup your data and perform a complete format and re-install. > > > > I would go with option B. > > > > Off of the top of my head I do not know what the appropriate security > > settings should be. However under no circumstances shoulf everyone be given > > full control. > > -- > > David Davis [MCSE, CCNA, Security +] > > > > > > > > "Lisa" wrote: > > > > > Thanks for your prompt reply and valuable info David. Hmm, now I am a little > > > worried. > > > Ex boyfriend b/c he set up computer obv knows my admin rights number. Im > > > note sure if this is relevant, whether he can login and check my computer at > > > anytime. > > > > > > Pls see below an example maybe this will help: > > > > > > C:\Documents and Settings\All Users\Application Data\Microsoft > > > Properties\Security. Group or user names as follows: > > > Administrators (with my name and admin numbers) > > > Everyone > > > Power Users (my name & admin number) > > > System > > > Users (my name & admin number) > > > All these have every box ticked to 'allow' > > > Go to advanced ---> Effective Permissions---> Select--->Advanced-->Find > > > now---> there is about 20 heading here e.g.the ones I have mentioned above > > > plus remote interactive login, replicator,remote desktop user, network conf > > > operator, some guests are marked (with a cross, obv non existent) two other > > > guest headings (without a cross, meaning they are active?),anonymous logon. > > > All these have the number of my admin rights next to them. I cannot delete > > > any of them, because they are inherient from the parent to the child. Im not > > > very familiar with this parent and child aspect. > > > > > > This is typical of most of the files on my computer. > > > > > > Appreciate your input. Thanks David > > > Cheers Lisa:) > > > > > > > > > "David Davis" wrote: > > > > > > > Interesting: > > > > > > > > Just using the users that you listed below I would say: > > > > > > > > anonmyous user - Never give this account full control unless the folder in > > > > question is part of a website that you wish to allow anonmyous access, even > > > > then IUSR should be given rights not anonmyous. > > > > > > > > remote access user - Unless you are remoting in, you should not need this. > > > > > > > > backup operator - If your machine is a member of a domain and you have > > > > someone soley responsible for backups then this account really does not > > > > belong either. > > > > > > > > etc. Depends, definately should not have all. > > > > > > > > Bottom line if you are the only user on the computer i.e. standaolone > > > > machine not part of a domain, then the only permissions you need on your data > > > > is the group Administrators, and your user account. Note that I specified > > > > DATA, there are application folders that require special permissions such as > > > > SYSTEM etc. > > > > > > > > My general rule of thumb is that no one get full control with the exception > > > > of owner and the local / domain admin account. > > > > > > > > > these have full rights, meaning all the boxes are ticked > > > > -- > > > > David Davis [MCSE, CCNA, Security +] > > > > > > > > > > > > > > > > "Lisa" wrote: > > > > > > > > > Hi David, I have read every post you and David have posted re permissions > > > > > i.e. parent and child inherient etc. I am not a newbie to the computer world > > > > > but definitely not a Tech either:). My question is, my ex boyfriend (who > > > > > works in the IT World) set up my computer. When I click properties---> > > > > > security---> I have the usually Admin, My name etc, but there is a list so > > > > > long, e.g. anonmyous user, remote access user, backup operator, etc. All > > > > > these have full rights, meaning all the boxes are ticked. Could you please > > > > > advise me if I have anything to worry about. > > > > > Kind regards > > > > > Lisa:) > > > > > > > > > > "David Davis" wrote: > > > > > > > > > > > Are your sharing permissions set to everyone, full control? > > > > > > -- > > > > > > David Davis [MCSE, CCNA, Security +] > > > > > > > > > > > > > > > > > > > > > > > > "BrianB" wrote: > > > > > > > > > > > > > Hello, > > > > > > > > > > > > > > With the Advanced Security Settings Permissions (Traverse folder, List > > > > > > > folder, Read attributes, Read extended attributes, and Read permissions - > > > > > > > This folder only) why can't users map to a folder? > > > > > > > All inheritable permissions and Replace permission entries are not checked. > > > > > > > > > > > > > > Users need to map to this folder then choose a sub-folder from a list. > > > > > > > Users have Share permissions to use only some of the sub-folders and should > > > > > > > not be able to browse or use the sub-folders they do not have other Share > > > > > > > permissions to use. > > > > > > > Users can map a drive to the sub-folders they have permissions to but we > > > > > > > want to map a drive to the main folder so we don't end up mapping multiple > > > > > > > drives per user. > > > > > > > > > > > > > > Thanks > > > > > > > BrianB
Recommended Posts