WIN2K Checklist v2111 - Appendix A (MSE security attack and defense materials)
UNCLASSIFIED
Windows 2000 Security Checklist 2.1.11, Appendix A
Field Security Operations, Defense Information Systems Agency

A OBJECT PERMISSIONS

This appendix details the minimum required privileges assigned to the ACLs of Windows 2000 file and registry objects. Discrepancies may occur if either of the two following conditions are true:

- The object's security posture is more restrictive than specified in this document.
- The object's security posture is configured in direct support of the system's mission.

Note: If an ACL setting prevents a site's applications from performing properly, the site can modify that specific setting. Settings should only be changed to the minimum necessary for the application to function. Each exception to the recommended settings should be documented and kept on file by the ISSO.

Contents

A OBJECT PERMISSIONS
A.1 File and Directory Permissions
A.1.1 Boot Partition
A.1.2 System Partition
A.1.3 MQSeries (if installed)
A.2 Registry Key Permissions
A.2.1 Hive HKEY_LOCAL_MACHINE
A.2.2 Hive HKEY_USERS
A.2.3 Hive HKEY_CLASSES_ROOT

A.1 File and Directory Permissions

The following notation will be used throughout this chapter:

- %SystemDrive%: the drive letter on which Windows 2000 is installed (e.g., C:)
- %SystemRoot%: the folder in which Windows 2000 is installed (e.g., C:\winnt)
- %SystemDirectory%: %SystemRoot%\system32 (e.g., C:\winnt\system32)

Note for Domain Controllers: all references to the Users group should be changed to the Authenticated Users group.

Note: Some applications may require file or directory permissions that differ from the recommended settings. This generally applies to subdirectories and files that the application creates. Applications should not have modified permissions to the root directory of the %SystemDrive% or the %SystemRoot% and its subdirectories.

In the tables below, the accounts in the Account Assignment column and the permissions in the Permission column are listed in the same order, separated by semicolons.

A.1.1 Boot Partition

| Object Name | Account Assignment | Directory Permission |
|---|---|---|
| %SystemDrive%\ (folder, subfolders, and files) | Administrators; CREATOR OWNER (subfolders, files); SYSTEM; Users | all; all; all; RX |
| %SystemDrive%\AUTOEXEC.BAT | Administrators; Users; SYSTEM | all; R, X; all |
| %SystemDrive%\BOOT.INI | Administrators; SYSTEM | all; all |
| %SystemDrive%\CONFIG.SYS | Administrators; Users; SYSTEM | all; R, X; all |
| %SystemDrive%\IO.SYS | Administrators; Users; SYSTEM | all; R, X; all |
| %SystemDrive%\MSDOS.SYS | Administrators; Users; SYSTEM | all; R, X; all |
| %SystemDrive%\NTBOOTDD.SYS | Administrators; SYSTEM | all; all |
| %SystemDrive%\NTDETECT.COM | Administrators; SYSTEM | all; all |
| %SystemDrive%\NTLDR | Administrators; SYSTEM | all; all |

A.1.2 System Partition

| Object Name | Account Assignment | Permission |
|---|---|---|
| %SystemDrive%\Documents and Settings (don't reset permissions on subfolders and files) | Administrators; SYSTEM; Users | all; all; R, X |
| %SystemDrive%\Documents and Settings\Administrator (or profile of renamed account) | Administrators; SYSTEM | all; all |
| %SystemDrive%\Documents and Settings\All Users | Administrators; SYSTEM; Users | all; all; RX |
| %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson | Administrators; CREATOR OWNER (subfolders, files); SYSTEM; Users; Users | all; all; all; Traverse Folder, Create files, Create folders (subfolders, files); R, X |
| %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson\drwtsn32.log | Administrators; CREATOR OWNER; SYSTEM; Users | all; all; all; RWXD |
| %SystemDrive%\Documents and Settings\Default User | Administrators; SYSTEM; Users | all; all; RX |
| %SystemDrive%\My Download Files | Administrators; CREATOR OWNER (subfolders, files); SYSTEM; Users | all; all; all; RWX |
| %SystemDrive%\Program Files | Administrators; Users; CREATOR OWNER (subfolders, files); SYSTEM | all; RWX; all; all |
| %SystemDrive%\Program Files\Resource Kit (Servers and Domain Controllers); %SystemDrive%\Program Files\Resource Pro Kit (Workstations) | Administrators; SYSTEM | all; all |
| %SystemDrive%\Temp | Administrators; CREATOR OWNER (subfolders, files); SYSTEM; Users | all; all; all; Traverse folder, Create files, Create folders (folders, subfolders) |
| %SystemRoot% | Administrators; CREATOR OWNER (subfolders, files); SYSTEM; Users | all; all; all; RX |
| %SystemRoot%\regedit.exe | Administrators; SYSTEM | all; all |
| %SystemRoot%\$NtServicePackUninstall$ | Administrators; SYSTEM | all; all |
| %SystemRoot%\$NtUninstall* (all uninstall folders) | Administrators; SYSTEM | all; all |
| %SystemRoot%\CSC | Administrators; SYSTEM | all; all |
| %SystemRoot%\debug | Administrators; CREATOR OWNER (subfolders, files); SYSTEM; Users | all; all; all; RX |
| %SystemRoot%\debug\UserMode | Administrators; SYSTEM; Users; Users | all; all; Traverse folder, List Folder, Create files (folder only); Create files, Create folders (files only) |
| %SystemRoot%\NTDS (Domain Controllers only; Active Directory database folder; the %SystemRoot% portion of the path name may need to be changed depending on where the default Active Directory folder is located) | Administrators; SYSTEM | all; all |
| %SystemRoot%\Registration | Administrators; SYSTEM; Users | all; all; RWX |
| %SystemRoot%\Repair | Administrators; SYSTEM | all; all |
| %SystemRoot%\Security | Administrators; CREATOR OWNER (subfolders, files); SYSTEM | all; all; all |
| %SystemRoot%\SYSVOL (Domain Controllers only) | Administrators; Authenticated Users; CREATOR OWNER (subfolders, files); SYSTEM | all; RX; all; all |
| %SystemRoot%\SYSVOL\domain\Policies (Domain Controllers only; the %SystemRoot% portion of the path name may need to be changed depending on where the default Active Directory folder is located) | Administrators; Authenticated Users; CREATOR OWNER (subfolders, files); Group Policy Creator Owners; SYSTEM | all; RX; all; RWXD; all |
| %SystemRoot%\Temp | Administrators; CREATOR OWNER (subfolders, files); SYSTEM; Users | all; all; all; Traverse folder, Create files, Create folders (folders, subfolders) |
| %SystemRoot%\System32 (folder, subfolders, and files) | Administrators; Users; CREATOR OWNER (subfolders and files); SYSTEM | all; R, X; all; all |
| %SystemRoot%\System32\at.exe | Administrators; SYSTEM | all; all |
| %SystemRoot%\System32\Ntbackup.exe | Administrators; SYSTEM | all; all |
| %SystemRoot%\System32\Rcp.exe | Administrators; SYSTEM | all; all |
| %SystemRoot%\SYSTEM32\Regedt32.exe | Administrators; SYSTEM | all; all |
| %SystemRoot%\System32\Rexec.exe | Administrators; SYSTEM | all; all |
| %SystemRoot%\System32\Rsh.exe | Administrators; SYSTEM | all; all |
| %SystemRoot%\System32\Secedit.exe | Administrators; SYSTEM | all; all |
| %SystemRoot%\System32\appmgmt | Administrators; SYSTEM; Users | all; all; R, X |
| %SystemRoot%\System32\CONFIG | Administrators; SYSTEM | all; all |
| %SystemRoot%\System32\CONFIG\AppEvent.evt; %SystemRoot%\System32\CONFIG\SecEvent.evt; %SystemRoot%\System32\CONFIG\SysEvent.evt | Administrators; Auditor's group; SYSTEM | R, X; all; all |
| %SystemRoot%\System32\dllcache | Administrator; CREATOR OWNER; SYSTEM | all; all; all |
| %SystemRoot%\System32\DTCLog | Administrator; CREATOR OWNER (subfolders, files); SYSTEM; Users | all; all; all; R, X |
| %SystemRoot%\System32\GroupPolicy | Administrator; Authenticated Users; SYSTEM | all; R, X; all |
| %SystemRoot%\System32\ias | Administrator; CREATOR OWNER; SYSTEM | all; all; all |
| %SystemRoot%\System32\NTMSData | Administrator; SYSTEM | all; all |
| %SystemRoot%\System32\repl | Administrator; SYSTEM; Users | all; all; R, X |
| %SystemRoot%\System32\repl\export | Administrator; CREATOR OWNER; Replicator; SYSTEM; Users | all; all; R, X; all; R, X |
| %SystemRoot%\System32\repl\import | Administrator; Replicator; SYSTEM; Users | all; RWXD; all; R, X |
| %SystemRoot%\System32\Setup | Administrator; SYSTEM; Users | all; all; R, X |
| %SystemRoot%\System32\spool\Printers | Administrator; CREATOR OWNER (subfolders, files); SYSTEM; Users | all; all; all; Traverse folder, Read attributes, Read extended attributes, Create files, Create folders (folder, subfolders) |

A.1.3 MQSeries (if installed)

| Object Name | Account Assignment | Permission |
|---|---|---|
| \Program Files\MQSeries (folder, files, subfolders) | Administrators; Authenticated Users; MQM; SYSTEM | all; RX; all; all |
| \Program Files\MQSeries\qmggr\Queues (folder, files, subfolders; for each Queues folder) | Administrators; Authenticated Users; CREATOR OWNER; SYSTEM | all; RWX; all; all |

A.2 Registry Key Permissions

Note for Domain Controllers: all references to the Users group should be changed to the Authenticated Users group.

A.2.1 Hive HKEY_LOCAL_MACHINE

| Object Name | Account Assignment | Permission |
|---|---|---|
| \SOFTWARE (include all subkeys) | Administrators; CREATOR OWNER (subkeys only); SYSTEM; Users | all; all; all; read (QENR) |
| \SOFTWARE\Classes\Appid | Administrators; Users; Interactive User; SYSTEM | all; read (QENR); QSCEN R (key only); all |
| \SOFTWARE\Microsoft\NetDDE | Administrators; SYSTEM | all; all |
| \SOFTWARE\Microsoft\OS/2 Subsystem for NT | Administrators; CREATOR OWNER (subkeys only); SYSTEM | all; all; all |
| \SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy | Administrators; Authenticated Users; SYSTEM | all; read (QENR); all |
| \SOFTWARE\Microsoft\Windows\CurrentVersion\Installer | Administrators; Users; SYSTEM | all; read (QENR); all |
| \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies | Administrators; Authenticated Users; SYSTEM | all; read (QENR); all |
| \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AsrCommands | Administrators; Backup Operators; CREATOR OWNER (subkeys only); SYSTEM; Users | all; Query, Set Value, Create Subkey, Enumerate, Notify, Delete, Read permissions; all; all; Read (QENR) |
| \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib | Administrators; INTERACTIVE; CREATOR OWNER; SYSTEM | all; read (QENR); all; all |
| \SYSTEM | Administrators; CREATOR OWNER (subkeys only); SYSTEM; Users | all; all; all; read (QENR) |
| \SYSTEM\controlset001 | Administrators; CREATOR OWNER (subkeys only); SYSTEM; Users | all; all; all; read (QENR) |
| \SYSTEM\controlset002 | Administrators; CREATOR OWNER (subkeys only); SYSTEM; Users | all; all; all; read (QENR) |
| \SYSTEM\controlset003 | Administrators; CREATOR OWNER (subkeys only); SYSTEM; Users | all; all; all; read (QENR) |
| \SYSTEM\controlset004 | Administrators; CREATOR OWNER (subkeys only); SYSTEM; Users | all; all; all; read (QENR) |
| \SYSTEM\controlset005 | Administrators; CREATOR OWNER (subkeys only); SYSTEM; Users | all; all; all; read (QENR) |
| \SYSTEM\controlset006 | Administrators; CREATOR OWNER (subkeys only); SYSTEM; Users | all; all; all; read (QENR) |
| \SYSTEM\controlset007 | Administrators; CREATOR OWNER (subkeys only); SYSTEM; Users | all; all; all; read (QENR) |
| \SYSTEM\controlset008 | Administrators; CREATOR OWNER (subkeys only); SYSTEM; Users | all; all; all; read (QENR) |
| \SYSTEM\controlset009 | Administrators; CREATOR OWNER (subkeys only); SYSTEM; Users | all; all; all; read (QENR) |
| \SYSTEM\controlset010 | Administrators; CREATOR OWNER (subkeys only); SYSTEM; Users | all; all; all; read (QENR) |
| \SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg | Administrators; Backup O | |
