+ Post New Thread
Results 1 to 4 of 4
Windows 7 Thread, Default c:\ Perms allows auth users to make folders. in Technical; Hi, Anyone else find it strange how Windows 7 by default allows all authenticated users to create folders on the ...
  1. #1
    DrCheese's Avatar
    Join Date
    Apr 2008
    Posts
    1,035
    Thank Post
    97
    Thanked 161 Times in 110 Posts
    Rep Power
    60

    Default c:\ Perms allows auth users to make folders.

    Hi,
    Anyone else find it strange how Windows 7 by default allows all authenticated users to create folders on the c:\ drive?
    There is an ACL for authenticated users to create folders, once they've made that folder they can dump whatever they want in there.

    According to the technet forums, it's safe to remove this ACL
    Should Authenticated Users group have Modify privileges in C:\ root directory? How do I harden it?

    I'm just a little paranoid about removing it myself although I can't see why on earth it would be required and as such I'd rather just get rid of it. If I remove it users get a UAC prompt if they try to do it in future.

    Has anyone else done this? Or am I being over cautious? Granted I have c:\ access locked down on the students but still.

  2. #2
    chrisbrown's Avatar
    Join Date
    Aug 2010
    Location
    Melbourne, Australia
    Posts
    103
    Thank Post
    2
    Thanked 16 Times in 14 Posts
    Rep Power
    17
    Go for it. I reckon as long as your users still have full control over %userprofile% then they should be right...someone correct me if I'm wrong.

  3. #3

    Join Date
    Dec 2008
    Location
    Essex
    Posts
    2,144
    Thank Post
    1
    Thanked 326 Times in 316 Posts
    Rep Power
    77
    Hi

    @Chrisbrown, you are correct. We have set this up on many deployments.

    Regards
    Sukh

  4. #4


    Join Date
    Feb 2007
    Location
    51.403651, -0.515458
    Posts
    9,387
    Thank Post
    241
    Thanked 2,815 Times in 2,077 Posts
    Rep Power
    813
    Quote Originally Posted by DrCheese View Post
    I can't see why on earth it would be required and as such I'd rather just get rid of it. If I remove it users get a UAC prompt if they try to do it in future.
    Are they set this way for compatibility reasons (legacy apps which attempt to write to the root of the C: drive)? When you browse to C:\ in Windows Explorer, there's a "Compatibility Files" button on the toolbar, which when clicked shows files stored in the user's VirtualStore folder. Although the UAC file virtualization driver (luafv.sys) doesn't deal with C:\, I still find files which should have been written to the root of C: in my VirtualStore folder.

    The file system locations that are virtualised for legacy processes are %ProgramFiles%, %ProgramData% and %SystemRoot%, excluding some specific subdirectories. However, any file with an executable extension, including .exe, .bat, .scr, .vbs, and others, is excluded from virtualisation. This means that programs that update themselves from a standard user account fail instead of creating private versions of their executables that arenít visible to an administrator running a global updater. (Source)

SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 16
    Last Post: 14th September 2010, 06:48 AM
  2. Replies: 15
    Last Post: 2nd November 2009, 05:21 PM
  3. Replies: 2
    Last Post: 11th March 2008, 10:36 AM
  4. Make student folders available externaly
    By daverage in forum Wireless Networks
    Replies: 11
    Last Post: 31st March 2006, 01:13 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •