Windows 7 Thread, Default c:\ Perms allows auth users to make folders. in Technical
10th March 2011, 11:32 AM #1
Default c:\ Perms allows auth users to make folders.
Anyone else find it strange how Windows 7 by default allows all authenticated users to create folders on the c:\ drive?
There is an ACL for authenticated users to create folders; once they've made that folder they can dump whatever they want in there.
According to the TechNet forums, it's safe to remove this ACL:
"Should Authenticated Users group have Modify privileges in C:\ root directory? How do I harden it?"
I'm just a little paranoid about removing it myself although I can't see why on earth it would be required and as such I'd rather just get rid of it. If I remove it users get a UAC prompt if they try to do it in future.
Has anyone else done this? Or am I being over cautious? Granted I have c:\ access locked down on the students but still.
10th March 2011, 11:16 PM #2
Go for it. I reckon as long as your users still have full control over %userprofile% then they should be right...someone correct me if I'm wrong.
10th March 2011, 11:22 PM #3
@Chrisbrown, you are correct. We have set this up on many deployments.
11th March 2011, 08:12 AM #4
Are they set this way for compatibility reasons (legacy apps which attempt to write to the root of the C: drive)? When you browse to C:\ in Windows Explorer, there's a "Compatibility Files" button on the toolbar, which when clicked shows files stored in the user's VirtualStore folder. Although the UAC file virtualization driver (luafv.sys) doesn't deal with C:\, I still find files which should have been written to the root of C: in my VirtualStore folder.
Originally Posted by DrCheese
The file system locations that are virtualised for legacy processes are %ProgramFiles%, %ProgramData% and %SystemRoot%, excluding some specific subdirectories. However, any file with an executable extension, including .exe, .bat, .scr, .vbs, and others, is excluded from virtualisation. This means that programs that update themselves from a standard user account fail instead of creating private versions of their executables that aren't visible to an administrator running a global updater. (Source
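The ACL change discussed in this thread, as an added example that is not part of any post: a PowerShell script that lists the Allow entries for Authenticated Users on the system drive root, flags the ones that permit creating files or folders, and only with `-Remove` takes them out using `icacls`. The parameter names, the function name and the backup file name are assumptions made for this example.

```powershell
# Added example: audit (and optionally remove) Authenticated Users grants on the
# system drive root. Run elevated when using -Remove. Parameter names, the
# function name and the backup file name are assumptions for this example.
param(
    [string]$Path = "$env:SystemDrive\",
    [switch]$Remove
)

$sid = 'S-1-5-11'   # well-known SID for NT AUTHORITY\Authenticated Users

# Bits that let a principal create content: WriteData/CreateFiles (0x2),
# AppendData/CreateDirectories (0x4), GENERIC_WRITE and GENERIC_ALL. The generic
# bits matter because inherit-only ACEs can be stored with unmapped generic
# rights, which Get-Acl then shows as a raw number instead of a named right.
$writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-AuthUsersGrant {
    param([string]$Target)
    $acl = Get-Acl -LiteralPath $Target
    # Ask for SIDs rather than names so the match does not depend on OS language.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid -and
                       $_.AccessControlType -eq 'Allow' } |
        Select-Object @{n='Rights';    e={ $_.FileSystemRights }},
                      @{n='CanCreate'; e={ ([int]$_.FileSystemRights -band $writeMask) -ne 0 }},
                      InheritanceFlags, PropagationFlags, IsInherited
}

$before = @(Get-AuthUsersGrant -Target $Path)
if (-not $before) { "No Authenticated Users allow ACEs on $Path"; return }
$before | Format-Table -AutoSize

if ($Remove) {
    # Keep the original security descriptor so the change can be reviewed
    # or reverted later.
    (Get-Acl -LiteralPath $Path).Sddl | Set-Content -Path '.\root-acl-backup.sddl.txt'

    # /remove:g drops every granted (Allow) ACE for the SID; '*' marks a numeric SID.
    icacls $Path /remove:g "*$sid"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    $after = @(Get-AuthUsersGrant -Target $Path)
    "Remaining Authenticated Users allow ACEs on ${Path}: $($after.Count)"
}
```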