Best Practice for NTFS Hardening
Hello,
On Windows 2003 I used to remove the USERS builtin group from the NTFS ACL on C:\
After I did it on Windows 2008 I noticed I need to add an ACL traverse entry (this folder only) for local service and network service on C:\, otherwise Windows Update generates some errors.
Does anybody know what the best practice is for Windows 2008?
Thanks
December 28th, 2010 10:14am
On Tue, 28 Dec 2010 15:09:34 +0000, Zucchetti wrote:
> Anybody know what is the best practice for Windows 2008 ?
The best practice is to really leave the DACL settings at the defaults.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Why do we want intelligent terminals when there are so many stupid users?
December 28th, 2010 10:50am
Hi,
I agree with Paul, as generally we do not change the default permissions on the system drive in Windows 2008.
As the UAC function has been added, removing the USERS group may cause issues when a user (even in the Administrators group) accesses drive C.
Shaon Shan | TechNet Subscriber Support in forum | If you have any feedback on our support, please contact tngfb@microsoft.com
December 29th, 2010 4:26am
I understand your logic but we can't allow users to browse root folders when using Terminal Server.
How do you suggest I configure the DACL?
December 29th, 2010 11:22am
You can try to set a group policy like Prevent access to drives from My Computer:
http://support.microsoft.com/kb/278295
Shaon Shan | TechNet Subscriber Support in forum
December 30th, 2010 12:55am
Why not? There shouldn't be anything particularly sensitive there.
December 30th, 2010 1:31am
I tried, but the application can browse resources since the user has permission.
December 30th, 2010 11:29am
The server is used by different customers and they can't see each other.
December 30th, 2010 11:29am
There is nothing sensitive on C:\ . It would be good to remove the CreateFolders/WriteData permission from Users on the root of C:\, but you should not remove the Read permission anyway.
MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor
January 3rd, 2011 8:59am
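
To check a server against what the last reply recommends (no CreateFolders/WriteData for Users on the root of C:\, Read kept), the following PowerShell lists the relevant ACEs without changing anything. It is an added example, not part of any post in this thread; the function name `Get-RootUserAce` and the choice of the two SIDs to check are assumptions.

```powershell
# Added example (read-only): report what Users-type principals are granted on a drive root.
function Get-RootUserAce {
    param(
        [string]   $Path = 'C:\',
        # Assumption: these two well-known SIDs are the broad groups of interest.
        # S-1-5-32-545 = BUILTIN\Users, S-1-5-11 = Authenticated Users
        [string[]] $Sid = @('S-1-5-32-545', 'S-1-5-11')
    )
    $fsr       = [System.Security.AccessControl.FileSystemRights]
    # In this enum CreateFiles equals WriteData and CreateDirectories equals AppendData.
    $writeMask = [int]$fsr::CreateFiles -bor [int]$fsr::CreateDirectories
    $readMask  = [int]$fsr::ReadAndExecute
    $inhOnly   = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Compare by SID so the check also works on non-English installations.
        try   { $aceSid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # account cannot be resolved: skip it
        if ($Sid -notcontains $aceSid) { continue }

        # ACEs that store generic rights show up as raw numbers in Rights
        # and are not decoded by the two mask checks below.
        $bits = [int]$ace.FileSystemRights
        New-Object PSObject -Property @{
            Identity     = $ace.IdentityReference.Value
            Type         = $ace.AccessControlType      # Allow or Deny
            Rights       = $ace.FileSystemRights
            # True when the ACE covers creating files or folders.
            CoversCreate = ($bits -band $writeMask) -ne 0
            # True when the ACE carries the full ReadAndExecute set.
            CoversRead   = ($bits -band $readMask) -eq $readMask
            # InheritOnly: the ACE applies to children, not to the root itself.
            InheritOnly  = ([int]$ace.PropagationFlags -band $inhOnly) -ne 0
            Inheritance  = $ace.InheritanceFlags
        }
    }
}

Get-RootUserAce |
    Format-Table Identity, Type, Rights, CoversCreate, CoversRead, InheritOnly -AutoSize
```

An Allow row with CoversCreate set and InheritOnly false is an entry that lets those users create items directly in the root; rows with CoversRead set are the ones the replies above say to leave in place.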