Hi all, I've just noticed the default NTFS permission for all volumes in Windows 2008 and they scare me a lot... Local group 'Users' has 'Create folders/Append data' permission to any newly created volume! Moreover - this permission are granted on system drive, as well!!! Are those permission necessary? On data volumes, I think, i can safely remove them - but can I remove them on system volume? Will Windows work correctly if I'll remove those scaring permissions? Thanks!R.*

Hello, Set proper NTFS permissions to users and restrict them to access volumes/folders. Share Permissions Article: http://support.microsoft.com/kb/277867 Access Based Enumeration permissions:http://technet.microsoft.com/en-us/library/dd772681(v=ws.10).aspx Also create specific GPO to hide drives to normal domain users:http://support.microsoft.com/kb/231289Regards, Ravikumar P

Hello Ravikumar, I'm going to remove the permissions for Users (at least the permission to create files/folders) on data volumes. I, however, do little worry about the system volume - I'm not sure if those permission are necessary for Windows to work correctly (despite the 'Program Files' and 'Windows' folders seems to not inherit the permissions)...R.*

Hi R, Yes, you can restrict the access the system volume, but test that in a lab environment before applying that in production. If not properly done it may create lots of issues. Have a look. Miha has a nice write up about the NTFS security settings. http://www.winvistatips.com/re-minimum-ntfs-permissions-systemdrive-t763571.htmlRegards, Rafic If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

Hello Ravikumar, I'm going to remove the permissions for Users (at least the permission to create files/folders) on data volumes. I, however, do little worry about the system volume - I'm not sure if those permission are necessary for Windows to work correctly (despite the 'Program Files' and 'Windows' folders seems to not inherit the permissions)... R.* Since it is a server keep a default permissions to C drive. Here users means local users(server\users\) so no normal user can't login into the server unless and otherwise you allow them. Generally normal users will have below permissions and they can't modify or delete. Read & Execute User can read the contents of files in this folder and also execute files in this folder. Still you need more details, just go through below article and configure the settings according to your requirement. Share Permissions Article: http://support.microsoft.com/kb/277867 Regards, Ravikumar P

Hello Ravikumar, I've notices this permission on webserver, where one web application has started to create folders and files on other data volume then it runs on. So Users group contains also IIS AppPool accounts. Indeed, this specific issue rose from web app error, but the result of the default NTFS permissions is that any local user (and through hacked/misconfigured WebApp anyone from internet) can write data on any volume (the system one included!) on the server. I do not think it's good. Well, I'll look at links you and Rafic sent, and try to limit the default permissions as much as possible. I'll try to not forgot to report it back here :)R.*

Hi, Is the server a Domain Controller? On DC, Domain Users group is included in local Users group. So you could try to edit the default permission if it is necessary. As Rafic mentioned above, it is recommanded to test in a lab befre applying changes. TechNet Subscriber Support in forum |If you have any feedback on our support, please contact tnmff@microsoft.com.

How are things going? Please let us know if there is anything we could help.TechNet Subscriber Support in forum |If you have any feedback on our support, please contact tnmff@microsoft.com.

Hi Shaon, I've removed the permissions for Users group (Create folders and Created files) about 3 hours ago - GUI just fired several warnings about 'access denied' on /boot, /program files, /windows and about two other directories (all those seems to have disabled ACL inheritance), but no other difficulty has occured yet (nor event log warning/error). We're trying this on development web server with several websites and sql instances, and during 'normal' development work, so I assume we'll know about potencially problems very soon. I've create a snapshot before changing the ACLs and we've maintain daily full backup a week back - I hope I will not have to use those backups :) I'll let you know in few days, if some problems will occure. Ragards,R.*

Hi all, until now, there hasn't been any problem discovered. So I consider it safe. Let all write permissions for Users group to be gone :) Thanks all of you!R.*