Hallo, i have a ftp server (FileZilla) that runs as a service and thus can be started in a different user context. I want to harden it as much as possible. The best way would be to grant it only access to a very few selected folders (own binary folder and FTP shared folder). I tried to setup a new user that seems useless though because it always has 'user' and 'authenticated user' rights that have nearly full access to standard NTFS HDD layout. Then i picked 'network service' and 'local service' as logon but these are also 'authenticated users'? :) Any chance to change them by GPOs and remove some security principals? The 'guest' user doesn't allow the service to start up (no registry access allowed). In terms of NTFS access it would be perfect though. Is there any way to create a new custom user that is not a member of 'authenticated user' or 'user'? I mean, its a server applications. How is it meant by Microsoft to harden such applications? Explicitly denying every folder/file is not an option.