Security, et al

The value of the Authenticated Users special principal is overrated. This is especially true with regard to the common recommendation to replace occurrences of the Everyone special principal in ACLs with Authenticated Users. This recommendation is made out of the over hyped risk that granting access to Everyone in file permissions would allow anonymous users (aka Null Sessions) to access those files.

Actually there’s very little risk of that. By default Windows Server 2003 doesn’t allow null sessions to access any folders you share – period. See [Network access:Shares that can be accessed anonymously] under Security Options in any group policy object.

The real risk with Everyone and Authenticated Users is the scope of these special principals and how they are effected by trust relationships. On a member server both Everyone and Authenticated Users include all local accounts in the server’s SAM, all domain accounts in the server’s domain and all accounts in any trusted domains. That means all users in the entire forest.

But as soon as you set up a cross forest trust or an external trust to a domain outside the forest Everyone and Authenticated Users immediately includes all users from that trusted domain. Any resources that you originally granted to either of these principles with the intent of giving everyone in the forest access are suddenly accessible to many more users.

In general I say that trusting another domain or forest doesn’t result in granting access to any resources; that trust relationships are about authentication. But resources that grant access Everyone and Authenticated Users are the exception to that statement.

Instead of using either of these principles I recommend using Domain Users which is a real global group in AD as opposed to a special principle. AD automatically adds new user accounts to Domain Users. But the nice thing about Domain Users is that since it is a global group it is prohibited from having any members from outside its domain. Therefore when you use Domain Users in ACLs you can rest assured you are granting access to that domain’s users and no one else.

While global groups are limited in terms of their members, global groups can be used in ACLs anywhere in the forest and in externally trusted domains and forests. If you want the ability to grant access to all users within the entire forest without adding each domain’s Domain Users group, just create a Forest Users universal group and add each domain’s Domain Users group as a member.