Securing SYSVOL access: best practice recommendation?

    Question

  • Hi People,

    I'd like to know what the security best practice is for the SYSVOL folder on the domain controllers.
    I've got multiple (~14+) Domain Controllers/Global Catalogs running 2008 R2 and 2012 R2.

    From what I can see, Authenticated Users have unrestricted access to SYSVOL, which means they can edit logon scripts or GPOs, or do anything malicious.

    See the below NTFS permission:


    The Share permission:

    Let me know if there is anything that can be edited to make it more secure.
    Any help would be greatly appreciated.

    Thanks


    /* Server Support Specialist */

    • Moved by Amy Wang_Moderator Wednesday, April 12, 2017 6:41 AM from Windows Server 2012 General Forum
    Wednesday, April 12, 2017 1:25 AM

Answers

  • Hi,

    In my lab environment, the security permissions for Authenticated Users are Read & Execute; you can see more details in the two screenshots below:

    Pic 1. SYSVOL Security Permissions

    Pic 2. Authenticated Users Advanced Permissions

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 12, 2017 7:02 AM
    Moderator
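What the accepted answer shows on a single lab DC is the check a practitioner wants to run across all of them, and at both layers. Over the network the effective right is the intersection of the share DACL and the NTFS DACL, and Microsoft's documented defaults for the SYSVOL share are Authenticated Users Full Control, Everyone Read and Administrators Full Control at the share layer, with Authenticated Users limited to Read & Execute by NTFS; a share-level Full Control entry therefore looks alarming on its own but is bounded as long as NTFS stays read-only. The script below is an added example, not code from the thread or from Microsoft: it reads the SYSVOL and NETLOGON share DACLs on every DC via the `Win32_LogicalShareSecuritySetting` WMI class (which 2008 R2 still supports, unlike the 2012+ `Get-SmbShareAccess` provider), reads the NTFS DACLs of the SYSVOL root, the scripts folder and every GPO folder under Policies, and flags write-capable rights granted to Everyone, Authenticated Users, BUILTIN\Users or Domain Users. It assumes PowerShell 3.0+ and the ActiveDirectory RSAT module on the machine it runs from, and WMI plus SMB access to each DC as a domain administrator; the function names and the `$WriteBits` mask are this example's own.

```powershell
# Added example (not from the thread): audit SYSVOL/NETLOGON share DACLs and
# SYSVOL NTFS DACLs on every DC, flagging write rights held by broad principals.
# Assumes PowerShell 3.0+, the ActiveDirectory RSAT module, and WMI (DCOM) plus
# SMB access to each DC as a domain admin.
Import-Module ActiveDirectory

# Principals that mean "every user in the domain", matched by well-known SID.
# Domain Users is matched by its RID (-513) because its domain prefix varies.
$BroadSids      = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')  # Everyone, Authenticated Users, BUILTIN\Users
$DomainUsersRid = '-513'

# ACCESS_MASK bits that permit modification: FILE_WRITE_DATA, FILE_APPEND_DATA,
# FILE_WRITE_EA, FILE_DELETE_CHILD, FILE_WRITE_ATTRIBUTES, DELETE, WRITE_DAC,
# WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE.
$WriteBits = 0x2 -bor 0x4 -bor 0x10 -bor 0x40 -bor 0x100 -bor 0x10000 -bor
             0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function New-AceRecord($Dc, $Layer, $Path, $Identity, [string]$Sid, $Type, [int64]$Mask) {
    $broad    = ($BroadSids -contains $Sid) -or $Sid.EndsWith($DomainUsersRid)
    $writable = ($Mask -band $WriteBits) -ne 0
    $finding  = ''
    if ($Type -eq 'Allow' -and $broad -and $writable) {
        # Full Control for Authenticated Users at the share layer is the documented
        # default; the effective right is share AND NTFS, so it only matters if NTFS
        # also grants write. A broad NTFS write grant is the real problem.
        $finding = if ($Layer -eq 'Share') { 'INFO: broad write at share layer (default); verify NTFS' }
                   else { 'ALERT: broad principal can modify' }
    }
    [pscustomobject]@{ DC = $Dc; Layer = $Layer; Path = $Path; Identity = $Identity
                       Sid = $Sid; Type = $Type; Mask = ('0x{0:X}' -f $Mask)
                       Writable = $writable; Finding = $finding }
}

function Get-SharePermissions([string]$Dc, [string]$Share) {
    # Win32_LogicalShareSecuritySetting works against 2008 R2 as well as 2012 R2.
    $setting = Get-WmiObject -ComputerName $Dc -Class Win32_LogicalShareSecuritySetting -Filter "Name='$Share'"
    foreach ($ace in $setting.GetSecurityDescriptor().Descriptor.DACL) {
        New-AceRecord $Dc 'Share' "\\$Dc\$Share" "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" `
            $ace.Trustee.SIDString $(if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }) $ace.AccessMask
    }
}

function Get-NtfsPermissions([string]$Dc, [string]$Path) {
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $sid = try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
               catch { $ace.IdentityReference.Value }   # already a SID string if unresolvable
        # FileSystemRights may carry generic bits (negative as Int32); keep the low 32 bits only.
        New-AceRecord $Dc 'NTFS' $Path $ace.IdentityReference.Value $sid `
            $ace.AccessControlType.ToString() (([int64]$ace.FileSystemRights) -band 4294967295)
    }
}

function Get-SysvolAudit {
    param([string[]]$DomainControllers = (Get-ADDomainController -Filter * | ForEach-Object HostName))
    $domain = (Get-ADDomain).DNSRoot
    foreach ($dc in $DomainControllers) {
        Get-SharePermissions -Dc $dc -Share 'SYSVOL'
        Get-SharePermissions -Dc $dc -Share 'NETLOGON'
        Get-NtfsPermissions  -Dc $dc -Path "\\$dc\SYSVOL"
        Get-NtfsPermissions  -Dc $dc -Path "\\$dc\SYSVOL\$domain\scripts"
        # Each GPO folder has its own DACL derived from the GPO's delegation, so a
        # mis-delegated GPO shows up here even when the SYSVOL root looks right.
        Get-ChildItem -LiteralPath "\\$dc\SYSVOL\$domain\Policies" -Directory |
            ForEach-Object { Get-NtfsPermissions -Dc $dc -Path $_.FullName }
    }
}

# Usage: list everything, then only the findings. A default environment shows the
# share-layer INFO rows for Authenticated Users and no NTFS ALERT rows.
$audit = Get-SysvolAudit
$audit | Format-Table DC, Layer, Path, Identity, Type, Mask, Writable -AutoSize
$audit | Where-Object Finding | Format-Table DC, Layer, Path, Identity, Finding -AutoSize
```

Run it from an administrative workstation rather than on a DC so the NTFS ACLs are read over SMB exactly as a client would see them. An ALERT row on a GPO folder usually means someone delegated Edit settings on that GPO to a broad group; an ALERT on the scripts folder or the SYSVOL root means the NTFS defaults have been changed and should be restored rather than tightened further by hand, since SYSVOL replication (FRS or DFSR) and GPO processing depend on the default ACLs.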

All replies

  • Thanks Amy, what about the share permission ?

    I take it that the first screenshot from your lab was of the NTFS permissions.


    /* Server Support Specialist */

    Wednesday, April 12, 2017 7:35 AM
  • Thanks Amy, what about the share permission ?

    I take it that the first screenshot from your lab was of the NTFS permissions.

    Hi,

    Check this:

    Best Regards,

    Amy



    Wednesday, April 12, 2017 7:40 AM
    Moderator
  • Thanks, Amy.

    So in this case, I will use your screenshots to compare with my current AD SYSVOL permissions, since I believe it is best not to make any changes to this directory.


    /* Server Support Specialist */

    Wednesday, April 12, 2017 7:43 AM