0

Question:

Should I change “advance security settings” c:\ [owner] from “everyone” to “system” or “admin” because each time I try to save a settings with select permissions for users/admins I’m prompted multiple enumeration failed dialogs and doesn’t seem to save correctly, I have ran sfc /scannow, and tried to take ownership with cmd to manually fix this issue.

I have googled the enumeration issue and best security practices and there are limited answers, I typically want to just have permissions/groups/user corrected or for best security practices to limit additional and current users since it has been modified incorrectly and seems a bit unstable.

c:\ properties > security > advanced >

[Security Tabs] permissions + auditing + effective access;

*Include or replace inhabitable parent objects and audit entries?

Theory: I feel like having “everyone” could lead to some back door privileges escalations, I originally had my computer with 3 accounts on windows 11 pro; one for policy, one for adding and removing limited programs like photoshops and such so they can’t sniff/copy/read my files and a guest account.

Improve this question
1
  • Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer.
    – Community Bot
    Commented Sep 5, 2022 at 22:10

2 Answers 2

Reset to default
0

I do not think you need to change Windows 11 permissions. Basic Windows 11 is already very secure.

I think you may have alluded to some errors on restart as a result of change you have made (prior to an edit of the question). If so, you should try to determine why you had these errors on restart (that is, what changes were made prior and try to revert if possible). If not see below about rebuilding the system.

My physical machines are Windows 11 Pro, I did not make security changes, and they are operating both securely and properly.

I feel like having “everyone” could lead to some back door privileges escalations,

Folders in general should not be permitted to Everyone. Security settings for Program Files (and x86) and User AppData folder should not be changed. Documents should be left permitted to just you, not Everyone.

a guest account whenever I want to sign into ...

There is no active Guest account anymore, so any Guest Account you make is just a standard account.

I suggest just using Windows 11 the way it was designed for security (like Windows 10 before it).

$recycle bin couldn’t be enumerated after changes .... So should I remove EVERYONE ...

I have been using Windows 11 for over a year with none of these issues.

So with respect, if you continue having security issues, you may wish to back everything up, reinstall Windows, leave Security settings as standard, and then restore data.

Improve this answer
3
  • Comments are not for extended discussion; this conversation has been moved to chat.
    – Journeyman Geek
    Commented Sep 6, 2022 at 1:22
  • Correct, but is there a command I can run to fix the issue or correct documents to reference from because even after reinstall it seem to persist, this is why I think it’s a bug, the c:\ owner is is now “system” with three exact principles under permissions, audit/effective access is also set to system, I have tried “everyone” and “admins” one of the settings aren’t correct because it still prompts the failed to enumerate popups.
    – Windowsuser1995
    Commented Sep 6, 2022 at 2:28
  • No. I have not seen such a command. Changing permissions as you have done has broken your system.
    – anon
    Commented Sep 6, 2022 at 11:10
0

On the root of c:, there's more than what meets the eye. In addition to NTFS security, there's a non-standard integrity level set on c: which requires elevation, no matter what NTFS says, whenever one tries to save a file directly to c:

Please Google chml.exe and integrity together if you would like to learn about integrity levels.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .