January 03, 2002 12:00 AM

Should You Use the Authenticated Users Group?

Windows IT Pro
InstantDoc ID #23581

While reviewing the NTFS permissions on my server, I found that the Everyone group has Read and Execute permissions on many files and folders. To tighten security, some publications suggest using the Authenticated Users group instead of the Everyone group. However, I'm not sure how the Authenticated Users group is more secure. What's the difference between the Everyone group and the Authenticated Users group?

The differences between the Everyone, Users, and Authenticated Users groups aren't apparent from the group names. In a nutshell, the Everyone group is the least secure of these groups because it does indeed include everyone. The Everyone group often contains the same set of users as the Users and Authenticated Users groups. However, if you've enabled the Guest account, you'll find that users who have logged on as Guest are members of Everyone but not members of Users or Authenticated Users.

The difference between the Users and Authenticated Users groups is a bit more esoteric. After all, if all users must authenticate, aren't all users authenticated users? If they are, why do you need a different group called Authenticated Users? The answer is that not all members of the Users group are authenticated. Windows networks include the ability to have computer-to-computer connections that involve null sessions. Computers use these sessions to exchange lists of shared folders, printers, and other network resources; workstations use null sessions to connect to domain controllers (DCs) before users authenticate to the domain. (For more information about null sessions, see the Microsoft articles "Local System Account and Null Sessions in Windows NT" at http://support.microsoft.com/default.aspx?scid=kb;en-us;q132679 and "Restricting Information Available to Anonymous Logon Users" at http://support.microsoft.com/default.aspx?scid=kb;en-us;q143474.)

Don't confuse null sessions, which are sometimes called anonymous sessions or anonymous connections, with Anonymous authentication in IIS. These concepts are completely different. Users who use Anonymous authentication to access IIS use the built-in IUSR_computername account and are members of the Everyone, Users, and Authenticated Users groups.

The inclusion of null connections in User group membership represents a security problem. Consequently, Microsoft introduced the Authenticated Users group around the time of Windows NT 4.0 Service Pack 3 (SP3) to include users who have authenticated but exclude null sessions. So, to answer your question, yes—for NTFS permissions, you should use Authenticated Users instead of Everyone.
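
To act on this recommendation you first need to know where Everyone is explicitly granted access. The PowerShell script below is an added example, not part of the original article: it lists explicit allow entries for Everyone under a folder and, only when run with `-Replace`, re-grants the same rights to Authenticated Users. The parameter names `$Root` and `-Replace` are choices made for this example, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: audit explicit "Everyone" allow ACEs under a folder and,
# with -Replace, re-grant the same rights to Authenticated Users instead.
# $Root and the -Replace switch are names chosen for this example.
param(
    [Parameter(Mandatory)] [string] $Root,
    [switch] $Replace
)

# Well-known SIDs are used instead of names so the script works on localized systems.
$everyone = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)              # S-1-1-0
$authUsers = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)  # S-1-5-11

$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Explicit (non-inherited) rules only; inherited ones are fixed at the parent.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $everyone -and $_.AccessControlType -eq 'Allow' }
    $changed = $false
    foreach ($rule in $rules) {
        # Report every finding, whether or not it is being replaced.
        [pscustomobject]@{
            Path        = $item.FullName
            Rights      = $rule.FileSystemRights
            Inheritance = $rule.InheritanceFlags
        }
        if ($Replace) {
            $new = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $authUsers, $rule.FileSystemRights, $rule.InheritanceFlags,
                $rule.PropagationFlags, 'Allow')
            [void]$acl.RemoveAccessRuleSpecific($rule)   # remove the exact Everyone ACE
            $acl.AddAccessRule($new)                     # same rights, Authenticated Users
            $changed = $true
        }
    }
    if ($changed) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
}
```

Run it without `-Replace` first and review the report. Deny entries for Everyone are deliberately left untouched, because converting them would stop them applying to unauthenticated connections.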


Comments
  • LinWin1
    2 years ago
    Jul 24, 2010

    Thanks for your insight and straight-forward, no-nonsense, no fluff, clear and concise writing style - so much easier to follow and interpret than over-rated, over-stated techno-speak!

    My added questions are:

    Is it really necessary to have "authenticated users" or users as groups on a small [less than 10 user] network?

    Would it be more secure to create a custom group that mimics the attributes / permissions of "authenticated users", but make an obscure name that would not be looked for by the "uninvited guest"?

    How would one go about making a global modification to permissions to remove undesired groups, e.g., "everyone" or "users", replacing them with either "authenticated users", or a custom group name as above?

    Your comments and recommendations are appreciated,

    m

  • Chadipatrick
    4 years ago
    Apr 16, 2008

    So many fail at reading comprehension.

  • spar
    4 years ago
    Jan 19, 2008

    I also think there is something incorrect about this article.

    In the MS KB article 143474, it says that null session connections are considered ANONYMOUS LOGON users. This article says that null session connections are part of the Users group, which means ANONYMOUS LOGON is part of the Users group. I really don't think ANONYMOUS LOGON is part of the Users group. I have seen numerous MS documentation say that as of XP SP2, ANONYMOUS LOGON is no longer part of the Everyone group. If it had also been part of the Users group, they would have also mentioned the Users group in addition to the Everyone group.

  • Hunter
    5 years ago
    Oct 26, 2007

    I'm confused by this statement:

    "The inclusion of null connections in User group membership represents a security problem"

    Does this imply that a 'null' connection is considered a member of the 'Users' group?

    After reading the linked-to documents, it appears 'null' connections are used to enumerate shared network resources. This ability is configurable from the registry.

    I could not find mention of 'null' connections being associated with the 'Users' group. Nowhere did the articles indicate that a 'null' connection was a member of, or equivalent to a member of the 'Users' group.

    Instead, it appears the only security context that includes 'null' connections is the 'Everyone' group, as this association is mentioned several times in the document "Local System Account and Null Sessions in Windows NT"

    specifically:

    When this context is used to access the network, a null session is used. This produces the following context on remote computers:

    Default Owner: Everyone
    User: Everyone
    Groups: AnonymousLogon, Network

    It appears the main aspect of the 'Authenticated Users' group is that it differs from the 'Everyone' in that it does not allow 'null' connections.


    Thus, I assume that the above quoted sentence should instead read: "The inclusion of null connections in 'Everyone' group membership represents a security problem"
    notice the 'Everyone' in place of 'Users'.


    also:

    The user 'Guest', when logged on, is a member of both 'Everyone' and 'Authenticated Users', as the guest account, is indeed 'authenticated'. Accordingly, users in the 'Guests' group, when logged on, are also considered members of 'Everyone' and 'Authenticated users'

    see the bottom of the page at:
    http://technet.microsoft.com/en-us/library/bb726982.aspx
    regarding this.

  • Anonymous User
    7 years ago
    May 07, 2005

    According to the Users and Passwords dialog in Windows 2000: "Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted". This might answer the previous poster's comment: if you have a user which is a member of Guests, but not "Guest", it will have the same access as a User. Only the "Guest" account itself would not be considered "Authenticated".


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.