Registry and File System Lockdown
Registry and file system permissions are central to Windows 2000 security. The default permissions can be viewed from the Security Templates snap-in. Of the templates shipped with the snap-in, the basic templates (basicdc.inf for domain controllers, basicsv.inf for member servers and basicwk.inf for workstations) are the ones that carry the complete default File System and Registry permission settings; the other default templates are designed to cover other security policy areas such as account, audit and user-rights policy. Importing the appropriate basic template into a GPO and linking it to the computers concerned enforces those permissions on every machine and thereby on all users and services that run there, and re-applies them at each policy refresh if someone changes them by hand. These templates reflect the default file and Registry permissions of a clean Windows 2000 installation and are considered a secure baseline.
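The secedit.exe command-line tool is the counterpart of the Security Configuration and Analysis snap-in and can compare a machine's current file-system and Registry permissions with a template, then apply the template. The following PowerShell script is an added example, not code from the original page; the template path, the working directory, the File-System/Registry-only scope and the "Mismatch"/"Not Configured" log-line format it parses are assumptions, and it must be run from an elevated prompt.

```powershell
# Added example: analyze a machine against a security template with secedit.exe
# and list the file-system and Registry objects whose ACLs differ from it.
param(
    # Assumed template location; adjust for the machine role (basicsv.inf, basicdc.inf).
    [string]$Template = "$env:SystemRoot\security\templates\basicwk.inf",
    [string]$WorkDir  = "$env:TEMP\lockdown-audit",   # assumed scratch directory
    [switch]$Apply                                    # re-apply the template after analysis
)

if (-not (Test-Path -LiteralPath $Template)) { throw "Template not found: $Template" }
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$db  = Join-Path $WorkDir 'audit.sdb'
$log = Join-Path $WorkDir 'audit.log'
Remove-Item -LiteralPath $db, $log -Force -ErrorAction SilentlyContinue

# Import the template into a fresh analysis database and compare it with the live system.
& secedit.exe /analyze /db $db /cfg $Template /log $log /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /analyze failed (exit $LASTEXITCODE); see $log" }

# secedit writes a plain-text log. Assumption: objects that differ from the template
# appear as "Mismatch - <object>" and objects the template does not cover as
# "Not Configured - <object>"; everything else is progress output we ignore.
$findings = @(Get-Content -LiteralPath $log | ForEach-Object {
    if ($_ -match '^\s*(Mismatch|Not Configured)\s*-\s*(.+?)\.?\s*$') {
        [pscustomobject]@{ Status = $Matches[1]; Object = $Matches[2] }
    }
})

"{0} object(s) differ from {1}" -f $findings.Count, $Template
$findings | Sort-Object Status, Object | Format-Table -AutoSize

if ($Apply) {
    # Apply only the File System and Registry areas from the database built above;
    # account, audit and user-rights policy are left untouched.
    & secedit.exe /configure /db $db /areas FILESTORE REGKEYS /log $log /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed (exit $LASTEXITCODE); see $log" }
    "Template applied; review $log for objects secedit could not set."
}
```

Run the script without -Apply first and read the mismatch list: a "Mismatch" on a system directory is usually a hand edit or a badly behaved installer, and each one is a candidate for tightening before the template is pushed out through a GPO. The same secedit commands work unchanged from cmd.exe, which is what a Windows 2000 administrator would have used.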
In addition to manipulating the security templates to reflect the appropriate lockdown levels, four additional rules should be applied:
Use NTFS and take advantage of Windows 2000 file/folder permissions (DACLs), auditing (SACLs) and file encryption (EFS).
Do not place any sensitive information or system files on a FAT partition. FAT has no access control lists, so there are no file/folder permissions for local access; share permissions protect only network access, and anyone who can log on locally or boot the machine can read everything on the volume.
Remember that the owner of a file or folder always retains control over the object: Windows grants the owner the rights to read and write its security descriptor (READ_CONTROL and WRITE_DAC) implicitly, regardless of what the DACL says. Even if an administrator adds an ACE denying the owner all permissions, the owner can still view and modify the security settings and so restore their own access. The only way to remove that control is to take ownership away from the user; members of Administrators hold the Take Ownership privilege and can do so, which is why sensitive system files should be owned by Administrators or SYSTEM rather than by an individual user.
When auditing file systems, never neglect the file owner: check who owns each object, not only what its DACL grants and denies.
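The owner rule above is easy to miss when auditing, because the DACL looks restrictive while the owner can rewrite it at will. The following PowerShell script is an added example, not code from the original page: it walks a directory tree, flags objects whose owner is not one of a trusted set of principals, flags Deny ACEs that name the owner (which cannot stop the owner from editing the DACL), and offers a remediation that moves ownership to Administrators. The root path and the trusted-owner list are assumptions; the remediation must run elevated.

```powershell
# Added example: find NTFS objects whose owner retains control despite the DACL.
param(
    [string]$Path = 'C:\SensitiveData',   # assumed audit root
    # Assumed trusted owners: principals that are supposed to control system data.
    [string[]]$TrustedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

function Get-OwnerFindings {
    param([string]$Root, [string[]]$Trusted)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl   = Get-Acl -LiteralPath $_.FullName
            $owner = $acl.Owner
            # A Deny ACE aimed at the owner is cosmetic: the owner keeps READ_CONTROL
            # and WRITE_DAC implicitly and can simply remove the ACE.
            $denyOnOwner = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $owner
            })
            $untrusted = $Trusted -notcontains $owner
            if ($untrusted -or $denyOnOwner.Count -gt 0) {
                [pscustomobject]@{
                    Path         = $_.FullName
                    Owner        = $owner
                    UntrustedOwner = $untrusted
                    DenyOnOwner  = ($denyOnOwner.Count -gt 0)
                }
            }
        }
}

function Set-OwnerToAdministrators {
    # Remediation: take ownership so the former owner's implicit rights disappear.
    # Requires the Take Ownership privilege, i.e. an elevated Administrators session.
    param([string]$File)
    $acl = Get-Acl -LiteralPath $File
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -LiteralPath $File -AclObject $acl
}

$findings = @(Get-OwnerFindings -Root $Path -Trusted $TrustedOwners)
"{0} object(s) under {1} need attention" -f $findings.Count, $Path
$findings | Format-Table -AutoSize

# Uncomment to remediate every finding after reviewing the list:
# $findings | ForEach-Object { Set-OwnerToAdministrators -File $_.Path }
```

If Set-Acl refuses to change the owner, takeown.exe /F <file> /A performs the same step from the command line. Note that on Windows 2000 there is no way to limit the owner's implicit rights other than changing the owner; the OWNER RIGHTS well-known SID that later Windows versions provide for this purpose does not exist there.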