In Windows Server (and Windows 10, but more focused on Server right now), by default, Users have Read & execute, List folder contents, and Read access at the root level of every new drive, including the C: drive. It looks like key directories on the drive have unique non-inherited permissions, so I'm not sure that the users either benefit from or need any permissions at the root of the volume. I don't want users to have access to system folders, only their own documents, mail, and custom shares we have created.
I couldn't find any articles that reference this, which surprised me, because I would think this is a common question or something for which every IT guy has an opinion: for best security practices should we just always remove Users from having any permissions on the root level of a drive? Will this break anything? Why do users even have this access by default? The fact that MS does have this on by default makes me think that maybe it's needed.
I want to remove it so that new folders don't inherit that user access and to only add user access manually when it's really needed, but don't want to do it if any critical folders needed by all users (Users, DFS, etc.) might break if I remove users from the root level permissions. I think all of those have unique, non-inherited permissions, but I'm not certain and fear making a change like this and risking users suddenly having problems. Specifically wondering if I make this change on the Windows Servers and Domain Controllers, could this affect any AD users on Windows 10 stations (we do use DFS and redirected folders, so everyone's documents are housed on the Servers for backup purposes and also made available offline on their local stations)?
Thanks for any guidance.
Colin
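
An added example, not part of the original post: a read-only PowerShell check for the uncertainty raised above, reporting for each top-level folder on a drive whether inheritance is disabled and which rights BUILTIN\Users holds through inheritance from the root versus through explicit entries. The function name `Get-RootInheritanceReport` and the `C:\` default are assumptions for illustration.

```powershell
# Added example, not from the original post. Read-only: it changes no ACLs.
# The function name and default drive root are hypothetical.
function Get-RootInheritanceReport {
    param([string]$Root = 'C:\')

    # Well-known SID of BUILTIN\Users; matching on the SID avoids localized names.
    $usersSid = 'S-1-5-32-545'
    $sidType  = [System.Security.Principal.SecurityIdentifier]

    Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path = $_.FullName
            try {
                $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
            } catch {
                # Some system folders cannot be read even by an administrator.
                [pscustomobject]@{
                    Path = $path; InheritanceDisabled = $null
                    InheritedUsersRights = 'ACL unreadable'; ExplicitUsersRights = ''
                }
                return   # move on to the next folder
            }

            # Explicit and inherited Allow rules for BUILTIN\Users, returned as SIDs.
            $rules = @($acl.GetAccessRules($true, $true, $sidType) |
                Where-Object { $_.IdentityReference.Value -eq $usersSid -and
                               $_.AccessControlType -eq 'Allow' })

            $inherited = @($rules | Where-Object { $_.IsInherited })
            $explicit  = @($rules | Where-Object { -not $_.IsInherited })

            [pscustomobject]@{
                Path                 = $path
                # True means the folder has inheritance turned off (unique permissions).
                InheritanceDisabled  = $acl.AreAccessRulesProtected
                InheritedUsersRights = ($inherited.FileSystemRights | Sort-Object -Unique) -join '; '
                ExplicitUsersRights  = ($explicit.FileSystemRights  | Sort-Object -Unique) -join '; '
            }
        }
}

Get-RootInheritanceReport -Root 'C:\' | Format-Table -AutoSize -Wrap
```

Folders that report `InheritanceDisabled` as False with a non-empty `InheritedUsersRights` are the ones whose Users access comes from the root entry; folders with inheritance disabled or only explicit rights do not depend on it.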