Skip navigation

Should You Use the Authenticated Users Group?

While reviewing the NTFS permissions on my server, I found that the Everyone group has Read and Execute permissions on many files and folders. To tighten security, some publications suggest using the Authenticated Users group instead of the Everyone group. However, I'm not sure how the Authenticated Users group is more secure. What's the difference between the Everyone group and the Authenticated Users group?

The differences between the Everyone, Users, and Authenticated Users groups aren't apparent from the group names. In a nutshell, the Everyone group is the least secure of these groups because it does indeed include everyone. The Everyone group often contains the same set of users as the Users and Authenticated Users groups. However, if you've enabled the Guest account, you'll find that users who have logged on as Guest are members of Everyone but not members of Users or Authenticated Users.

The difference between the Users and Authenticated Users groups is a bit more esoteric. After all, if all users must authenticate, aren't all users authenticated users? If they are, why do you need a different group called Authenticated Users? The answer is that not all members of the Users group are authenticated. Windows networks include the ability to have computer-to-computer connections that involve null sessions. Computers use these sessions to exchange lists of shared folders, printers, and other network resources; workstations use null sessions to connect to domain controllers (DCs) before users authenticate to the domain. (For more information about null sessions, see the Microsoft articles "Local System Account and Null Sessions in Windows NT" at default.aspx?scid=kb;en-us;q132679 and "Restricting Information Available to Anonymous Logon Users" at;en-us;q143474.)

Don't confuse null sessions, which are sometimes called anonymous sessions or anonymous connections, with Anonymous authentication in IIS. These concepts are completely different. Users who use Anonymous authentication to access IIS use the built-in IUSR_computername account and are members of the Everyone, Users, and Authenticated Users groups.

The inclusion of null connections in User group membership represents a security problem. Consequently, Microsoft introduced the Authenticated Users group around the time of Windows NT 4.0 Service Pack 3 (SP3) to include users who have authenticated but exclude null sessions. So, to answer your question, yes—for NTFS permissions, you should use Authenticated Users instead of Everyone.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.