What is the difference between the Everyone and Authenticated Users groups?
In order to maintain a proper level of access control, it is important to unambiguously understand what each object in the access control list (ACL) represents, including those built into Windows.
There are many built-in accounts with obscure names and vague descriptions that can lead to confusion in understanding the difference between them. A very common question: “What is the difference between the Everyone and Authenticated Users groups?”
The most important
The Authenticated Users group covers all users who are logged in using an account and password. The Everyone group covers all users who are logged in with the account and password, as well as built-in, password-protected accounts such as Guest and LOCAL_SERVICE.
')
More details
If the above described seemed simplistic to you, then a little more detail goes on.
The Authenticated Users group includes all users whose authenticity was confirmed when they logged on to the system, and they include both local and trusted domain accounts.
The Everyone group includes all members of the Authenticated Users group, as well as the guest Guest account and some other built-in accounts, such as likeSERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc. Guest Guest account is disabled by default, but if it is active, it allows get into the system without entering a password.
Contrary to popular belief, anyone who logs in anonymously, i.e. Those who do not pass the authentication procedure will not be included in the Everyone group. This was the case previously, but changed since Windows 2003 and Windows XP (SP2).
findings
When it comes to the allocation of permissions, there is one important question that we should be able to answer: what specific people have access to this resource?
Most of the permissions that we see are not given to specific people, but to security groups (and this is correct), whose role is not always obvious. As a result, you have to spend a lot of time to find out the answer to the question above.
There is a solution. When your CEO asks, “Who has access to Salary Sheet.doc?” You can quickly, confidently and absolutely answer, instead of making assumptions after weekly investigations.
There are many built-in accounts with obscure names and vague descriptions that can lead to confusion in understanding the difference between them. A very common question: “What is the difference between the Everyone and Authenticated Users groups?”
The most important
The Authenticated Users group covers all users who are logged in using an account and password. The Everyone group covers all users who are logged in with the account and password, as well as built-in, password-protected accounts such as Guest and LOCAL_SERVICE.
')
More details
If the above described seemed simplistic to you, then a little more detail goes on.
The Authenticated Users group includes all users whose authenticity was confirmed when they logged on to the system, and they include both local and trusted domain accounts.
The Everyone group includes all members of the Authenticated Users group, as well as the guest Guest account and some other built-in accounts, such as likeSERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc. Guest Guest account is disabled by default, but if it is active, it allows get into the system without entering a password.
Contrary to popular belief, anyone who logs in anonymously, i.e. Those who do not pass the authentication procedure will not be included in the Everyone group. This was the case previously, but changed since Windows 2003 and Windows XP (SP2).
findings
When it comes to the allocation of permissions, there is one important question that we should be able to answer: what specific people have access to this resource?
Most of the permissions that we see are not given to specific people, but to security groups (and this is correct), whose role is not always obvious. As a result, you have to spend a lot of time to find out the answer to the question above.
There is a solution. When your CEO asks, “Who has access to Salary Sheet.doc?” You can quickly, confidently and absolutely answer, instead of making assumptions after weekly investigations.
Source: https://habr.com/ru/post/281691/
All Articles