The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (WN16-SO-000290).Review the permissions for the Windows installation directory (usually C:\Windows). Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions. (Individual accounts must not be used to assign permissions.)If permissions are not as restrictive as the default permissions listed below, this is a finding.Viewing in File Explorer:For each folder, view the Properties.Select the "Security" tab and the "Advanced" button.Default permissions:\WindowsType - "Allow" for allInherited from - "None" for allPrincipal - Access - Applies toTrustedInstaller - Full control - This folder and subfoldersSYSTEM - Modify - This folder onlySYSTEM - Full control - Subfolders and files onlyAdministrators - Modify - This folder onlyAdministrators - Full control - Subfolders and files onlyUsers - Read & execute - This folder, subfolders, and filesCREATOR OWNER - Full control - Subfolders and files onlyALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and filesALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and filesAlternately, use icacls:Open a Command prompt (admin).Enter "icacls" followed by the directory:"icacls c:\windows"The following results should be displayed for each when entered:c:\windowsNT SERVICE\TrustedInstaller:(F)NT SERVICE\TrustedInstaller:(CI)(IO)(F)NT AUTHORITY\SYSTEM:(M)NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)BUILTIN\Administrators:(M)BUILTIN\Administrators:(OI)(CI)(IO)(F)BUILTIN\Users:(RX)BUILTIN\Users:(OI)(CI)(IO)(GR,GE)CREATOR OWNER:(OI)(CI)(IO)(F)APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)Successfully processed 1 files; Failed processing 0 files

Maintain the default file ACLs and configure the Security Option "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (WN16-SO-000290).Default permissions:Type - "Allow" for allInherited from - "None" for allPrincipal - Access - Applies toTrustedInstaller - Full control - This folder and subfoldersSYSTEM - Modify - This folder onlySYSTEM - Full control - Subfolders and files onlyAdministrators - Modify - This folder onlyAdministrators - Full control - Subfolders and files onlyUsers - Read & execute - This folder, subfolders, and filesCREATOR OWNER - Full control - Subfolders and files onlyALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and filesALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files