NTFS permissions and how they are changed

NTFS permissions and how they are changed

I would like to know what are the default NTFS permissions for the Windows folder in Windows XP, and I can't seem to find that information anywhere from Microsoft's TechNet or support knowledgebase.

Does anyone know where to find this info? More precisely I'm interested in a couple of a specific subfolders in the Windows folder:

-WindowsDebugUserMode

-WindowsDebugWPD

-WindowspchealthErrorRepQHEADLES

-WindowspchealthErrorRepQSIGNOFF

-WindowsRegistrationCRMLog

-Windowssystem32spoolPRINTERS

-WindowsTasks

-WindowsTemp

I know that generally the Windows folder has permissions that enabled admins/powerusers to write but users only to read, so that limited users cannot edit critical system files or add drivers to the system or things like that.

But, I ran AccessEnum on C:Windows the other day and according to AccessEnum, those folders in my list have permissions that grant users write access, allowing users to create and edit files.

Isn't this a bit problematic? Limited users can write in any of those folders according to AccessEnum, and that should mean any malware that gets to run under a limited user account can write into any of those folders, in spite of that fact that they are system critical folders and inside the Windows folder.

I would think that would be especially problematic in an enterprise setting, especially if there is a "whitelist" software restriction policy active, because then not only limited users could download files into those folders but also execute them, completely bypassing the protections.

Or is my thinking wrong somewhere along the line?

So what to do with those folders and their permissions? Are they not a security issue?

 (Source: https://support.microsoft.com/ph/1173)

Thanks!