[gptalk] Re: drive access

  • From: "Jim Bangle" <Jim.Bangle@xxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 20 Sep 2006 11:51:40 -0700

Has anyone successfully used the Shared Computer Tool Kit and Disk Locking to 
overcome some of these issues?  While I'm not advocating leaving security out 
of this discussion, I have found that in the right setting it is easier to blow 
away changes to the C: drive with a reboot than it is to try to come up with a 
perfect security model.

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx <gptalk-bounce@xxxxxxxxxxxxx>
To: gptalk@xxxxxxxxxxxxx <gptalk@xxxxxxxxxxxxx>
Sent: Wed Sep 20 10:47:22 2006
Subject: [gptalk] Re: drive access

Doug's points are well taken here. Using File System Security policy is 
DANGEROUS when you're operating on the root of a volume. This is why I tend to 
just prefer using something like cacls.exe instead of GP. Cacls lets you append 
permissions, whereas GP is not as flexible. And since you only need to do this 
once, GP's periodic refresh feature is probably overkill.


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Delaney, Doug
Sent: Wednesday, September 20, 2006 10:18 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: drive access

I would add the %SystemDrive% to the File System entries, under Computer 
Configuration | Windows Settings | Security Settings | File System and 
configure the (Advanced) permissions for the user group required (my example 
uses the "Users" built-in group).  Ensure you select This folder only in the 
apply onto field, and deny creating files and folders.  Also ensure that you 
configure all other security settings required (to match what they are locally) 
as this will replace the existing permissions with a new set of permissions... 
so be VERY careful w/regard to inheritance.  This means you will be replacing the 
entire set of permissions on drive C: so you will have to add an additional 
entry for Users (in my example) that apply onto is set to "subfolders and files 
only".   When you click ok, then click on Configure this file or folder then, 
select replace permissions on all subfolders and files.  Please ensure you 
include ALL other groups currently defined on Drive C...  Everywhere, paying 
special attention to Program Files, Documents and Settings, and the 
%SystemRoot% folders.  AGAIN, you are replacing ALL security settings on drive 
C: using this method.  But, it gives you complete and granular control.  You 
also want to TEST using only one entry for users at the root of C:, and see if 
that does or does not replace all lower permissions (subfolders) if you select 
propagate inheritable permissions on all subfolders and files (instead of 
replace), but I have not had the expected results using that in the past.  
Warning: Don't lock out Administrators or SYSTEM...
Such as 

Doug Delaney
GM Desktop Engineering
Global Client Engineering GM
1075 W. Entrance Dr., MS 2B, Cube 2130
Auburn Hills, MI 48326
Lab: 248-365-9187
Tel: 248-754-7917
Pg: 248-870-0306 pager
Mail: Doug.Delaney@xxxxxxx <mailto:Doug.Delaney@xxxxxxx>  



        From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Eric Middleton
        Sent: Wednesday, September 20, 2006 12:48 PM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] drive access

        Anyone know how to make the root of c non accessible.  I have told the 
        group policy not to allow saving of files to c however if you create a new 
        folder you can save to that folder.  Anyone know how to stop this?
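
Added example, not written by anyone in this thread: PowerShell that appends a Deny entry for creating files and folders, scoped to "This folder only", to the existing ACL on the drive root instead of replacing the whole ACL the way the File System policy does. The function name, the backup file location and the use of Get-Acl/Set-Acl in place of cacls.exe are assumptions made for this example.

```powershell
# Hypothetical helper (added example). Run elevated, and try it on a test volume first.
function Add-RootCreateDeny {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path = "$env:SystemDrive\",
        [string]$BackupFile = "$env:TEMP\root-acl-backup.sddl"   # assumed location
    )

    # Well-known SIDs, so nothing depends on localized group names.
    $users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users
    $mustKeep = 'S-1-5-32-544', 'S-1-5-18'                        # Administrators, SYSTEM

    $acl = Get-Acl -LiteralPath $Path

    # Keep the current descriptor so the change can be rolled back later
    # (restore with $acl.SetSecurityDescriptorSddlForm(<saved string>) and Set-Acl).
    $acl.Sddl | Set-Content -LiteralPath $BackupFile

    # "Don't lock out Administrators or SYSTEM": stop unless both already hold
    # an Allow Full Control entry on this path.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($sid in $mustKeep) {
        $full = $rules | Where-Object {
            $_.IdentityReference.Value -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights -eq 'FullControl'
        }
        if (-not $full) { throw "No Allow Full Control entry for $sid on $Path; ACL left unchanged." }
    }

    # InheritanceFlags None + PropagationFlags None = "This folder only".
    $rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $users, $rights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)

    # AddAccessRule appends to the existing entries; nothing else in the ACL is touched.
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, 'Append Deny CreateFiles/CreateDirectories for BUILTIN\Users')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }

    # Return the Deny entries now present so the result can be reviewed.
    (Get-Acl -LiteralPath $Path).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
}

# Preview without writing anything:  Add-RootCreateDeny -WhatIf
```

A Deny entry applies to every account whose token carries the Users group, so check the result with an administrative logon as well as a standard user.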
