[THIN] Re: Default Perms Help

  • From: "Jeremy Saunders" <jeremy@xxxxxxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Fri, 28 Sep 2012 07:06:08 +0800

I have a default security template I apply to all RDS and XenApp servers I
build to take care of things like that...

---------------------------------------------------------------
; Windows 2008 R2 Security Configuration Template for RDS/Citrix Servers

[version]
signature="$CHICAGO$"
revision=1
DriverVer=06/21/2006,6.0.6001.18000

[Profile Description]
%SCEProfileDescription%

[File Security]
"%SystemDrive%\",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICIIO;FA;;;CO)S:PAR(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"%ProgramFiles%",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
"%ProgramFiles(x86)%",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
"%SystemRoot%\system32",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
"%SystemRoot%\syswow64",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
"%SystemDrive%\Temp",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301BF;;;AU)"
"D:\",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICIIO;FA;;;CO)S:PAR(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"D:\Temp",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301BF;;;AU)"
"D:\Spool",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301BF;;;AU)"

[Strings]
SCEProfileDescription = "Applies default root permissions to the OS partition and propagates them to child objects that are inheriting from the root.  The propagation time depends on the number of unprotected child objects.  See online help for further information."
---------------------------------------------------------------

This is applied via a cmd file that contains...

---------------------------------------------------------------
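REM Template file, expected in the same folder as this script
Set Inf=W2K8R2Security.inf
REM Apply only the [File Security] section (FILESTORE area) of the template
ECHO Y|secedit /configure /db "%temp%\Security.sdb" /cfg "%~dp0%inf%" /areas filestore /log "%temp%\ApplySecurity.log"
REM Compare the system against the database, then export its settings for review
ECHO Y|secedit /analyze /db "%temp%\Security.sdb"
ECHO Y|secedit /export /db "%temp%\Security.sdb" /cfg "%temp%\AuditSecurity.inf" /log "%temp%\AuditSecurity.log"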
---------------------------------------------------------------

Some of it may be "old school"...but it works.

Hope that helps.

Cheers,
Jeremy.
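
Added example, not part of the original post: a short Python audit that decodes the SDDL strings from the [File Security] section above and reports what Authenticated Users (AU) get on each folder itself, which is the question the thread started with (creating directories off the root). It is a simplification that only considers allow ACEs naming the trustee directly and skips inherit-only ACEs; the function names are hypothetical.

```python
import re

# NTFS file/directory access-mask bits (values from winnt.h).
BITS = {0x1: "ListDirectory", 0x2: "AddFile", 0x4: "AddSubdirectory",
        0x8: "ReadEA", 0x10: "WriteEA", 0x20: "Traverse", 0x40: "DeleteChild",
        0x80: "ReadAttributes", 0x100: "WriteAttributes", 0x10000: "Delete",
        0x20000: "ReadControl", 0x40000: "WriteDAC", 0x80000: "WriteOwner",
        0x100000: "Synchronize"}
# SDDL two-letter aliases for file rights.
ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}

# Two entries copied from the template above, with the mail line wraps removed.
TEMPLATE = r'''
"%SystemDrive%\",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICIIO;FA;;;CO)S:PAR(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"%SystemDrive%\Temp",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301BF;;;AU)"
'''

def parse_dacl(sddl):
    """Return (type, flag list, access mask, trustee) for each DACL ACE."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, _, _, trustee = body.split(";")[:6]
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
        else:  # concatenated aliases such as "FA"; unknown ones raise KeyError
            mask = 0
            for i in range(0, len(rights), 2):
                mask |= ALIASES[rights[i:i + 2]]
        # Flags are two-letter codes; split in pairs so "CIOI" is not read as "IO".
        pairs = [flags[i:i + 2] for i in range(0, len(flags), 2)]
        aces.append((ace_type, pairs, mask, trustee))
    return aces

def rights_on_folder(sddl, trustee="AU"):
    """Names of rights that allow ACEs grant the trustee on the folder itself."""
    mask = 0
    for ace_type, flags, ace_mask, who in parse_dacl(sddl):
        if ace_type == "A" and who == trustee and "IO" not in flags:
            mask |= ace_mask
    return sorted(name for bit, name in BITS.items() if mask & bit)

def audit(template, trustee="AU"):
    """Map each [File Security] path to the trustee's decoded rights."""
    entries = re.findall(r'^"([^"]+)",\d+,"([^"]+)"$', template, re.M)
    return {path: rights_on_folder(sddl, trustee) for path, sddl in entries}

if __name__ == "__main__":
    for path, rights in audit(TEMPLATE).items():
        verdict = "can" if "AddSubdirectory" in rights else "cannot"
        print(path, "-> AU", verdict, "create folders:", rights)
```

The mask 0x1200a9 decodes to read and execute only, while 0x1301BF on the Temp and Spool folders adds the write, create and delete bits.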

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of brad salazar
Sent: Friday, 28 September 2012 6:04 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Default Perms Help

Yup ... already doing things like hiding drives, software restriction
policies, loopback lockdown policies, etc. (No AppSense in
environment) ...but a savvy user can always work around most of the built-in
policies and obfuscation ....  I was just hoping someone out there had an
NTFS permission tweak or similar.

Thanks

On 9/27/12, Rankin, James R <kz20fl@xxxxxxxxxxxxxx> wrote:
> I find if you alter those default perms a few bits of stuff stop working.
> Better to limit their access to c: and the tools needed to alter them 
> (security tab, command prompt, etc.)
>
> ---Blackberried
>
> -----Original Message-----
> From: brad salazar <duplexed@xxxxxxxxx>
> Sender: thin-bounce@xxxxxxxxxxxxx
> Date: Thu, 27 Sep 2012 14:45:21
> To: thin<thin@xxxxxxxxxxxxx>
> Reply-To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Default Perms Help
>
> Default Perms on a 2K8R2 server running XA6.5 are allowing normal users
> the right to create directories off the root of "C". Does anyone have
> a recommended list of NTFS perms to use?
>
> Thanks in advance
> ************************************************
> For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation 
> mode use the below link:
> //www.freelists.org/list/thin
> ************************************************