I have a default security template I apply to all RDS and XenApp servers I build to take care of things like that...

---------------------------------------------------------------
; Windows 2008 R2 Security Configuration Template for RDS/Citrix Servers

[version]
signature="$CHICAGO$"
revision=1
DriverVer=06/21/2006,6.0.6001.18000

[Profile Description]
%SCEProfileDescription%

[File Security]
"%SystemDrive%\",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICIIO;FA;;;CO)S:PAR(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"%ProgramFiles%",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
"%ProgramFiles(x86)%",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
"%SystemRoot%\system32",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
"%SystemRoot%\syswow64",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
"%SystemDrive%\Temp",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301BF;;;AU)"
"D:\",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICIIO;FA;;;CO)S:PAR(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"D:\Temp",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301BF;;;AU)"
"D:\Spool",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301BF;;;AU)"

[Strings]
SCEProfileDescription = "Applies default root permissions to the OS partition and propagates them to child objects that are inheriting from the root. The propagation time depends on the number of unprotected child objects. See online help for further information."
---------------------------------------------------------------

This is applied via a cmd file that contains...
---------------------------------------------------------------
Set Inf=W2K8R2Security.inf
ECHO Y|secedit /configure /db "%temp%\Security.sdb" /cfg %~dp0%inf% /areas filestore /log "%temp%\ApplySecurity.log"
ECHO Y|secedit /analyze /db "%temp%\Security.sdb"
ECHO Y|secedit /export /db "%temp%\Security.sdb" /cfg "%temp%\AuditSecurity.inf" /log "%temp%\AuditSecurity.log"
---------------------------------------------------------------

Some of it may be "old school"...but it works.

Hope that helps.

Cheers,
Jeremy.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of brad salazar
Sent: Friday, 28 September 2012 6:04 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Default Perms Help

Yup ... already doing things like hiding drives, software restriction policies, loopback lockdown policies, etc. (No AppSense in environment) ...but a savvy user can always work around most of the built-in policies and obfuscation .... I was just hoping someone out there had an NTFS permission tweak or similar.

Thanks

On 9/27/12, Rankin, James R <kz20fl@xxxxxxxxxxxxxx> wrote:
> I find if you alter those default perms a few bits of stuff stop working.
> Better to limit their access to c: and the tools needed to alter them
> (security tab, command prompt, etc.)
>
> ---Blackberried
>
> -----Original Message-----
> From: brad salazar <duplexed@xxxxxxxxx>
> Sender: thin-bounce@xxxxxxxxxxxxx
> Date: Thu, 27 Sep 2012 14:45:21
> To: thin<thin@xxxxxxxxxxxxx>
> Reply-To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Default Perms Help
>
> Default Perms on a 2K8R2 server running XA6.5 is allowing normal users
> the right to create directories off the root of "C". Does anyone have
> a recommended list of NTFS perms to use.
>
> Thanks in advance
> ************************************************
> For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation
> mode use the below link:
> //www.freelists.org/list/thin
> ************************************************
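
The access masks in the template at the top of this thread, decoded, as an added example that is not part of the original messages: the Python below parses three [File Security] lines copied from the template and reports what Authenticated Users (AU) may change directly in each folder. The names folder_mask and audit are hypothetical, and only hex masks and the FA/FR/FW/FX aliases are handled.

```python
import re

# Constructed sample: three [File Security] lines copied from the template in the thread.
TEMPLATE = r'''
"%SystemDrive%\",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICIIO;FA;;;CO)S:PAR(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"%ProgramFiles%",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
"%SystemDrive%\Temp",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301BF;;;AU)"
'''

# SDDL file-rights aliases, and the access-mask bits that let a trustee change a folder.
ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
CHANGE_BITS = {0x2: "create files", 0x4: "create folders", 0x40: "delete children",
               0x10000: "delete", 0x40000: "change permissions", 0x80000: "take ownership"}

def folder_mask(sddl, trustee):
    """OR together the allow ACEs in the DACL that apply to the folder itself for trustee."""
    dacl = sddl.split("S:")[0]                      # drop the SACL (audit) part
    mask = 0
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, flags, rights, _, _, sid = ace.split(";")
        tokens = [flags[i:i + 2] for i in range(0, len(flags), 2)]
        if ace_type != "A" or sid != trustee or "IO" in tokens:
            continue                                # IO = inherit-only, not applied to this folder
        mask |= int(rights, 16) if rights.lower().startswith("0x") else ALIASES[rights]
    return mask

def audit(template, trustee="AU"):
    """Map each path in the template to what trustee may change directly in that folder."""
    report = {}
    for line in template.strip().splitlines():
        path, _mode, sddl = re.match(r'^"(.*)",(\d+),"(.*)"$', line).groups()
        mask = folder_mask(sddl, trustee)
        report[path] = [name for bit, name in CHANGE_BITS.items() if mask & bit]
    return report

if __name__ == "__main__":
    for path, changes in audit(TEMPLATE).items():
        print(f"{path:22} AU: {', '.join(changes) or 'no create/delete/permission rights'}")
```

In the template, 0x1200a9 is read and execute and 0x1301BF is modify, so Authenticated Users can create folders under Temp but not in the drive root.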