I appreciate you sharing your template and I will take a look at using it... Likewise I dug into some of my old scripts and am testing using cacls... so far so good:

cacls c:\ /e /c /r "creator owner"
cacls c:\ /e /c /p users:r

Thanks again.

On 9/27/12, Jeremy Saunders <jeremy@xxxxxxxxxxxxxxxxxxxx> wrote:
> I have a default security template I apply to all RDS and XenApp servers I
> build to take care of things like that...
>
> ---------------------------------------------------------------
> ; Windows 2008 R2 Security Configuration Template for RDS/Citrix Servers
>
> [version]
> signature="$CHICAGO$"
> revision=1
> DriverVer=06/21/2006,6.0.6001.18000
>
> [Profile Description]
> %SCEProfileDescription%
>
> [File Security]
> ; entry format: "path",mode,"SDDL"  (mode 0 = propagate inheritable permissions to subfolders and files)
> ; 0x1200a9 = Read & Execute, 0x1301BF = Modify; BA/SY/CO/AU/WD = Administrators/SYSTEM/CREATOR OWNER/Authenticated Users/Everyone
> "%SystemDrive%\",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICIIO;FA;;;CO)S:PAR(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
> "%ProgramFiles%",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
> "%ProgramFiles(x86)%",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
> "%SystemRoot%\system32",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
> "%SystemRoot%\syswow64",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
> "%SystemDrive%\Temp",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301BF;;;AU)"
> "D:\",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICIIO;FA;;;CO)S:PAR(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
> "D:\Temp",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301BF;;;AU)"
> "D:\Spool",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301BF;;;AU)"
>
> [Strings]
> SCEProfileDescription = "Applies default root permissions to the OS partition and propagates them to child objects that are inheriting from the root. The propagation time depends on the number of unprotected child objects. See online help for further information."
> ---------------------------------------------------------------
>
> This is applied via a cmd file that contains...
>
> ---------------------------------------------------------------
> Set Inf=W2K8R2Security.inf
> REM apply only the [File Security] area of the template next to this script
> ECHO Y|secedit /configure /db "%temp%\Security.sdb" /cfg %~dp0%inf% /areas filestore /log "%temp%\ApplySecurity.log"
> REM compare the machine against the database, then export the result for auditing
> ECHO Y|secedit /analyze /db "%temp%\Security.sdb"
> ECHO Y|secedit /export /db "%temp%\Security.sdb" /cfg "%temp%\AuditSecurity.inf" /log "%temp%\AuditSecurity.log"
> ---------------------------------------------------------------
>
> Some of it may be "old school"...but it works.
>
> Hope that helps.
>
> Cheers,
> Jeremy.
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of brad salazar
> Sent: Friday, 28 September 2012 6:04 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Default Perms Help
>
> Yup ... already doing things like hiding drives, software restriction
> policies, loopback lockdown policies, etc. (No AppSense in
> environment) ...but a savvy user can always work around most of the built-in
> policies and obfuscation .... I was just hoping someone out there had an
> NTFS permission tweak or similar.
>
> Thanks
>
> On 9/27/12, Rankin, James R <kz20fl@xxxxxxxxxxxxxx> wrote:
>> I find if you alter those default perms a few bits of stuff stop working.
>> Better to limit their access to c: and the tools needed to alter them
>> (security tab, command prompt, etc.)
>>
>> ---Blackberried
>>
>> -----Original Message-----
>> From: brad salazar <duplexed@xxxxxxxxx>
>> Sender: thin-bounce@xxxxxxxxxxxxx
>> Date: Thu, 27 Sep 2012 14:45:21
>> To: thin<thin@xxxxxxxxxxxxx>
>> Reply-To: thin@xxxxxxxxxxxxx
>> Subject: [THIN] Default Perms Help
>>
>> Default Perms on a 2K8R2 server running XA6.5 is allowing normal users
>> the right to create directories off the root of "C". Does anyone have
>> a recommended list of NTFS perms to use?
>>
>> Thanks in advance
>> ************************************************
>> For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation
>> mode use the below link:
>> //www.freelists.org/list/thin
>> ************************************************
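The template quoted above encodes every permission as an SDDL string, which is hard to review by eye and easy to get subtly wrong. The following is an added example, not code from the thread or from any of its participants: a small Python decoder for `[File Security]` entries that expands each ACE into trustee, inheritance flags and access mask, and lists the paths where anyone other than Administrators, SYSTEM or CREATOR OWNER is granted create/write rights. The `TEMPLATE` text embedded in the script is copied from Jeremy's message; the rights and SID tables cover only the SDDL tokens that template uses, and anything else raises rather than being silently misread.

```python
"""Decode the SDDL in a secedit [File Security] template (added example, not
code from the thread); covers only the SDDL forms the quoted template uses."""
import re

# Well-known SID aliases (the subset the template uses).
TRUSTEES = {"BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users", "CO": "CREATOR OWNER",
            "AU": "NT AUTHORITY\\Authenticated Users", "SY": "NT AUTHORITY\\SYSTEM", "WD": "Everyone"}
# SDDL two-letter rights -> NTFS access-mask bits.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8,        # read data, write data, append data, read EA
          "RP": 0x10, "WP": 0x20, "DT": 0x40, "LO": 0x80,     # write EA, execute, delete child, read attrs
          "CR": 0x100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,  # write attrs, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER
          "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,           # FILE_ALL_ACCESS, FILE_GENERIC_READ/WRITE/EXECUTE
          "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000}
# Bits that let a trustee create, change or delete objects, or rewrite the ACL.
WRITE_MASK = 0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000 | RIGHTS["GW"] | RIGHTS["GA"]
# Write access for these is expected (CREATOR OWNER only ever covers objects the trustee already owns).
EXPECTED_WRITERS = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM", "CREATOR OWNER"}

# [File Security] section copied from the template quoted above; entry format is
# "path",mode,"SDDL" with mode 0 = propagate inheritable ACEs to subfolders and files.
TEMPLATE = r'''
[File Security]
"%SystemDrive%\",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICIIO;FA;;;CO)S:PAR(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"%ProgramFiles%",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
"%ProgramFiles(x86)%",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
"%SystemRoot%\system32",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
"%SystemRoot%\syswow64",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
"%SystemDrive%\Temp",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301BF;;;AU)"
"D:\",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICIIO;FA;;;CO)S:PAR(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"D:\Temp",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301BF;;;AU)"
"D:\Spool",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301BF;;;AU)"
'''

def parse_mask(token):
    """Hex mask or concatenated two-letter codes -> integer access mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    if len(token) % 2:
        raise ValueError("bad rights field %r" % token)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= RIGHTS[token[i:i + 2]]
    return mask

def parse_aces(acl_text):
    """'PAR(A;OICI;FA;;;BA)...' -> (ACL flags, list of ACE dicts)."""
    acl_flags = acl_text.split("(", 1)[0]          # P = protected, AR = auto-inherit required
    aces = []
    for body in re.findall(r"\(([^)]*)\)", acl_text):
        ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")
        aces.append({"type": ace_type,                 # A allow, D deny, AU audit
                     "flags": flags,                   # OI/CI/IO inheritance; SA/FA = audit on success/failure
                     "mask": parse_mask(rights), "trustee": TRUSTEES.get(sid, sid)})
    return acl_flags, aces

def parse_sddl(sddl):
    """Split O:/G:/D:/S: sections; D: and S: are expanded into ACE lists."""
    marks = [(m.start(), m.group(1)) for m in re.finditer(r"([OGDS]):", sddl)]
    out = {}
    for i, (pos, key) in enumerate(marks):
        end = marks[i + 1][0] if i + 1 < len(marks) else len(sddl)
        out[key] = parse_aces(sddl[pos + 2:end]) if key in "DS" else sddl[pos + 2:end]
    return out

ENTRY_RE = re.compile(r'^"([^"]+)",(\d),"(.*)"$')

def file_security_entries(inf_text):
    """Yield (path, mode, sddl) for every line of the [File Security] section."""
    in_section = False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[file security]"
        elif in_section and line and not line.startswith(";"):
            m = ENTRY_RE.match(line)
            if not m:
                raise ValueError("unparsable entry %r" % line)
            yield m.group(1), int(m.group(2)), m.group(3)

def non_admin_writers(inf_text):
    """Sorted (path, trustee) pairs where an allow ACE grants write/create rights
    to a trustee outside EXPECTED_WRITERS; an empty list means the lockdown holds."""
    hits = set()
    for path, _mode, sddl in file_security_entries(inf_text):
        for ace in parse_sddl(sddl).get("D", ("", []))[1]:
            if (ace["type"] == "A" and ace["mask"] & WRITE_MASK
                    and ace["trustee"] not in EXPECTED_WRITERS):
                hits.add((path, ace["trustee"]))
    return sorted(hits)

def describe(inf_text):
    """One line per ACE, for reading the template by eye."""
    lines = []
    for path, mode, sddl in file_security_entries(inf_text):
        lines.append("%s (mode %d)" % (path, mode))
        sections = parse_sddl(sddl)
        for key in ("D", "S"):
            for ace in sections.get(key, ("", []))[1]:
                lines.append("  %s %-2s %-6s 0x%08X %s" % (key, ace["type"], ace["flags"], ace["mask"], ace["trustee"]))
    return "\n".join(lines)

if __name__ == "__main__":
    print(describe(TEMPLATE))
    print("write access outside admins/SYSTEM/CREATOR OWNER:", non_admin_writers(TEMPLATE))
```

Run against the quoted template, `non_admin_writers` reports only the three scratch locations (`%SystemDrive%\Temp`, `D:\Temp`, `D:\Spool`), where Authenticated Users get 0x1301BF (Modify); on the drive roots, Program Files and system32 they get 0x1200a9 (Read & Execute), so the "create directories off the root" behaviour Brad describes is closed. The same parser can be pointed at the `AuditSecurity.inf` that the cmd file exports with `secedit /export` to confirm what was actually written to the database, rather than trusting the source template.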