[THIN] Re: Default Perms Help
- From: brad salazar <duplexed@xxxxxxxxx>
- To: thin@xxxxxxxxxxxxx
- Date: Thu, 27 Sep 2012 16:38:28 -0700
I appreciate you sharing your template and I will take a look at using
it …. Likewise I dug into some of my old scripts and am testing using
cacls.... so far so good
cacls c:\ /e /c /r “creator owner”
cacls c:\ /e /c /p users:r
Thanks again.
On 9/27/12, Jeremy Saunders <jeremy@xxxxxxxxxxxxxxxxxxxx> wrote:
> I have a default security template I apply to all RDS and XenApp servers I
> build to take care of things like that...
>
> ---------------------------------------------------------------
> ; Windows 2008 R2 Security Configuration Template for RDS/Citrix Servers
>
> [version]
> signature="$CHICAGO$"
> revision=1
> DriverVer=06/21/2006,6.0.6001.18000
>
> [Profile Description]
> %SCEProfileDescription%
>
> [File Security]
> "%SystemDrive%\",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;
> SY)(A;OICIIO;FA;;;CO)S:PAR(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
> "%ProgramFiles%",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(
> A;OICI;0x1200a9;;;AU)"
> "%ProgramFiles(x86)%",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;
> ;SY)(A;OICI;0x1200a9;;;AU)"
> "%SystemRoot%\system32",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA
> ;;;SY)(A;OICI;0x1200a9;;;AU)"
> "%SystemRoot%\syswow64",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA
> ;;;SY)(A;OICI;0x1200a9;;;AU)"
> "%SystemDrive%\Temp",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;
> SY)(A;OICI;0x1301BF;;;AU)"
> "D:\",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICII
> O;FA;;;CO)S:PAR(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
> "D:\Temp",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;
> 0x1301BF;;;AU)"
> "D:\Spool",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI
> ;0x1301BF;;;AU)"
>
> [Strings]
> SCEProfileDescription = "Applies default root permissions to the OS
> partition and propagates them to child objects that are inheriting from the
> root. The propagation time depends on the number of unprotected child
> objects. See online help for further information."
> ---------------------------------------------------------------
>
> This is applied via a cmd file that contains...
>
> ---------------------------------------------------------------
> Set Inf=W2K8R2Security.inf
> ECHO Y|secedit /configure /db "%temp%\Security.sdb" /cfg %~dp0%inf% /areas
> filestore /log "%temp%\ApplySecurity.log"
> ECHO Y|secedit /analyze /db "%temp%\Security.sdb"
> ECHO Y|secedit /export /db "%temp%\Security.sdb" /cfg
> "%temp%\AuditSecurity.inf" /log "%temp%\AuditSecurity.log"
> ---------------------------------------------------------------
>
> Some of it may be "old school"...but it works.
>
> Hope that helps.
>
> Cheers,
> Jeremy.
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
> Behalf
> Of brad salazar
> Sent: Friday, 28 September 2012 6:04 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Default Perms Help
>
> Yup ... already doing things like hiding drives, software restriction
> policies, loopback lockdown policies, etc. (No AppSense in
> environment) ...but a savy user can always work around most of the built in
> policies and obfuscation .... I was just hoping someone out there had a
> NTFS permission tweak or similar.
>
> Thanks
>
> On 9/27/12, Rankin, James R <kz20fl@xxxxxxxxxxxxxx> wrote:
>> I find if you alter those default perms a few bits of stuff stop working.
>> Better to limit their access to c: and the tools needed to alter them
>> (security tab, command prompt, etc.)
>>
>> ---Blackberried
>>
>> -----Original Message-----
>> From: brad salazar <duplexed@xxxxxxxxx>
>> Sender: thin-bounce@xxxxxxxxxxxxx
>> Date: Thu, 27 Sep 2012 14:45:21
>> To: thin<thin@xxxxxxxxxxxxx>
>> Reply-To: thin@xxxxxxxxxxxxx
>> Subject: [THIN] Default Perms Help
>>
>> Default Perms on a 2K8R2 server running XA6.5 is allowing normal users
>> the right to create directories off the root of "C". Does anyone have
>> a recommended list of NTFS perms to use.
>>
>> Thanks in advance
>> ************************************************
>> For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation
>> mode use the below link:
>> //www.freelists.org/list/thin
>> ************************************************
>>
>> ************************************************
>> For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation
>> mode use the below link:
>> //www.freelists.org/list/thin
>> ************************************************
>>
> ************************************************
> For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation mode
> use the below link:
> //www.freelists.org/list/thin
> ************************************************
>
> ************************************************
> For Archives, RSS, to Unsubscribe, Subscribe or
> set Digest or Vacation mode use the below link:
> //www.freelists.org/list/thin
> ************************************************
>
************************************************
For Archives, RSS, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
//www.freelists.org/list/thin
************************************************
Other related posts:
