[THIN] Re: Default Perms Help

  • From: "Jeremy Saunders" <jeremy@xxxxxxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Fri, 28 Sep 2012 08:25:31 +0800

I've never ever had an issue with that template, and I've been using this for 
years as it's morphed from my 2003 template....and I build loads and loads of 
XenApp servers for many different customers. The trick with a security template 
is to apply it in the server build process and NOT after all the apps have been 
deployed, etc. You should also just apply the basics and not get too smart.

Cheers,
Jeremy.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of 
Rankin, James R
Sent: Friday, 28 September 2012 7:40 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Default Perms Help

I'd definitely recommend some testing after deploying this...sorry I can't be 
more specific but I definitely recall some unexpected issues.

---Blackberried

-----Original Message-----
From: brad salazar <duplexed@xxxxxxxxx>
Sender: thin-bounce@xxxxxxxxxxxxx
Date: Thu, 27 Sep 2012 16:38:28
To: <thin@xxxxxxxxxxxxx>
Reply-To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Default Perms Help

I appreciate you sharing your template and I will take a look at using it …. 
Likewise I dug into some of my old scripts and am testing using cacls.... so 
far so good

cacls c:\ /e /c /r "creator owner"
cacls c:\ /e /c /p users:r

Thanks again.

On 9/27/12, Jeremy Saunders <jeremy@xxxxxxxxxxxxxxxxxxxx> wrote:
> I have a default security template I apply to all RDS and XenApp 
> servers I build to take care of things like that...
>
> ---------------------------------------------------------------
> ; Windows 2008 R2 Security Configuration Template for RDS/Citrix Servers
>
> [version]
> signature="$CHICAGO$"
> revision=1
> DriverVer=06/21/2006,6.0.6001.18000
>
> [Profile Description]
> %SCEProfileDescription%
>
> [File Security]
> "%SystemDrive%\",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICIIO;FA;;;CO)S:PAR(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
> "%ProgramFiles%",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
> "%ProgramFiles(x86)%",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
> "%SystemRoot%\system32",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
> "%SystemRoot%\syswow64",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
> "%SystemDrive%\Temp",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301BF;;;AU)"
> "D:\",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICIIO;FA;;;CO)S:PAR(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
> "D:\Temp",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301BF;;;AU)"
> "D:\Spool",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301BF;;;AU)"
>
> [Strings]
> SCEProfileDescription = "Applies default root permissions to the OS partition and propagates them to child objects that are inheriting from the root.  The propagation time depends on the number of unprotected child objects.  See online help for further information."
> ---------------------------------------------------------------
>
> This is applied via a cmd file that contains...
>
> ---------------------------------------------------------------
> Set Inf=W2K8R2Security.inf
> ECHO Y|secedit /configure /db "%temp%\Security.sdb" /cfg %~dp0%inf% /areas filestore /log "%temp%\ApplySecurity.log"
> ECHO Y|secedit /analyze /db "%temp%\Security.sdb"
> ECHO Y|secedit /export /db "%temp%\Security.sdb" /cfg "%temp%\AuditSecurity.inf" /log "%temp%\AuditSecurity.log"
> ---------------------------------------------------------------
>
> Some of it may be "old school"...but it works.
>
> Hope that helps.
>
> Cheers,
> Jeremy.
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On 
> Behalf Of brad salazar
> Sent: Friday, 28 September 2012 6:04 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Default Perms Help
>
> Yup ... already doing things like hiding drives, software restriction 
> policies, loopback lockdown policies, etc. (No AppSense in
> environment) ...but a savvy user can always work around most of the 
> built-in policies and obfuscation ....  I was just hoping someone out 
> there had an NTFS permission tweak or similar.
>
> Thanks
>
> On 9/27/12, Rankin, James R <kz20fl@xxxxxxxxxxxxxx> wrote:
>> I find if you alter those default perms a few bits of stuff stop working.
>> Better to limit their access to c: and the tools needed to alter them 
>> (security tab, command prompt, etc.).
>>
>> ---Blackberried
>>
>> -----Original Message-----
>> From: brad salazar <duplexed@xxxxxxxxx>
>> Sender: thin-bounce@xxxxxxxxxxxxx
>> Date: Thu, 27 Sep 2012 14:45:21
>> To: thin<thin@xxxxxxxxxxxxx>
>> Reply-To: thin@xxxxxxxxxxxxx
>> Subject: [THIN] Default Perms Help
>>
>> Default Perms on a 2K8R2 server running XA6.5 are allowing normal 
>> users the right to create directories off the root of "C". Does 
>> anyone have a recommended list of NTFS perms to use?
>>
>> Thanks in advance
>> ************************************************
>> For Archives, RSS, to Unsubscribe, Subscribe or set Digest or 
>> Vacation mode use the below link:
>> //www.freelists.org/list/thin
>> ************************************************
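Added example, not code from the thread or from any of its posters: a small SDDL decoder that reads the `[File Security]` entries from Jeremy's template and lists which trustees can create a folder directly under the protected path, which is the exact symptom Brad asked about. `LAX_ROOT` is a constructed contrast DACL that reproduces that symptom; it is not claimed to be the literal Windows default.

```python
import re

# Access-mask bits for SDDL rights codes, read with their file-system meaning.
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40,
    "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
}
# LC is FILE_ADD_SUBDIRECTORY on a folder; any of these bits lets a trustee create a subfolder.
CREATE_FOLDER_BITS = RIGHTS["LC"] | RIGHTS["GW"] | RIGHTS["GA"]

def parse_mask(text):
    """Decode an SDDL rights field: hex (0x1200a9) or two-letter codes (SDGXGWGR)."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    return sum(RIGHTS[text[i:i + 2]] for i in range(0, len(text), 2))

def parse_dacl(sddl):
    """Return (ace_type, flags, mask, trustee) for each ACE in the D: section only."""
    m = re.search(r"D:P?(?:A[RI])*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, flags, rights, _obj, _inh_obj, trustee = body.split(";")
        aces.append((ace_type, flags, parse_mask(rights), trustee))
    return aces

def folder_creators(sddl):
    """Trustees allowed to create a subfolder directly in the folder this DACL protects.
    Inherit-only (IO) ACEs do not apply to the folder itself and are skipped; deny
    ACEs are not modelled, which is enough for the thread's allow-only template."""
    creators = set()
    for ace_type, flags, mask, trustee in parse_dacl(sddl):
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        if ace_type == "A" and "IO" not in flag_set and mask & CREATE_FOLDER_BITS:
            creators.add(trustee)
    return sorted(creators)

# The %SystemDrive%\ and %SystemDrive%\Temp entries from the template in the thread.
TEMPLATE_ROOT = ("D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)"
                 "(A;OICIIO;FA;;;CO)S:PAR(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
TEMPLATE_TEMP = "D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301BF;;;AU)"
# Constructed root DACL that reproduces the symptom in the original question: an
# Authenticated Users ACE carrying LC (create folders) on the folder itself.
LAX_ROOT = ("D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;CO)(A;OICI;FA;;;SY)"
            "(A;OICI;0x1200a9;;;BU)(A;CI;LC;;;AU)(A;OICIIO;SDGXGWGR;;;AU)")

if __name__ == "__main__":
    for name, sddl in [("lax root", LAX_ROOT), ("template root", TEMPLATE_ROOT), ("template Temp", TEMPLATE_TEMP)]:
        print(name, "folder creators:", folder_creators(sddl))
```

Running it shows the template leaving only BA and SY able to create folders in the root (0x1200a9 is Read & Execute, no LC bit) while 0x1301BF deliberately keeps Temp writable for Authenticated Users.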