security policies

Randy · Nov 4, 2003

I want to implement some of the security policies out
there, and I also want to make some custom modifications.
I would also like to be able to understand what some of
the functions are for and what they do so I'm not blindly
implementing (or testing) them.

I've figure about everything except lines like:
%ProgramFiles%,2,"D

AR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)
(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"

how do I decipher the stuff in quotes?

:Randy

Nick Finco [MSFT] · Nov 4, 2003

It's a security descriptor represented in SDDL.

http://msdn.microsoft.com/library/d...ecurity/security_descriptor_string_format.asp

N

Guest · Nov 4, 2003

Thanks

-----Original Message-----
It's a security descriptor represented in SDDL.

http://msdn.microsoft.com/library/default.asp? url=/library/en-
us/security/security/security_descriptor_string_format.asp

N

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer. Use of included script samples are subject
to the terms specified at http://www.microsoft.com/info/cpyright.htm

.

Randy · Nov 5, 2003

Nick,

Thanks again for the response, I have another question.
Is there a cross-reference to reference the policies to
the registry entries?

There are a few policies I'd like to convert to registry
entries. Is there a way I can do this outside of doing
before/after shots of the registry and then comparing
them when making a policy changes?

Q2:
I also want to document my script when I have it working
the way I want. so a reverse cross-reference would be
handy too... e.g. I'd
document "ClearPageFileAtShutdown=4,1" to day
changes "security settings\local policies\security
options\Shutdown: Clear Virtual memory pagefile" to
enable.

Any idea where I can get some of the less obvious ones?

:Randy

Curtis Clay III [MSFT] · Nov 5, 2003

Hello Randy,
The Windows 2000 Resource Kit has all of the registry entries detailed for
each policy that it corresponds to.

http://www.microsoft.com/windows2000/techinfo/reskit/rktour/server/reference
..asp#GP

This posting is provided "AS IS" with no warranties, and confers no rights.

Guest · Nov 22, 2003

Nick (Or anyone else),

The web link you posted was a great help. However I
still do not see anything that helps me figure out the
access parts that have hex numbers in them... stuff
like: "(A;OICI;0x1200a9;;;BU)"

Does anyone have any suggestions or assistance?

:Randy

Nick Finco [MSFT] · Nov 24, 2003

The hex numbers are a tricky point. Essentially those map to the different
permissions like FR, KW, etc. If you look at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/access_mask.asp,
it shows some of the bits in that hex number. For 0-15 they are specific to
the type of object that you are configuring though. I don't know of a handy
reference for these bits. You might be able to find the info on google
though.

N

security GPO inf permissions	2	Mar 4, 2004
Using Group names in the security templates (inf files)	1	Nov 24, 2003
Internal security problem with RPCSS	1	Jul 18, 2005
Errors in File Security settings in Windows XP Security guide security template?	1	Jan 24, 2006
Window 2003 Logon Problem after upgrading Window 2000	0	Oct 3, 2003
Set permissions on ENUM key with Group Policy? - issues	1	Sep 21, 2005
Local Security Policies	2	Jun 17, 2005
User-level security policies without domain?	8	Sep 26, 2004

security policies

Randy

Nick Finco [MSFT]

Guest

Randy

Curtis Clay III [MSFT]

Guest

Nick Finco [MSFT]

Ask a Question

Similar Threads