Security Templates

Guest

1. I'm trying to write a security template for a standalone Win2000 server.
Where I am running into issues is on File System and Registry settings.
If I only want to make changes to a high level folder but only that folder,
do I have to add all lower level folders and files to the template to avoid
inheritance issues?
i.e. If I wanted to change the permissions that the Everyone group had on
%systemroot%, I would have to add every folder and file below that and select
"Do not allow permissions on this file or folder to be replaced"? Is there
any way to say just this object?

2. Likewise, if I wanted to apply auditing to a particular folder, I'd have
to specify all of the default permissions on the folder to add the auditing
or I'd overwrite my permissions?

3. If I want to do Services Settings, how do I determine the default
permissions that should be there? i.e. I want a service to come up as
disabled, but it prompts me for permissions as well.
 
Roger Abell

On item 1 you are pretty much correct, at least from what I have
found "safe" using the Security Templates UI only. On item 2
the same comment applies. However, in both cases, after you
have saved the template, if you make yourself familiar with the
SDDL language in which the template encodes the permissions
in the resulting .inf text file, then you can edit this directly.
For item 1 you would need to adjust so the CI, OI, or IO
flags that govern inheritance are removed and the NP that in
some OS levels prevents inheritance is added. For item 2 you
would remove the entire D section (the dacl) leaving only
the S section (the sacl).
http://msdn.microsoft.com/library/en-us/secauthz/security/security_descriptor_string_format.asp

The engine that analyzes and applies has no issue with SDDL
as allowed by the SDDL definition. What you are experiencing
is a limitation of the Security Templates user interface.

On your item 3, it varies some from one version of OS to another,
but what I do is take the template and analyze with it, and
then look at what it reports as the existing permissions on
the service. In some OS versions and SP levels I have found
that the service permissions actually come up pre-populated
with the current settings as the starting point.
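The advice on items 1 and 2 comes down to hand-editing the SDDL strings in the saved .inf. The following is an added Python example, not code from the thread, that performs those two rewrites mechanically: stripping CI/OI/IO and adding NP so an ACE applies to the named object only, and dropping the D: section so an entry sets auditing without touching permissions. It assumes the standard SDDL ACE layout and the `"path",mode,"sddl"` line format of [File Security] entries; the sample entry is constructed.

```python
import re

# One SDDL ACE is (type;flags;rights;object_guid;inherit_guid;sid).
# Conditional ACEs with nested parentheses do not occur in Windows 2000 templates.
ACE_RE = re.compile(r"\(([^()]*)\)")
# Flags that make an ACE propagate to, or exist only for, child objects.
INHERIT_FLAGS = {"CI", "OI", "IO"}
# Top-level sections start with O:, G:, D: or S:; nothing inside an ACE contains a colon.
SECTION_RE = re.compile(r"(?=[OGDS]:)")
# Assumed layout of a [File Security] / [Registry Keys] line: "path",mode,"sddl".
TEMPLATE_LINE_RE = re.compile(r'^"(?P<path>[^"]*)",(?P<mode>\d),"(?P<sddl>[^"]*)"$')


def _flags_this_object_only(flags):
    """Strip CI/OI/IO from a run of two-letter flags; add NP if any were stripped."""
    codes = [flags[i:i + 2] for i in range(0, len(flags), 2)]
    kept = [c for c in codes if c not in INHERIT_FLAGS]
    if len(kept) != len(codes) and "NP" not in kept:
        kept.append("NP")
    return "".join(kept)


def this_object_only(sddl):
    """Item 1: rewrite every ACE (DACL and SACL) so it applies to the named object only."""
    def fix(match):
        parts = match.group(1).split(";")
        if len(parts) != 6:
            raise ValueError("malformed ACE: " + match.group(0))
        parts[1] = _flags_this_object_only(parts[1])
        return "(" + ";".join(parts) + ")"
    return ACE_RE.sub(fix, sddl)


def sacl_only(sddl):
    """Item 2: keep only the S: section so the entry sets auditing, not permissions."""
    sections = [s for s in SECTION_RE.split(sddl) if s]
    return "".join(s for s in sections if s.startswith("S:"))


def rewrite_template_line(line, audit_only=False):
    """Apply one of the two rewrites to a single template entry."""
    m = TEMPLATE_LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised template line: " + line)
    sddl = sacl_only(m["sddl"]) if audit_only else this_object_only(m["sddl"])
    return '"%s",%s,"%s"' % (m["path"], m["mode"], sddl)


if __name__ == "__main__":
    # Constructed sample entry, not taken from a real template.
    sample = '"%SystemRoot%",2,"D:P(A;OICI;FA;;;BA)(A;OICIIO;GA;;;CO)(A;;FA;;;SY)S:(AU;SAFACI;FA;;;WD)"'
    print(rewrite_template_line(sample))
    print(rewrite_template_line(sample, audit_only=True))
```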
 
