Q: correct acls for windows\system32?

[Malcolm Dew-Jones]

Hello.

This is on XP home edition. (Suggestions for a better group to post in
would be welcome.)

I was cleaning up a system that had the W32.Chod.D worm. Using cacls.exe
I notice that files in \windows\system32 all seem to have the wrong
permissions. For example

cd C:\WINDOWS\SYSTEM32
cacls wuauclt.exe

outputs =>

C:\WINDOWS\SYSTEM32\wuauclt.exe NT AUTHORITY\SYSTEM:F
Everyone:F

I assume that the "Everyone:F" must be wrong, presumably these files must
be read-only for most people, but I don't work with NT enough to know for
sure what is correct or not.

QUESTION: is there a list of the normal correct permissions for the
windows system files that I can get from somewhere?

QUESTION: also, is there a GUI tool on XP that I could use to reset the
acls, instead of using cacls?

I downloaded a thing called "Microsoft Baseline Security Analyzer 2.0"
but it didn't complain about any file permissions, so I assume that it
must not check them (?).

Feedback welcomed, thanks.

 

[Steven L Umbach]

If you boot into Safe Mode and logon as the built in administrator account
then you can use Explorer to manage NTFS permissions and security tab should
show on the folder properties. The default permissions for the Windows
folder are system/administrator full control, power users
read/list/execute/write/modify, and users read/list/execute. Users and/or
everyone do not have more than read/list/execute to any folders other than
their profile folder under documents and settings and possibly the shared
folder in the all users profile folder. There are many files in the Windows
and Windows 32 folder that have explicit permissions that will not inherit
the folder permissions but users/everyone should not have more than
read/list/execute. There is a free tool from SystemTools.com called dumpsec
that you may find useful in dumping folder permissions to a text file for
review. I think MBSA only checks share permissions. If you do a
repair/upgrade install that should also reset permissions to default levels
though you need to first install the service pack [if not on your install
disk] and then install all security updates at Windows Updates when done
which could be a big deal to a dialup user. --- Steve

 

[Malcolm Dew-Jones]

Steven L Umbach ([email protected]) wrote:
: If you boot into Safe Mode and logon as the built in administrator account
: then you can use Explorer to manage NTFS permissions and security tab should
: show on the folder properties. The default permissions for the Windows
: folder are system/administrator full control, power users
: read/list/execute/write/modify, and users read/list/execute. Users and/or
: everyone do not have more than read/list/execute to any folders other than
: their profile folder under documents and settings and possibly the shared
: folder in the all users profile folder. There are many files in the Windows
: and Windows 32 folder that have explicit permissions that will not inherit
: the folder permissions but users/everyone should not have more than
: read/list/execute. There is a free tool from SystemTools.com called dumpsec
: that you may find useful in dumping folder permissions to a text file for
: review. I think MBSA only checks share permissions. If you do a
: repair/upgrade install that should also reset permissions to default levels
: though you need to first install the service pack [if not on your install
: disk] and then install all security updates at Windows Updates when done
: which could be a big deal to a dialup user. --- Steve

Yes, explorer - right click - properties - security. I'm not sure why I
couldn't find that earlier, but I've got it now, thanks.

Anyway, there are options to force a folder to inherit from above and to
push its settings down to the children, so it turned out to be easy enough
to reset the entire system32 folder tree without too much trouble while
still getting to point and click at a menu. No easy way for me to know if
certain files need to be different but so far the computer appears to work
just fine.

I did use cacls to strip of a user with F permission on numeruos files in
the entire tree. I don't know if the W32.Chod.D did something to cause
that, it isn't mentioned anywhere I looked, so perhaps that's from some
other problem earlier on, but I can't imagine that user was supposed to
have full access to lots of .DLL's in \windows.

cd \windows
cacls * /T /E /C /T D75XZD43\Tom

Anyway, thanks for responding, it certainly got me started.



: : > Hello.
: >
: > This is on XP home edition. (Suggestions for a better group to post in
: > would be welcome.)
: >
: > I was cleaning up a system that had the W32.Chod.D worm. Using cacls.exe
: > I notice that files in \windows\system32 all seem to have the wrong
: > permissions. For example
: >
: > cd C:\WINDOWS\SYSTEM32
: > cacls wuauclt.exe
: >
: > outputs =>
: >
: > C:\WINDOWS\SYSTEM32\wuauclt.exe NT AUTHORITY\SYSTEM:F
: > Everyone:F
: >
: > I assume that the "Everyone:F" must be wrong, presumably these files must
: > be read-only for most people, but I don't work with NT enough to know for
: > sure what is correct or not.
: >
: > QUESTION: is there a list of the normal correct permissions for the
: > windows system files that I can get from somewhere?
: >
: > QUESTION: also, is there a GUI tool on XP that I could use to reset the
: > acls, instead of using cacls?
: >
: > I downloaded a thing called "Microsoft Baseline Security Analyzer 2.0"
: > but it didn't complain about any file permissions, so I assume that it
: > must not check them (?).
: >
: > Feedback welcomed, thanks.
: >
: > --
: >
: > This programmer available for rent.