RE: Automatically updating File Permission through GP's on a stand alone

From: Brian Arkills (brian@hansolo.stanford.edu)
Date: 07/11/02


From: Brian Arkills <brian@hansolo.stanford.edu>
To: focus-ms@securityfocus.com
Date: Thu, 11 Jul 2002 09:50:08 -0700

More than a dozen people contacted me requesting the useful online references for customizing security templates ... so here they are:

Security Configuration Manager overview (includes critical info about how you can use it on NT4)
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q245216

SDDL (security descriptor definition language) reference:
http://msdn.microsoft.com/library/en-us/security/Security/security_descriptor_definition_language.asp

This SDDL reference is pretty ugly IMO, so I wrote a summary of the important info (adding helpful info I found in "Inside Active Directory" by Kouti & Seitsonen) which you can find in the appendix of this document:
http://windows.stanford.edu/docs/ADSecurityOverview.htm

How to Add Custom Registry Settings to Security Configuration Editor
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q214752

How to add multiple multi_sz values using an .inf file
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q322083

Brian

> -----Original Message-----
> From: Brian Arkills
> Sent: Tuesday, July 09, 2002 11:47 AM
> To: focus-ms@securityfocus.com
> Subject: RE: Automatically updating File Permission through GP's on a stand alone
>
>
> You'd want ACLs to get reset during every GP refresh? Scary;
> your system would be churning endlessly with little benefit.
> BTW, MS discourages this idea ...
>
> I'd recommend instead using the security analysis &
> configuration MMC (secedit from the command line) to set the
> ACLs once with a single template. Then you can audit those
> ACLs on a periodic basis using the same tool. The templates
> are pretty flexible (except they don't support wildcards like
> the old nt4 c2 config did), and you can set *any* registry
> value via them. I recently did some work with MS to get parts
> of the template format better documented ... I can send a
> link to a Q article if anyone is interested.
>
> Brian
>
> > -----Original Message-----
> > From: Michael Devlin [mailto:Michael.Devlin@figleaves.com]
> > Sent: Friday, July 05, 2002 9:53 AM
> > To: focus-ms@securityfocus.com
> > Subject: Automatically updating File Permission through GP's on a stand alone
> >
> >
> > On a stand alone 2000 machine you can import a section of a template
> > into gpedit.msc and the machine will happily apply those settings (eg
> > Password policy, IPSec policy la la la) as regular as you want....
> > HOWEVER..... There is no section for filesystem permissions in
> > Gpedit.msc (the same as there are for the equiv in AD), so.... My
> > question.....
> >
> > Is it possible to modify/add/hack a template file, with FilePermission
> > (and Reg permissions) into the GroupPolicy folder in system32 so that
> > they are applied at regular intervals with no user interaction.
> >
> > Incidentally, I have already set it up using a script, task manager and
> > secedit.... But that is a little messy.
> >
> > Many thanks
> >
> > Michael Devlin
> >
>
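
The approach recommended in the quoted reply (set the ACLs once from a single template with secedit, then audit them periodically with the same tool), as an added example that is not part of the original thread. The working folder, data folder, registry key, file names and ACL strings are hypothetical and assume the system drive is C:.

```powershell
# Added example; every path, key name and ACL below is a hypothetical placeholder.
$work = 'C:\SecDemo'                          # hypothetical working folder
$inf  = Join-Path $work 'acl-baseline.inf'    # security template
$sdb  = Join-Path $work 'acl-baseline.sdb'    # secedit database
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Template entry format: "object",mode,"SDDL"
#   mode 0 = set the ACL and propagate inheritable ACEs to children
#   mode 1 = do not allow the ACL on this object to be replaced
#   mode 2 = set the ACL and replace the ACLs on all children
# SDDL used here: protected DACL (D:P), Administrators (BA) and SYSTEM (SY)
# full control, Users (BU) read/execute on files or read on the registry key.
# Templates do not support wildcards, so each object is listed explicitly.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
"%SystemDrive%\SecDemo\Data",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
[Registry Keys]
"MACHINE\SOFTWARE\SecDemo",2,"D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
'@ | Set-Content -Path $inf -Encoding Unicode

# 1. Apply once. /areas restricts the run to file system and registry ACLs,
#    so password policy, user rights and services are left untouched.
secedit /configure /db $sdb /cfg $inf /overwrite /areas FILESTORE REGKEYS `
        /log (Join-Path $work 'configure.log') /quiet

# 2. Audit on a schedule. Without /cfg, the analysis compares the live ACLs
#    with the baseline already stored in the database; nothing is changed.
secedit /analyze /db $sdb /log (Join-Path $work 'analyze.log') /quiet
```

The analysis results can be read from analyze.log or by opening the .sdb file in the Security Configuration and Analysis MMC snap-in.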


