Re: File/Directory Permission Setting in Windows 2k/2003 Security Template

Hi Rick,

The abbreviations are security descriptor definition
language (aka "SDDL") strings. Microsoft has info on
SDDL at:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/security_descriptor_definition_language.asp

If you're trying to figure out what the string
represents, Microsoft's info should be enough.

If you want to write your own SDDL strings from
scratch, you may find this helpful:

1. Create a sample file
2. Set the permissions you want on the file
3. Run Microsoft's subinacl.exe resource kit utility
against it like so:
subinacl /file thefile.txt /display=sddl
4. Copy the SDDL string that subinacl outputs

Some versions of the subinacl utility have an annoying
bug in it, so I recommend you download the updated
version from Microsoft at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&DisplayLang=en

Good luck.

Scott

--- Rick Zhong <sagiko@xxxxxxxxx> wrote:

Hi,
Is there any listing or table to explain all the
abbreviations which
are used in defining file/directory permissions in
windows security
template? I googled quite a bit and cannot find any
useful info except
openning the template in mmc to view it from GUI.

For example:(Taken from win2003 security guide
template - SSLF-Domain
Controller.inf )

[File Security]

"%systemRoot%\system32\tlntsvr.exe",1,"D:PAR(A;OIIO;FA;;;BA)(A;OIIO;FA;;;SY)"

"%systemRoot%\system32\tftp.exe",1,"D:PAR(A;OIIO;FA;;;BA)(A;OIIO;FA;;;SY)"

Any docs, tutorial or links to explain these
permission setting will
be very helpful. Thanks.

regards,
Rick


---------------------------------------------------------------------------

---------------------------------------------------------------------------




__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

---------------------------------------------------------------------------
---------------------------------------------------------------------------

Relevant Pages

  • Re: security enhacement to C runtime library (XXX_s)
    ... In the below link MS announces a security update to the C runtime ... Every buffer overflow error that was made before can still be ... strings in C the way they are used in every other programming ... how can we increase the programmer ...
    (comp.std.c)
  • Viewing Event Logs
    ... How to set event log security locally or by using Group Policy in Windows ... Descriptor Definition Language (SDDL) syntax. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Possible break in
    ... I had ran strings on it too, and tried to find some of the strings on ... >> Security Linux, the comprehensive security solution that combines six ... Protect your network against hackers, viruses, spam and other risks with Astaro ...
    (Incidents)
  • Re: snmp vulnerablities
    ... my post about treating SNMP ... security mechanism) in isolation. ... obfuscated community string in the UDP ... simply the 'safety' of your community strings. ...
    (Pen-Test)
  • Re: web.config location
    ... we encrypt the values in the web.config, as they pertain to connection ... strings and such. ... Just use an encryption class and decrypt when using them. ... > cannot be served and it has file level security against it being viewed by ...
    (microsoft.public.dotnet.framework.aspnet)