Re: Confusion over IO (Inherit Only) ACE on Vista



Hi Jialiang Ge,

My question is "which method is best"?

I think it depends on your specific use of DACL. Having two ACEs allows us to separate the security of the current dir from the inheritance. If your business environment does not require the separation, we can use one ACE entry. The default DACL setting configured by Format.exe is to solve the problem of "Denise Smith and Brian in Windows XP".

OK, I notice it's similar on Windows 7 too. My view is that XP was broken, Vista and Windows 7 are fixed for home users, but Windows Servers have a more simplified (and arguably better) default layout.

I understand your concerns. Another way to output the results in standard Security Descriptor Definition Language (SDDL) is to use cacls with the /s switch. However, cacls is a legacy command-line routine for investigating and setting ACLs and is being replaced by icacls (though not very thoroughly). I will convey your concerns to the owner of the tool, and hopefully, it can be improved soon.

OK, thanks. As you say, cacls is legacy, so I'd like to see the switch added to icacls.exe.

0x1301bf is a combination of Read, Write, Append, ReadEA, WriteEA, Execute, ReadAttr, WriteAttr, Del, RCtl, and Sync.

Read: 0x0001 (FILE_READ_DATA)
Write: 0x0002 (FILE_WRITE_DATA)
Append: 0x0004 (FILE_APPEND_DATA)
ReadEA: 0x0008 (FILE_READ_EA)
WriteEA: 0x0010 (FILE_WRITE_EA)
Execute: 0x0020 (FILE_EXECUTE)
ReadAttr: 0x0080 (FILE_READ_ATTRIBUTES)
WriteAttr: 0x0100 (FILE_WRITE_ATTRIBUTES)
Del: 0x00010000L (DELETE)
RCtl: 0x00020000L (READ_CONTROL)
Sync: 0x00100000L (SYNCHRONIZE)

Perfect! Thanks.

I do not find a built-in COM component exposing these consts. I think you would need to include <winnt.h>.

OK, that's my finding also.

--
Gerry Hickman (London UK)
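As an added example (not code from either poster), the following decodes an NTFS access mask into the winnt.h right names listed above and checks the 0x1301bf value against the FILE_GENERIC_* composites; the constant values are the documented winnt.h ones, the helper names are my own.

```python
# Specific file/standard rights as defined in winnt.h (values as listed in the thread,
# plus the remaining bits needed to account for every bit of a typical mask).
FILE_RIGHTS = {
    0x00000001: "FILE_READ_DATA",
    0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# Composite rights from winnt.h; MODIFY is what cacls/icacls show as "M".
FILE_GENERIC_READ = 0x00120089
FILE_GENERIC_WRITE = 0x00120116
FILE_GENERIC_EXECUTE = 0x001200A0
MODIFY = FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE | 0x00010000

# Rights that let the grantee alter the DACL/owner or delete children; worth
# flagging when auditing an ACE (hypothetical helper, my name for it).
ACL_CHANGING = {"WRITE_DAC", "WRITE_OWNER", "FILE_DELETE_CHILD"}


def decode_mask(mask):
    """Return (list of right names set in mask, leftover bits not in the table)."""
    names = [name for bit, name in FILE_RIGHTS.items() if mask & bit]
    known = 0
    for bit in FILE_RIGHTS:
        known |= bit
    return names, mask & ~known


def acl_changing_rights(mask):
    """Subset of rights in mask that allow changing the ACL itself or deleting children."""
    names, _ = decode_mask(mask)
    return sorted(ACL_CHANGING.intersection(names))


if __name__ == "__main__":
    names, leftover = decode_mask(0x1301BF)
    print("0x1301bf ->", ", ".join(names), "leftover=0x%x" % leftover)
    print("equals Modify composite:", MODIFY == 0x1301BF)
```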