Re: More before-the-fact advice for 2K and XP?
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 12/27/04
- Next message: af b's: "tell me how i will sign in to my account"
- Previous message: Shenan Stanley: "Re: Noob's first post..need a wee bit o'help"
- In reply to: Gordon Fecyk: "Re: More before-the-fact advice for 2K and XP?"
- Next in thread: Roger Abell: "Re: More before-the-fact advice for 2K and XP?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 27 Dec 2004 00:10:28 -0700
It would be a great deal simpler if the template
for new profile ACLing were accessible.
The behavior you noted for shortcuts is curious:
able to use them without a grant of execute, but not
if also with a deny of (file only) execute. Strange, that.
Good luck.
-- Roger

"Gordon Fecyk" <gordonf@pan-am.ca> wrote in message news:%23SInETg6EHA.2876@TK2MSFTNGP12.phx.gbl...
> > It looks to me like you need both a startup script, to remove the
> > permission to change permission of the specific account, and a
> > login script to handle new profiles. I would as a first step in
> > modifying a profile write a null .txt file and set its permissions
> > so it will stay put, and then check profiles for this file and avoid
> > processing if present (else attempting to modify an already
> > modified is guaranteed to fail).
> >
> > All very messy.
>
> First off, the security templates I referred to don't seem to let me specify
> %userprofile% at all. As you pointed out, needing to change newly created
> profiles makes that difficult.
>
> Which is why I wanted to know where in the OS it defaults to "Full Control"
> for user profiles in the first place.
>
> Group Policy for XP lets you specify allow/deny for executables by path, as
> well as by hash, digital signature, etc, so this could work for XP:
>
> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/srp_path.mspx
>
> I haven't yet tried this to see if it takes environment variables like
> %userprofile% into account. This seems like the best solution but it
> requires XP.
>
> Now I've just been in a support ticket with a MS tech on this. He told me
> about xcacls.vbs, which I now have a copy of. We first tried /E 6 (deny
> execute, files only) which denies executables alright, but as you pointed
> out, also breaks shortcuts (send to and Quick Launch also break).
>
> By comparison, if I create two ACLs with the GUI - one for "this folder and
> subfolders" with Full Control, and one for "Files Only" with all but Execute
> granted, shortcuts work again but executables do not, which is exactly the
> behaviour I'm looking for. I just need to figure out how to translate these
> ACLs into command lines that work in xcacls.vbs.
>
> I only have to have one line (or maybe two lines) in a login script, one for
> each ACL, and I'm assured that %userprofile% exists before the login script
> launches. I could repeat this step with %homedrive%\%homepath% (or whatever)
> in a domain if the logon server is Win2K or better. On a P-3 with a
> reasonably fast hard drive, it only takes 1.5 seconds (according to
> xcacls.vbs) to execute.
>
> Sure a smart user could go and change the ACL for a single file they
> downloaded. If they want to deliberately go and damage their profile, well,
> that's one extra hurdle a user has to jump. If seeing "Access Denied" once
> makes the user think, well, making the user think is half the battle.
>
> I'll come back to this after I've had a chance to play more with the
> xcacls.vbs.
>
> --
> PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc>
> Sometimes it's hard to tell where the game ends and where reality bites,
> er, begins. <http://vmyths.com/resource.cfm?id=50&page=1>
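The two-ACE scheme Gordon found in the GUI (Full Control on "this folder and subfolders", all-but-Execute on "files only") combined with Roger's marker-file guard against reprocessing, written out as an added login-script example. This is not code from the thread or from either poster; it uses PowerShell's .NET FileSystemAccessRule classes rather than xcacls.vbs, and the marker filename, the parameter names and the account string are assumptions for illustration.

```powershell
# Added example (not from the thread): apply Gordon's two-ACE profile ACL
# from a login script, skipping profiles already processed via Roger's
# marker-file idea. Assumes it runs as the user who owns $ProfilePath.
param(
    [string]$ProfilePath = $env:USERPROFILE,                 # assumption: login-script context
    [string]$Account     = "$env:USERDOMAIN\$env:USERNAME",  # assumption: the profile's owner
    [string]$Marker      = '.profile-acl-applied'            # hypothetical marker filename
)

$MarkerFile = Join-Path $ProfilePath $Marker
if (Test-Path $MarkerFile) {
    # Roger's point: re-applying to an already modified profile is a wasted,
    # failure-prone step, so bail out early.
    Write-Output "Profile already processed, skipping: $ProfilePath"
    return
}

$acl = Get-Acl -Path $ProfilePath

# Remove the account's existing explicit (non-inherited) ACEs, typically the
# default Full Control entry, so it does not linger beside the new pair.
$acl.Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Account } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# ACE 1: "This folder and subfolders" -> Full Control.
# ContainerInherit only: folders keep Traverse (same bit as Execute), which is
# what lets Explorer resolve shortcuts and reach Send To / Quick Launch.
$folderRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# ACE 2: "Files only" -> everything except Execute File (0x20).
# ObjectInherit + InheritOnly: applies to files underneath, never to the
# folder itself. FullControl contains the ExecuteFile bit, so XOR removes it.
$fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$executeFile = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
$fileRights  = [System.Security.AccessControl.FileSystemRights]($fullControl -bxor $executeFile)
$fileRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account,
    $fileRights,
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl.AddAccessRule($folderRule)
$acl.AddAccessRule($fileRule)
# Setting inheritable ACEs on the root propagates them to existing children.
Set-Acl -Path $ProfilePath -AclObject $acl

# Marker file: create it, stop inheritance, and leave the user read-only on it.
New-Item -Path $MarkerFile -ItemType File -Force | Out-Null
$markerAcl = Get-Acl -Path $MarkerFile
$markerAcl.SetAccessRuleProtection($true, $false)   # protect DACL, drop inherited ACEs
$markerAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'Read', 'Allow')))
$markerAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', 'Allow')))
Set-Acl -Path $MarkerFile -AclObject $markerAcl

# Show what the account ended up with on the profile root, for a quick check.
(Get-Acl -Path $ProfilePath).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Two caveats that match the thread's own assessment. First, the user owns the profile, and an NTFS owner can always rewrite a DACL regardless of the ACEs, so this is the "one extra hurdle" Gordon describes, not a boundary; Roger's startup script to strip change-permission, or XP's Software Restriction Policies, are the sturdier controls. Second, the Full Control ACE on folders includes "Delete subfolders and files", so the locked marker only prevents accidental re-runs; it cannot stop the user from removing it.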