Trouble with XCACLS.VBS and denying Execute access

From: Gordon Fecyk (gordonf_at_pan-am.ca)
Date: 12/29/04


Date: Tue, 28 Dec 2004 23:19:57 -0600

Several threads ago I asked about changing the default ACL for a user's
profile. This was an attempt to stop executables coming from the net,
including exploits that could work somehow as limited users.

I've run into a brick wall regarding changing the permissions
programmatically on Windows 2000 Professional. I can do it, but the end
result is not the same as it is if done through the Win2K Security GUI.

The objective is to change the ACLs in %userprofile% so they look like this:

%userdomain%\%username%: Full Control (This Folder and Subfolders only)
%userdomain%\%username%: Special [Everything but Traverse Folders / Execute File] (Files Only)
BUILTIN\Administrators: Full Control (This Folder, Subfolders and Files)
NT AUTHORITY\SYSTEM: Full Control (This Folder, Subfolders and Files)

%userdomain% (which can also mean the local computer) and %username%
represent the current user and %userprofile% represents this user's
Documents and Settings folder.

If I change the permissions to look like those above through the GUI, the
system behaves exactly as I want it to. That is, everything works normally
(including shortcuts, the Send To menu and the Quick Launch toolbar) except
opening an executable returns "Access is Denied." Try this for yourself:
Copy notepad.exe to your desktop and attempt to open it to observe the
desired behaviour.

Now I'm attempting to do this programmatically with xcacls.vbs. I've been in
a support ticket with Microsoft Support over this and we can't seem to get
it right. The end result LOOKS correct if I view it all with the GUI, but
shortcuts stop working. Sometimes, I lose visibility of the shortcuts
entirely.

The command lines I'm attempting this in are as follows:

cscript Xcacls.vbs "%userprofile%" /T /E /Q /L /SPEC C /P "%userdomain%\%username%":F
cscript Xcacls.vbs "%userprofile%" /T /E /Q /L /G "%userdomain%\%username%":12345789ABCDE

The first line REPLACES the ACL (/P) for the current user with the Full
Control permissions I want for this folder and subfolders (/SPEC C). The second
line ADDS (/G) the Special permissions I want for files only (note the
absence of /SPEC). Notice that "6" (Traverse / Execute) is missing.

I suspect that when I replace the original ACL that the change isn't
propagating out, because the /T switch generates an "Access is Denied" error
according to the logs if I also do /L. Then when I add the second ACL, that
change also isn't propagating out. I've effectively locked myself out of
all of my files. I can restore access with the GUI.

I've also tried this:

cscript Xcacls.vbs "%userprofile%" /T /E /Q /L /G "%userdomain%\%username%":12345789ABCDE;123456789ABCDE

According to the documentation for xcacls.vbs, the first set of switches
(everything but Traverse / Execute) is for "Files Only" and the second set
(absolutely everything) is for "This Folder and Subfolders". In practice,
the second set of switches is only valid for "This Folder Only" which locks
out all of the subfolders. The change does not propagate even though I set
/T.

So I need to figure out what the GUI is doing that xcacls.vbs isn't, and
make it do that.

I also tried adding a Deny (/D %username%:6) instead of doing two Allows.
If I do that I end up disabling all shortcuts again. Adding a Deny
Traverse/Execute for Files Only through the GUI does the same thing.

-- 
PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc>
What's a PGP Key?  See <http://www.pan-am.ca/free.html>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>
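The four ACL entries the post wants (two scoped entries for the user, plus Administrators and SYSTEM) expressed with the explicit NTFS inheritance and propagation flags the GUI stores, as an added PowerShell example that is not part of the original post or of xcacls.vbs. It assumes a current Windows with PowerShell and writes to a constructed test folder under %TEMP%, not %userprofile%; Show-AceFlags dumps the flag fields so the result can be compared entry by entry with a folder set through the GUI.

```powershell
# Added example: reproduce the GUI's four entries with explicit flags.
# $Target is a constructed test folder (assumption), NOT the real profile.
param(
    [string]$Target = (Join-Path $env:TEMP 'acltest'),
    [string]$User   = "$env:USERDOMAIN\$env:USERNAME"
)

# FullControl with the single "Traverse Folder / Execute File" bit cleared
$everythingButExecute = [System.Security.AccessControl.FileSystemRights](
    [int][System.Security.AccessControl.FileSystemRights]::FullControl -bxor
    [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile)

function New-Ace {
    param([string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit,
          [System.Security.AccessControl.PropagationFlags]$Propagate)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Set-NoExecProfileAcl {
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # Step 1: stop inheriting from the parent and discard the inherited ACEs
    $acl = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $false)
    Set-Acl -Path $Path -AclObject $acl
    # Step 2: re-read, clear any explicit leftovers, then add the four entries
    $acl = Get-Acl $Path
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    # "This Folder and Subfolders only": ContainerInherit, also applies to the folder itself
    $acl.AddAccessRule((New-Ace $Identity 'FullControl' 'ContainerInherit' 'None'))
    # "Files Only": ObjectInherit + InheritOnly, so the ACE never applies to a folder
    $acl.AddAccessRule((New-Ace $Identity $everythingButExecute 'ObjectInherit' 'InheritOnly'))
    # "This Folder, Subfolders and Files" for the two administrative principals
    foreach ($admin in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Ace $admin 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Show-AceFlags {
    param([string]$Path)
    # The two flag columns are what decide the Folder / Subfolders / Files scope
    (Get-Acl $Path).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
        Format-Table -AutoSize
}

Set-NoExecProfileAcl -Path $Target -Identity $User
Show-AceFlags -Path $Target
```

Running Show-AceFlags against a folder configured through the GUI and against one configured by xcacls.vbs makes any difference in InheritanceFlags or PropagationFlags visible directly, which the GUI's summary view hides.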

