Re: Trouble with XCACLS.VBS and denying Execute access

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 12/29/04


Date: Wed, 29 Dec 2004 01:59:50 -0700

Hi Gordon,

I can repro much of what you report, just have not looked at
the log to see the part about non-recurse, but that seems in line
with what I mentioned in earlier thread about how it seemed
/t was being handled by inheritance rather than actual recurse.

Strange how use of the shortcut in the xcacls.vbs set folder
just silently fails to open the target.
Also, I notice that I am not allowed to delete the shortcut in
the dir where xcacls.vbs has perms set per your xcacls spec even
though ACL editor clearly shows this is granted and not denied.
Further, I seem to have ruled out this being an interference due
to the profiles being special folders, as this can repro in any
old directory.

I do not have my ACL low-level dump tools installed here,
but tomorrow will repro on a box with them and look at the
SD in detail, as there must be differences within.

-- 
Roger
PS.
Note that the two grants to %userdomain%\%username% of
  Full Control (This Folder and Subfolders only)
  Special [Everything but Traverse Folders / Execute File]  (Files Only)
are functionally equivalent to the following two grants
  Full Control (This Folder and Subfolders only)
  Special [Everything but Traverse Folders / Execute File]  (This folder, subfolders and files)
"Gordon Fecyk" <gordonf@pan-am.ca> wrote in message
news:eom7EYW7EHA.2192@TK2MSFTNGP14.phx.gbl...
> Several threads ago I asked about changing the default ACL for a user's
> profile.  This was an attempt to stop executables coming from the net,
> including exploits that could work somehow as limited users.
>
> I've run into a brick wall regarding changing the permissions
> programmatically on Windows 2000 Professional.  I can do it, but the end
> result is not the same as it is if done through the Win2K Security GUI.
>
> The objective is to change the ACLs in %userprofile% so they look like this:
>
> %userdomain%\%username%: Full Control (This Folder and Subfolders only)
> %userdomain%\%username%: Special [Everything but Traverse Folders / Execute File]
>                          (Files Only)
> BUILTIN\Administrators:  Full Control (This Folder, Subfolders and Files)
> NT AUTHORITY\SYSTEM:     Full Control (This Folder, Subfolders and Files)
>
> %userdomain% (which can also mean the local computer) and %username%
> represent the current user and %userprofile% represents this user's
> Documents and Settings folder.
>
> If I change the permissions to look like those above through the GUI, the
> system behaves exactly as I want it to.  That is, everything works normally
> (including shortcuts, the Send To menu and the Quick Launch toolbar) except
> opening an executable returns "Access is Denied."  Try this for yourself:
> Copy notepad.exe to your desktop and attempt to open it to observe the
> desired behaviour.
>
> Now I'm attempting to do this programmatically with xcacls.vbs.  I've been in
> a support ticket with Microsoft Support over this and we can't seem to get
> it right.  The end result LOOKS correct if I view it all with the GUI, but
> shortcuts stop working.  Sometimes, I lose visibility of the shortcuts
> entirely.
>
> The command lines I'm attempting this in are as follows:
>
> cscript Xcacls.vbs "%userprofile%" /T /E /Q /L /SPEC C /P
> "%userdomain%\%username%":F
> cscript Xcacls.vbs "%userprofile%" /T /E /Q /L /G
> "%userdomain%\%username%":12345789ABCDE
>
> The first line REPLACES the ACL (/P) for the current user with the Full
> Control permissions I want for this folder and subfolders (/SPEC C).  The second
> line ADDS (/G) the Special permissions I want for files only (note the
> absence of /SPEC).  Notice that "6" (Traverse / Execute) is missing.
>
> I suspect that when I replace the original ACL that the change isn't
> propagating out, because the /T switch generates an "Access is Denied" error
> according to the logs if I also do /L.  Then when I add the second ACL, that
> change also isn't propagating out.  I've effectively locked myself out of
> all of my files.  I can restore access with the GUI.
>
> I've also tried this:
>
> cscript Xcacls.vbs "%userprofile%" /T /E /Q /L /G
> "%userdomain%\%username%":12345789ABCDE;123456789ABCDE
>
> According to the documentation for xcacls.vbs, the first set of switches
> (everything but Traverse / Execute) is for "Files Only" and the second set
> (absolutely everything) is for "This Folder and Subfolders".  In practice,
> the second set of switches is only valid for "This Folder Only" which locks
> out all of the subfolders.  The change does not propagate even though I set
> /T.
>
> So I need to figure out what the GUI is doing that xcacls.vbs isn't, and
> make it do that.
>
> I also tried adding a Deny (/D %username%:6) instead of doing two Allows.
> If I do that I end up disabling all shortcuts again.  Adding a Deny
> Traverse/Execute for Files Only through the GUI does the same thing.
>
> -- 
> PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc>
> What's a PGP Key?  See <http://www.pan-am.ca/free.html>
> GOD BLESS AMER, er, THE INTERNET.  <http://vmyths.com/rant.cfm?id=401&page=4>
>
>
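As an added example (not code from either poster in this thread): the same four-entry DACL that the quoted post describes, expressed with the .NET FileSystemAccessRule class from PowerShell, which did not exist on Windows 2000 but is the usual way to write this on later Windows. The GUI's "apply to" choices map onto InheritanceFlags and PropagationFlags as noted in the comments; the target path is a hypothetical scratch folder, not a real profile.

```powershell
using namespace System.Security.AccessControl

# Added example: build the four ACEs from the post without xcacls.vbs.
# Assumes PowerShell 5 or later. $Target is a hypothetical scratch folder.
$Target = 'C:\Temp\AclTest'
$User   = "$env:USERDOMAIN\$env:USERNAME"

# "Everything but Traverse Folders / Execute File": Full Control with the
# ExecuteFile bit cleared (Traverse and ExecuteFile are the same bit, 0x20).
$AllButExecute = [FileSystemRights]([FileSystemRights]::FullControl -bxor [FileSystemRights]::ExecuteFile)

# GUI "apply to" column            -> InheritanceFlags / PropagationFlags
#   This Folder and Subfolders only -> ContainerInherit / None
#   Files Only                      -> ObjectInherit / InheritOnly
#   This Folder, Subfolders, Files  -> ContainerInherit + ObjectInherit / None
$Both  = [InheritanceFlags]::ContainerInherit -bor [InheritanceFlags]::ObjectInherit
$Rules = @(
    [FileSystemAccessRule]::new($User, [FileSystemRights]::FullControl,
        [InheritanceFlags]::ContainerInherit, [PropagationFlags]::None, [AccessControlType]::Allow),
    [FileSystemAccessRule]::new($User, $AllButExecute,
        [InheritanceFlags]::ObjectInherit, [PropagationFlags]::InheritOnly, [AccessControlType]::Allow),
    [FileSystemAccessRule]::new('BUILTIN\Administrators', [FileSystemRights]::FullControl,
        $Both, [PropagationFlags]::None, [AccessControlType]::Allow),
    [FileSystemAccessRule]::new('NT AUTHORITY\SYSTEM', [FileSystemRights]::FullControl,
        $Both, [PropagationFlags]::None, [AccessControlType]::Allow)
)

$Acl = Get-Acl -Path $Target
# Stop inheriting from the parent and discard the inherited ACEs, then drop
# the remaining explicit ACEs, so the four rules above become the whole DACL
# (the effect the /P replace in the post was after).
$Acl.SetAccessRuleProtection($true, $false)
foreach ($Existing in @($Acl.Access)) { [void]$Acl.RemoveAccessRule($Existing) }
foreach ($Rule in $Rules) { $Acl.AddAccessRule($Rule) }
Set-Acl -Path $Target -AclObject $Acl

# Show the result in the same terms the GUI's Advanced view uses.
(Get-Acl -Path $Target).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags,
        PropagationFlags, AccessControlType -AutoSize
```

Try it on a scratch folder first and compare the table with the GUI's Advanced view; the inheritance and propagation columns are where an xcacls.vbs result and a GUI result can differ while looking the same in the simple view.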

