Re: Deny _WRITE_ access to a file
From: Al Dunbar [MS-MVP] (alan-no-drub-spam_at_hotmail.com)
Date: 03/02/05
- Next message: Torgeir Bakken \(MVP\): "Re: random file name"
- Previous message: Roger Abell [MVP]: "Re: random file name"
- In reply to: Javier J: "Re: Deny _WRITE_ access to a file"
- Next in thread: Javier J: "Re: Deny _WRITE_ access to a file"
- Reply: Javier J: "Re: Deny _WRITE_ access to a file"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 2 Mar 2005 11:39:41 -0700
"Javier J" <no.mail@please.no> wrote in message
news:vpf921h1j3tgiliegad4u4kj7e7urhl72l@4ax.com...
> Hi!!
>
> Thanks a lot for the response.
You are welcome...
> First of all, regarding LOGON SCRIPT, the mistake is mine: What I was
> trying to talk about was a STARTUP script (if I'm not mistaken, that
> script runs as BUILTIN\SYSTEM).
>
> I think I'd rather explain a bit more about the environment so that
> it's clear why I'm asking for such strange things:
>
> The situation is as follows: The PCs in question (Win 2000 PRO, SP4+,
> W2000 Mixed Domain) "belong" to a group of users who, as part of their
> normal duties, have to handle sensitive information using an internal
> company app. To avoid undue information leakage, these users have
> *TWO* logon users for the domain, a highly restricted one that is used
> to run the corporate app/access sensitive information, and a "Normal"
> user for the rest of everyday tasks.
Interesting. In our environment, any exceptionally privileged accounts are
restricted in what they can do only by policies written on paper rather than
being enforced by GPO. Admin accounts are not allowed to use the browser,
but they are not actually prevented from doing so. We do not have any
applications that need to be run in a context where the rest of the
infrastructure is made inaccessible, so access to such apps is granted to
normal user accounts.
> The "normal" user can run all software EXCEPT the restricted app, and
> can work normally.
>
> The setup for the restricted user (using GPO, crypto software et al)
> is such that the restricted user only can run the "sensitive" app,
> they can't browse or "see" in Explorer the local folders, their
> profile is redirected to an encrypted network etc etc...
... still having some trouble envisioning how this type of operation can be
configured without creating complications for administration. I mean, who
here can list all of the files on a Windows system to which ANY user MUST
have READ access? WRITE access?
> Also, using a STARTUP batch script,
Fine. But what if the system is not restarted between user sessions?
> the members of the restricted
> group have been DENIED access to different .exes that restricted users
> should not run (ftp.exe, telnet.exe and other) and folders they don't
> need access to. (Windows already protects system folders against
> accidental change). The problem is, there are a couple of folders on
> C:\ (such as c:\local_settings) that the user logon needs to be able
> to read, because it sets machine-specific config. (such as the
> building's mail server, the NT server, and suchlike)
>
> The problem is that the folder is set to be writeable by "Everyone".
> I'd like to be able to "change" it so "no write" for the users of this
> particular group. I can DENY access, but these users are part of
> "Everyone", so even if "RestrictedG" has only READ access, as they are
> members of "Everyone", they get to write there...
The explicit DENY will generally override the ALLOW.
> Why am I exploring the "deny" route, instead of limiting the rights of
> "Everyone"... because there are some cases where the normal users have
> to be able to write, so "Everyone:W" is a valid permission.... as long
> as I could do something like "RestrictedG":DENY WRITE....
>
> I know that permission is "settable" (is that a word?) as it can be
> set using the ("simple") NTFS Perms. tab... but to script it is what is
> driving me crazy!!
I sympathize! But I fear that the approach may not be as bulletproof as you
appear to need it to be.
Apparently members of the restricted group can log on and establish their
redirected session having only READ access to the "c:\local_settings\"
folder. If it is possible to script a permissions change such that the
folder remains read/write for everyone except for the restricted group who
have read-only access, then surely it should be possible to apply that
permission setting ONCE using the GUI, and just leave it at the setting you
need.
I tried this and it seemed to work, however, I had to put a checkmark beside
WRITE in the DENY column. When I tried to DENY the MODIFY access, I found I
could not do so without also denying READ, READ&EXECUTE, and LIST FOLDER
CONTENTS. That would appear to be a limitation or constraint applied by the
GUI itself.
I would recommend that you try the following from the GUI: Everyone:W and
RestrictedG:DENY WRITE, and then test the results to see if it achieves your
purpose without causing problems for the restricted users.
If that fails in any way, then I would suggest drilling down to the advanced
tab and denying everything associated with being able to modify or write.
If that fails in any way, then I would suggest playing with cacls or
cacls.vbs to see if the extra granularity allows you to do what you want.
If THAT fails, then, IMHO, you will be unable to accomplish this in a
startup script. If it succeeds, then you will not need to do it in a startup
script if you can configure the permissions of that folder as a default in
your image, or as part of the restricted application installation process.
/Al
> Thanks a lot. Any help _WILL_ be more than welcome!!
>
> Javier J
>
> On Mon, 28 Feb 2005 22:12:30 -0700, "Roger Abell" <mvpNOSpam@asu.edu>
> wrote:
>
> >Al is quite right in picking up on your mention of use in a
> >login script - which skipped my attention.
> >To do as you had planned you would need to do this in
> >a startup/shutdown script, not login/logoff script.
> >
> >However, you really, really would IMO be better off by
> >restructuring so that all files with this requirement are in
> >a folder with appropriate grants, not mixed in with other
> >files in a folder where the default NTFS permissions will
> >need to be changed.
>
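One way to script the Everyone:W plus RestrictedG:DENY WRITE setting discussed above, as an added example that is not code from this thread or from any of its posters. It uses PowerShell's Get-Acl/Set-Acl, which the Windows 2000 machines in the question did not have (cacls was the tool then), and assumes the folder C:\local_settings from the post and the placeholder group name DOMAIN\RestrictedG.

```powershell
# Added example (not from the thread): keep a folder writable for Everyone
# while one group gets an explicit Deny on Write only.
# Assumptions: C:\local_settings is the folder from the post and
# DOMAIN\RestrictedG is a placeholder group name; run in an elevated session.
param(
    [string]$Folder = 'C:\local_settings',
    [string]$Group  = 'DOMAIN\RestrictedG'
)

if (-not (Test-Path -Path $Folder)) {
    throw "Folder not found: $Folder"
}

$acl = Get-Acl -Path $Folder

# Deny the composite Write right only. Denying Modify would also deny the
# Read / Read&Execute / List rights bundled with it, which is what the GUI
# forces when the Modify box is ticked in the Deny column.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::Write,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny
)
$acl.AddAccessRule($deny)

# The existing Everyone Allow entry is left in place; an explicit Deny ACE is
# evaluated ahead of Allow, so group members lose Write even though they are
# also members of Everyone.
Set-Acl -Path $Folder -AclObject $acl

# Read the DACL back and show only this group's entries to confirm the Deny landed.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

Because this sets a persistent ACL on the folder, it only needs to run once (for example during imaging or at application install), not in every startup script.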