Re: Inheritable/Can Propagate ?

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 01/28/05


Date: Fri, 28 Jan 2005 08:13:39 -0700

I am not quite sure this will answer you.
In the NTFS DACL editor one sets the inheritance properties
of an ACE by use of the advanced edit view, where one then
gains access to the dropbox having selections for what the
highlighted ACE applies to, such as
This folder, subfolders, and files (i.e. this gets inherited)
This folder only (i.e. this is not inherited)
etc.
Some aspects of the selections in this dropbox control whether
the ACE is applicable only for objects (i.e. files) or for containers
(i.e. folders) or both.
There are also two checkboxes that impact the inheritance
characteristics of the ACLing. One blocks inheritance from
above, so that any inheritable ACE in the parental chain will
not inherit onto what is having its ACL edited (or any children).
The other box causes the ACL being edited to get applied to
its children, not a direct copy onto, but a "forced" inheritance
on down of what is inherited. This is different from just
applying the new ACL and letting it inherit as the case may
be due to the contained ACEs in that use of this checkbox
will also clear any points in the child structure where the
inheritance is blocked and will remove any explicit ACEs
set in the child structure.
In SDDL, the inheritance is represented in the OI, CI, and IO
strings you will see. The best way to become familiar with
the SDDL representation is to use the Security Templates
MMC snap-in to define some different ACLs and then to
save the template and look at it with notepad to see how the
different choices have been encoded. Learning by example
is often more direct than by trying to decode the effect of
what is documented in the MSDN statements of the SDDL
specification.

-- 
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"ambharish" <ambharish@discussions.microsoft.com> wrote in message
news:C0745901-280B-4899-BD55-53C49C2915C5@microsoft.com...
> I want to use Microsoft Solutions for Security (Securing Windows 2000
> Server.pdf) security guide to harden my Domain Server
>
> I feel this is a fundooo security guide
>
> I have a small question about the recommendations for Registries given in
> appendix B
>
> I want to know where does "Inheritable/Can Propagate" fit ?
> (either in DACL editor or SDDL)
>
> Thanks in advance !!!
>
> Cheers,
> Shekar

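As an added illustration of the SDDL side of Roger's answer (example code, not part of the original post), the script below decodes the OI/CI/IO flags of each ACE in a DACL string into the "Applies to" dropbox wording of the advanced DACL editor, and reports the P (protected) control flag that corresponds to the "block inheritance from above" checkbox. The SDDL strings are constructed samples; the mapping follows the standard Windows ACE flag semantics.

```python
import re

# "Applies to" dropbox entries of the advanced NTFS DACL editor, keyed by the
# SDDL inheritance flags present on an ACE:
#   OI = object inherit (files), CI = container inherit (folders),
#   IO = inherit only (the ACE does not apply to the object it sits on).
APPLIES_TO = {
    frozenset():                   "This folder only",
    frozenset({"OI"}):             "This folder and files",
    frozenset({"CI"}):             "This folder and subfolders",
    frozenset({"OI", "CI"}):       "This folder, subfolders and files",
    frozenset({"OI", "IO"}):       "Files only",
    frozenset({"CI", "IO"}):       "Subfolders only",
    frozenset({"OI", "CI", "IO"}): "Subfolders and files only",
}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return (dacl control flags, list of ACE field tuples) from an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL (D:...) component in SDDL string")
    aces = [tuple(a.split(";")) for a in ACE_RE.findall(m.group(2))]
    return m.group(1), aces


def describe_ace(ace):
    """Map one ACE (type;flags;rights;obj_guid;inh_guid;sid) to editor wording."""
    ace_type, flags, rights, _obj, _inh, sid = ace[:6]
    toks = {flags[i:i + 2] for i in range(0, len(flags), 2)}  # flags are 2-char tokens
    return {
        "type": {"A": "Allow", "D": "Deny"}.get(ace_type, ace_type),
        "trustee": sid,
        "rights": rights,
        "applies_to": APPLIES_TO[frozenset(toks & {"OI", "CI", "IO"})],
        "inherited_from_parent": "ID" in toks,   # ID = ACE arrived via inheritance
        "one_level_only": "NP" in toks,          # NP = do not propagate past one level
    }


def describe_dacl(sddl):
    control, aces = parse_dacl(sddl)
    return {
        # P (protected) = "block inheritance from the parent chain" checkbox
        "blocks_inheritance_from_parent": "P" in control,
        "aces": [describe_ace(a) for a in aces],
    }


if __name__ == "__main__":
    # Constructed sample: protected DACL with three ACEs of differing inheritance.
    sample = "D:PAI(A;OICI;FA;;;BA)(A;CIIO;FA;;;CO)(A;OIIOID;FR;;;BU)"
    for entry in describe_dacl(sample)["aces"]:
        print(entry)
```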
