Re: Deny _WRITE_ access to a file
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/02/05
- Next message: Roger Abell: "Re: Setting Act As Part of Operating System - VBScript"
- Previous message: Steve P.: "Windows Security Center Warning."
- In reply to: Javier J: "Re: Deny _WRITE_ access to a file"
- Next in thread: Javier J: "Re: Deny _WRITE_ access to a file"
- Reply: Javier J: "Re: Deny _WRITE_ access to a file"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 1 Mar 2005 18:33:08 -0700
"Javier J" <no.mail@please.no> wrote in message
news:vpf921h1j3tgiliegad4u4kj7e7urhl72l@4ax.com...
> Hi!!
>
> Thanks a lot for the response.
>
> First of all, regarding LOGON SCRIPT, the mistake is mine: What I was
> trying to talk about was a STARTUP script (if I'm not mistaken, that
> script runs as BUILTIN\SYSTEM).
>
> I think I'd rather explain a bit more about the environment so that
> it's clear why I'm asking for such strange things:
>
> The situation is as follows: The PCs in question (Win 2000 PRO, SP4+,
> W2000 Mixed Domain) "belong" to a group of users who, as part of their
> normal duties, have to handle sensitive information using an internal
> company app. To avoid undue information leakage, these users have
> *TWO* logon users for the domain, a highly restricted one that is used
> to run the corporate app/access sensitive information, and a "Normal"
> user for the rest of everyday tasks.
>
> The "normal" user can run all software EXCEPT the restricted app, and
> can work normally.
>
> The setup for the restricted user (using GPO, crypto software et al)
> is such that the restricted user only can run the "sensitive" app,
> they can't browse or "see" in Explorer the local folders, their
> profile is redirected to an encrypted network etc etc...
>
> Also, using a STARTUP batch script, the members of the restricted
> group have been DENIED access to different .exes that restricted users
> should not run (ftp.exe, telnet.exe and other) and folders they don't
> need access to. (Windows already protects system folders against
> accidental change). The problem is, there are a couple of folders on
> C:\ (such as c:\local_settings) that the user logon needs to be able
> to read, because it sets machine-specific config. (such as the
> building's mail server, the NT server, and suchlike)
>
> The problem is that the folder is set to be writeable by "Everyone".
> I'd like to be able to "change" it so "no write" for the users of this
> particular group. I can DENY access, but these users are part of
> "Everyone", so even if "RestrictedG" has only READ access, as they are
> members of "Everyone"; they get to write there...
>
> Why am I exploring the "deny" route, instead of limiting the rights of
> "Everyone".. because there are some cases where the normal users have
> to be able to write, so "Everyone:W" is a valid permission.... as long
> as I could do something like "RestrictedG":DENY WRITE....
>
> I know that permission is "settable" (is that a word?) as it can be
> set using (the "simple") NTFS Perms. tab... but to script it is what is
> driving me crazy!!
>
> Thanks a lot. Any help _WILL_ be more than welcome!!
>
> Javier J
xcacls.vbs will do what you are after, and it will provide you
with examples of the lines needed to do it in your own script.
Deny overrides Grant - where you discuss the need for Everyone, but
not RestrictedG. The only thing is that you need to be very aware
and careful about explicit vs inherited.
Inherited or Explicit Deny overrides an Inherited Grant
Explicit Deny overrides an Explicit Grant, but an Inherited
Deny does not override an Explicit Grant.
--
Roger

>
> On Mon, 28 Feb 2005 22:12:30 -0700, "Roger Abell" <mvpNOSpam@asu.edu>
> wrote:
>
> >Al is quite right in picking up on your mention of use in a
> >login script - which skipped my attention.
> >To do as you had planned you would need to do this in
> >a startup/shutdown script, not login/logoff script.
> >
> >However, you really, really would IMO be better off by
> >restructuring so that all files with this requirement are in
> >a folder with appropriate grants, not mixed in with other
> >files in a folder where the default NTFS permissions will
> >need to be changed.
>
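The scripted "RestrictedG: Deny Write" that the thread is after, and a check of Roger's explicit-vs-inherited caveat, as an added PowerShell example (this is not code from the thread, from xcacls.vbs, or from the original posters; the Windows 2000 machines in question would have used xcacls.vbs or cacls instead). Assumptions not in the thread: the group is called RestrictedG in the current domain, and a throwaway folder C:\acl-demo\local_settings stands in for the real c:\local_settings so that running the script grants nothing on a live path.

```powershell
# Added example, not code from the thread or from xcacls.vbs.
# Assumptions (not from the thread): group RestrictedG in the current
# domain; a constructed test folder instead of the real C:\local_settings.
# Run from an elevated prompt on the machine that holds the folder.

param(
    [string]$Path  = 'C:\acl-demo\local_settings',   # constructed test path
    [string]$Group = "$env:USERDOMAIN\RestrictedG"   # assumed group name
)

# Print a DACL in the order Windows evaluates it: explicit Deny, explicit
# Allow, inherited Deny, inherited Allow. The first ACE that matches the
# caller and covers the requested right decides the outcome.
function Show-CanonicalDacl {
    param([string]$LiteralPath)
    Write-Host "DACL of $LiteralPath (evaluation order):"
    (Get-Acl -LiteralPath $LiteralPath).Access |
        Sort-Object -Property @{Expression = 'IsInherited'},
                              @{Expression = { $_.AccessControlType -eq 'Allow' }} |
        Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
}

# Build a FileSystemAccessRule. Inheritance flags make a folder ACE flow
# down to the files and subfolders beneath it; a file ACE must use None.
function New-Ace {
    param([string]$Identity, [string]$Rights, [string]$Type, [switch]$NoInherit)
    $inherit = if ($NoInherit) { 'None' } else { 'ContainerInherit, ObjectInherit' }
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]$Type
    )
}

$null = New-Item -ItemType Directory -Path $Path -Force

# 1. The folder as the thread describes it: Everyone may write.
$acl = Get-Acl -LiteralPath $Path
$acl.AddAccessRule((New-Ace -Identity 'Everyone' -Rights 'Read, Write' -Type 'Allow'))

# 2. The scripted answer: an explicit Deny of Write for the restricted
#    group. Read is untouched, so the group can still read its config.
$acl.AddAccessRule((New-Ace -Identity $Group -Rights 'Write' -Type 'Deny'))
Set-Acl -LiteralPath $Path -AclObject $acl
Show-CanonicalDacl $Path
# The RestrictedG Deny lists ahead of the Everyone Allow, so a member of
# RestrictedG is refused Write even though that member is also in Everyone.

# 3. Roger's caveat. A file below the folder inherits the Deny, but an
#    explicit Allow set directly on that file sorts ahead of it and wins.
$file = Join-Path $Path 'example.cfg'
Set-Content -LiteralPath $file -Value 'mailserver=constructed.example'   # constructed content
$facl = Get-Acl -LiteralPath $file
$facl.AddAccessRule((New-Ace -Identity $Group -Rights 'Write' -Type 'Allow' -NoInherit))
Set-Acl -LiteralPath $file -AclObject $facl
Show-CanonicalDacl $file
# "RestrictedG Allow Write IsInherited=False" now appears before
# "RestrictedG Deny Write IsInherited=True": RestrictedG CAN write this file.
# To make the folder-level Deny stick, remove the explicit Allow on the file
# or set the Deny explicitly on the file itself.
```

Set-Acl needs the caller to own the object or hold WRITE_DAC on it, which is why the thread ends up doing this from a startup script running as SYSTEM rather than from a logon script. On Vista/Server 2003 SP2 and later the first two steps collapse into one built-in command, `icacls C:\local_settings /deny "DOMAIN\RestrictedG:(OI)(CI)W"`, but the ordering shown by Show-CanonicalDacl is the same however the ACE is written, and it is that order, not the tool, that decides whether a deny actually holds on files below the folder.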