Re: Security Templates

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/18/05


Date: Fri, 17 Jun 2005 22:21:44 -0700

On item 1 you are pretty much correct, at least from what I have
found "safe" using the Security Templates UI only. On item 2
the same comment applies. However, in both cases, after you
have saved the template, if you make yourself familiar with the
SDDL language in which the template encodes the permissions
in the resulting .inf text file, then you can edit this directly.
For item 1 you would need to adjust so that the CI, OI, or IO
flags that govern inheritance are removed and the NP that in
some OS levels prevents inheritance is added. For item 2 you
would remove the entire D section (the dacl) leaving only
the S section (the sacl).
http://msdn.microsoft.com/library/en-us/secauthz/security/security_descriptor_string_format.asp

The engine that analyzes and applies has no issue with SDDL
as allowed by the SDDL definition. What you are experiencing
is a limitation of the Security Templates user interface.

On your item 3, it varies some from one version of OS to another
but what I do is take the template and analyze with it, and
then look at what it reports as the existing permissions on
the service. In some OS versions and SP levels I have found
that the service permissions actually come up pre-populated
with the current settings as the starting point.

-- 
Roger Abell
Microsoft MVP (Windows  Security)
"Maureen" <Maureen@discussions.microsoft.com> wrote in message
news:56D53403-1413-4A82-A9E1-C47D40149512@microsoft.com...
> 1.  I'm trying to write a security template for a standalone Win2000 server.
> Where I am running into issues is on File System and Registry settings.
> If I only want to make changes to a high level folder but only that folder,
> do I have to add all lower level folders and files to the template to avoid
> inheritance issues?
> ie.  If I wanted to change the permissions that the Everyone group had on
> %systemroot%, I would have to add every folder and file below that and select
> "Do not allow permissions on this file or folder to be replaced"?  Is there
> any way to say just this object?
>
> 2. Likewise, if I wanted to apply auditing to a particular folder, I'd have
> to specify all of the default permissions on the folder to add the auditing
> or I'd overwrite my permissions?
>
> 3.  If I want to do Services Settings, how do I determine the default
> permissions that should be there?  i.e. I want a service to come up as
> disabled, but it prompts me for permissions as well.
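
The two SDDL edits described in the reply above (items 1 and 2), as an added example that is not part of the original thread. The function names and the sample SDDL string are constructed for illustration; adding NP is optional here because the reply says it only matters on some OS levels.

```python
import re

ACE = re.compile(r"\(([^()]*)\)")      # one ACE: (type;flags;rights;;;trustee)
INHERIT = {"CI", "OI", "IO"}           # inheritance flags named in the reply

def split_sections(sddl):
    """Split an SDDL string into its O:, G:, D:, S: parts, keeping order."""
    marks, depth = [], 0
    for i, ch in enumerate(sddl):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == ":" and depth == 0 and i > 0 and sddl[i - 1] in "OGDS":
            marks.append(i - 1)        # section tag sits just before the colon
    bounds = marks[1:] + [len(sddl)]
    return {sddl[a]: sddl[a + 2:b] for a, b in zip(marks, bounds)}

def join_sections(sections):
    """Reassemble the sections in their original order."""
    return "".join(f"{tag}:{body}" for tag, body in sections.items())

def this_object_only(sddl, add_np=True):
    """Item 1: drop CI/OI/IO from each DACL ACE and optionally add NP."""
    def fix(match):
        fields = match.group(1).split(";")
        # ACE flags are concatenated two-letter codes, e.g. "OICI"
        flags = [f for f in re.findall("..", fields[1]) if f not in INHERIT]
        if add_np and "NP" not in flags:
            flags.append("NP")
        fields[1] = "".join(flags)
        return "(" + ";".join(fields) + ")"
    sections = split_sections(sddl)
    if "D" in sections:                # the SACL is left untouched
        sections["D"] = ACE.sub(fix, sections["D"])
    return join_sections(sections)

def audit_only(sddl):
    """Item 2: remove the D: (DACL) section, keep S: (SACL) and the rest."""
    sections = split_sections(sddl)
    sections.pop("D", None)
    return join_sections(sections)

# Constructed sample value, not taken from any real template.
SAMPLE = "D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;WD)S:AR(AU;OICISAFA;FA;;;WD)"

if __name__ == "__main__":
    print(this_object_only(SAMPLE))
    print(audit_only(SAMPLE))
```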

