Re: Security Templates

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/18/05


Date: Fri, 17 Jun 2005 22:21:44 -0700

On item 1 you are pretty much correct, at least from what I have
found "safe" using the Security Templates UI only. On item 2
the same comment applies. However, in both cases, after you
have saved the template, if you make yourself familiar with the
SDDL language in which the template encodes the permissions
in the resulting .inf text file, then you can edit this directly.
For item 1 you would need to adjust so that the CI, OI, or IO
flags that govern inheritance are removed and the NP that in
some OS levels prevents inheritance is added. For item 2 you
would remove the entire D section (the dacl) leaving only
the S section (the sacl).
http://msdn.microsoft.com/library/en-us/secauthz/security/security_descriptor_string_format.asp

The engine that analyzes and applies has no issue with SDDL
as allowed by the SDDL definition. What you are experiencing
is a limitation of the Security Templates user interface.

On your item 3, it varies some from one version of OS to another
but what I do is take the template and analyze with it, and
then look at what it reports as the existing permissions on
the service. In some OS versions and SP levels I have found
that the service permissions actually come up pre-populated
with the current settings as the starting point.

-- 
Roger Abell
Microsoft MVP (Windows Security)
"Maureen" <Maureen@discussions.microsoft.com> wrote in message
news:56D53403-1413-4A82-A9E1-C47D40149512@microsoft.com...
> 1. I'm trying to write a security template for a standalone Win2000 server.
> Where I am running into issues is on File System and Registry settings.
> If I only want to make changes to a high level folder but only that folder,
> do I have to add all lower level folders and files to the template to avoid
> inheritance issues?
> i.e. If I wanted to change the permissions that the Everyone group had on
> %systemroot%, I would have to add every folder and file below that and select
> "Do not allow permissions on this file or folder to be replaced"? Is there
> any way to say just this object?
>
> 2. Likewise, if I wanted to apply auditing to a particular folder, I'd have
> to specify all of the default permissions on the folder to add the auditing
> or I'd overwrite my permissions?
>
> 3. If I want to do Services Settings, how do I determine the default
> permissions that should be there? i.e. I want a service to come up as
> disabled, but it prompts me for permissions as well.
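The two hand-edits Roger describes for items 1 and 2 (strip the OI/CI/IO inheritance flags and add NP; drop the D: section and keep only S:) applied to one saved [File Security] line, as an added Python example that is not from this thread or from Microsoft. The entry, its ACEs and the mode value are constructed to look like what the Security Templates UI writes to the .inf, and the helper names are mine. One detail the reply does not spell out is handled here: an ACE carrying IO (inherit-only) never applied to the folder itself, so it is dropped rather than silently turned into a direct permission.

```python
import re

# Constructed sample of one [File Security] line as the Security Templates UI
# saves it to the .inf: "path",mode,"SDDL". The ACEs are illustrative, not
# copied from a real template; BA/SY/CO/BU/WD are standard SDDL SID aliases.
SAMPLE_ENTRY = (
    '"%SystemRoot%",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)'
    '(A;OICIIO;GA;;;CO)(A;OICI;0x1200a9;;;BU)S:AR(AU;OICISAFA;DCLCRPCRSDWDWO;;;WD)"'
)

ENTRY_RE = re.compile(r'^"(?P<path>[^"]*)",(?P<mode>\d+),"(?P<sddl>[^"]*)"$')
ACE_RE = re.compile(r'\(([^)]*)\)')
INHERIT_FLAGS = {'OI', 'CI', 'IO'}


def split_sddl(sddl):
    """Split an SDDL string into its O:, G:, D:, S: sections (dict keyed by letter)."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'([OGDS]):(.*?)(?=[OGDS]:|$)', sddl)}


def join_sddl(sections):
    """Reassemble the sections in canonical O, G, D, S order, skipping absent ones."""
    return ''.join(f'{k}:{sections[k]}' for k in 'OGDS' if k in sections)


def split_acl(acl):
    """Separate the ACL-level flags (P, AR, AI, ...) from the ACE bodies that follow."""
    idx = acl.find('(')
    if idx < 0:
        return acl, []
    return acl[:idx], ACE_RE.findall(acl[idx:])


def ace_flags(flags):
    """ACE flags are two-letter tokens concatenated with no separator (e.g. 'OICIIO')."""
    if len(flags) % 2:
        raise ValueError(f'odd-length ACE flag string: {flags!r}')
    return [flags[i:i + 2] for i in range(0, len(flags), 2)]


def this_object_only(acl):
    """Item 1: remove OI/CI/IO from every ACE and add NP, as the reply suggests.
    Inherit-only ACEs are dropped: they never applied to the object itself."""
    acl_flags, aces = split_acl(acl)
    rebuilt = []
    for ace in aces:
        fields = ace.split(';')
        if len(fields) != 6:
            raise ValueError(f'malformed ACE: ({ace})')
        flags = ace_flags(fields[1])
        if 'IO' in flags:
            continue
        kept = [f for f in flags if f not in INHERIT_FLAGS]
        if 'NP' not in kept:
            kept.append('NP')  # NP = no-propagate; only honoured on some OS levels
        fields[1] = ''.join(kept)
        rebuilt.append('(' + ';'.join(fields) + ')')
    return acl_flags + ''.join(rebuilt)


def audit_only(sddl):
    """Item 2: drop the D: (DACL) section so applying the template sets only
    auditing (S:) and leaves the existing permissions alone."""
    sections = split_sddl(sddl)
    if 'S' not in sections:
        raise ValueError('no S: section; an audit-only entry would set nothing')
    sections.pop('D', None)
    return join_sddl(sections)


def rewrite_entry(line, transform_dacl=None, strip_dacl=False):
    """Rewrite one [File Security] line, keeping the path and mode fields as they are."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f'not a File Security entry: {line!r}')
    sddl = m.group('sddl')
    if strip_dacl:
        sddl = audit_only(sddl)
    elif transform_dacl:
        sections = split_sddl(sddl)
        if 'D' in sections:
            sections['D'] = transform_dacl(sections['D'])
        sddl = join_sddl(sections)
    return f'"{m.group("path")}",{m.group("mode")},"{sddl}"'


if __name__ == '__main__':
    print(rewrite_entry(SAMPLE_ENTRY, transform_dacl=this_object_only))
    print(rewrite_entry(SAMPLE_ENTRY, strip_dacl=True))
```

Because the analyze/apply engine accepts any SDDL the specification allows, a line rewritten this way can go straight back into the .inf; running the template in analyze mode first shows exactly which objects the edited entry will touch.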