From: Mike Coppins (mike legolas.com)
Date: Wed Apr 03 2002 - 06:57:29 CST
(Only joined this list today, so I'm reading your post off the website, so
I'm not able to easily quote - sorry)
I've found it generally easier to just rewrite C drive ACLs from scratch
rather than doing lots of little edits. This may seem like a major project
to embark on, but it depends on what level of security you're trying to
achieve (you also learn a shedload of out-of-the-way bizarre permissions
info, especially on Win2k! :-)). The only issue I see (if you want to keep
things simple and fast) is that it would probably be best to expire users'
locally-cached profiles and force them to be re-obtained from the domain
controller/fileserver (wherever you store your roaming profiles). If that
isn't possible, then resorting to VBS will slow down script execution
significantly, but it'll give you more flexibility.
Generally I've found on desktops that rewriting ACLs from a batch file
using xcacls will take a minute to completely execute. It might take a
little longer if you specifically install apps to C drive (or loads of
other files are on C).
Docs and Settings (or 'profiles') you don't need to worry about supplying
specific permissions to if you expire profiles, except for local admin
accounts, which you should remove auth:R from. When the roaming profiles
are re-requested, the proper ACLs required will be automatically set by the
system.
Other stuff you need to worry about (off the top of my head):
- Program Files (whether you allow auth write access to [specifics])
- Temp dirs
- IIS (IUSR and IWAM aren't 'auth users' so specific allows are required)
- replicator service
- revoking access to dllcache, repair, servicepackfiles, patch uninstall dirs
--
Mike Coppins
mikelegolas.com
http://www.legolas.com/
Currently looking for work: http://www.legolas.com/mikes/cv.html
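The xcacls batch approach Mike describes, written out as an added example (not code from the post or its author). It assumes a default Win2k layout (%SystemRoot% = C:\WINNT, profiles under "Documents and Settings", IIS under Inetpub) and that xcacls.exe from the Support Tools is on the PATH; review each path against the machine before running it.

```batch
@echo off
rem Added example: rewrite the system-drive ACLs from scratch with xcacls,
rem then tighten the directories the post calls out. Assumed paths are the
rem Win2k defaults; adjust them for the actual build.
setlocal

rem 1. Baseline for the whole drive: replace ACLs (/P) recursively (/T),
rem    keep going on access-denied (/C), no prompts (/Y).
xcacls %SystemDrive%\ /T /C /Y /P Administrators:F SYSTEM:F "Authenticated Users:R"

rem 2. Program Files: read-only for users; grant write on specific app
rem    directories separately if an application really needs it.
xcacls "%ProgramFiles%" /T /C /Y /P Administrators:F SYSTEM:F "Authenticated Users:R"

rem 3. Temp dir: users need Change (C) here, not just Read.
xcacls "%SystemRoot%\Temp" /T /C /Y /P Administrators:F SYSTEM:F "Authenticated Users:C"

rem 4. Revoke (/R) Authenticated Users from dllcache, repair, ServicePackFiles
rem    and the $NtUninstall* patch rollback dirs, editing (/E) rather than replacing.
for %%D in ("%SystemRoot%\system32\dllcache" "%SystemRoot%\repair" "%SystemRoot%\ServicePackFiles") do (
  if exist "%%~D" xcacls "%%~D" /T /E /C /Y /R "Authenticated Users"
)
for /d %%D in ("%SystemRoot%\$NtUninstall*") do xcacls "%%~D" /T /E /C /Y /R "Authenticated Users"

rem 5. Local admin profiles: remove auth:R; roaming profiles get their ACLs
rem    rebuilt by the system when they are re-obtained, so they are left alone.
for /d %%D in ("%SystemDrive%\Documents and Settings\Administrator*") do xcacls "%%~D" /T /E /C /Y /R "Authenticated Users"

rem 6. IIS: IUSR_/IWAM_ are not members of Authenticated Users, so grant them explicitly.
if exist "%SystemDrive%\Inetpub\wwwroot" xcacls "%SystemDrive%\Inetpub\wwwroot" /T /E /C /Y /G IUSR_%COMPUTERNAME%:R IWAM_%COMPUTERNAME%:R

endlocal
```

Step 1 resets every ACL on the drive, so run it only on a workstation whose profiles you intend to expire, and verify with xcacls pathname (no switches) that the resulting entries match what you expected.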