From: Darren W. MacDonald (darrydooaci.on.ca)
Date: Wed Apr 03 2002 - 16:56:28 CST


    Greetings.

    First, thanks to all those who responded, on and off the list.
    Suggestions appreciated.

    Alas, I am unable to leverage AD, as this is for NT4 workstations in an
    NT4 domain. Sorry for not providing more details of the environment. W2K
    Server/AD/XP Desktop development is currently underway, and we will
    certainly be using Group Policy to implement this going forward. I still
    have at least 18 months of supporting the NT4 environment. :-(

    At this point, I believe that I have three options: stick with the
    status quo, and accept the risk of different ACLs for net-new and
    upgraded boxes; set all ACLs to Change using wildcards and then go back
    and re-set the exceptions to Read; use my currently-developed hour-long
    batch file. I really wish I had a fourth option... :-)

    Unfortunately, I'm not a developer/programmer, so writing code to do
    this more quickly, instead of using the slow batch method, is not an
    option for me.

    TTYL
    Darren

    > -----Original Message-----
    > From: Richard Hesse [mailto:rhessemicrosoft.com]
    > Sent: April 3, 2002 1:23 PM
    > To: focus-mssecurityfocus.com
    > Subject: RE: A different NTFS ACL question
    >
    > In addition to using batch files or a scripting language, Group Policy
    > Objects assigned to an OU can accomplish this very easily. They also
    > have the ability to skip certain directories. Like Mike mentioned, you
    > should be aware of the various user accounts and services. We have
    > separate GPOs for different OUs to accommodate for things like IIS,
    > NTFRS, etc. Cheers.
    >
    > Richard Hesse
    > Systems Administrator
    > MSN Messenger
    >
    > -----Original Message-----
    > From: Mike Coppins [mailto:mikelegolas.com]
    > Sent: Wednesday, April 03, 2002 4:57 AM
    > To: focus-mssecurityfocus.com
    > Subject: re: A different NTFS ACL question
    >
    >
    > (Only joined this list today, so I'm reading your post off the website,
    > so I'm not able to easily quote - sorry)
    >
    > I've found it generally easier to just rewrite C drive ACLs from scratch
    > rather than doing lots of little edits. This may seem like a major
    > project to embark on, but it depends on what level of security you're
    > trying to achieve (you also learn a shedload of out-of-the-way bizarre
    > permissions info, especially on Win2k! :-)). The only issue I see (if
    > you want to keep
    >
    > [deletia]