From: Brian Arkills (brian_at_hansolo.stanford.edu)
Date: Thu Jul 11 2002 - 11:50:08 CDT
More than a dozen people contacted me requesting the useful online references for customizing security templates ... so here they are:
Security Configuration Manager overview (includes critical info about how you can use it on NT4)
SDDL (security descriptor definition language) reference:
This SDDL reference is pretty ugly IMO, so I wrote a summary of the important info (adding helpful info I found in "Inside Active Directory" by Kouti & Seitsonen) which you can find in the appendix of this document:
How to Add Custom Registry Settings to Security Configuration Editor
How to add multiple multi_sz values using an .inf file
> -----Original Message-----
> From: Brian Arkills
> Sent: Tuesday, July 09, 2002 11:47 AM
> To: focus-mssecurityfocus.com
> Subject: RE: Automatically updating File Permission through GP's on a
> stand alone
> You'd want ACLs to get reset during every GP refresh? Scary;
> your system would be churning endlessly with little benefit.
> BTW, MS discourages this idea ...
> I'd recommend instead using the security analysis &
> configuration MMC (secedit from the command line) to set the
> ACLs once with a single template. Then you can audit those
> ACLs on a periodic basis using the same tool. The templates
> are pretty flexible (except they don't support wildcards like
> the old nt4 c2 config did), and you can set *any* registry
> value via them. I recently did some work with MS to get parts
> of the template format better documented ... I can send a
> link to a Q article if anyone is interested.
> > -----Original Message-----
> > From: Michael Devlin [mailto:Michael.Devlinfigleaves.com]
> > Sent: Friday, July 05, 2002 9:53 AM
> > To: focus-mssecurityfocus.com
> > Subject: Automatically updating File Permission through GP's
> > on a stand alone
> > On a stand alone 2000 machine you can import a section of a template
> > into gpedit.msc and the machine will happily apply those settings (eg
> > Password policy, IPSec policy la la la) as regular as you want....
> > HOWEVER..... There is no section for filesystem permissions in
> > Gpedit.msc (the same as there are for the equiv in AD), so.... My
> > question.....
> > Is it possible to modify/add/hack a template file, with
> > (and Reg permissions) into the GroupPolicy folder in system32 so that
> > they are applied at regular intervals with no user interaction.
> > Incidentally, I have already set it up using a script, task manager and
> > secedit.... But that is a little messy.
> > Many thanks
> > Michael Devlin
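
An added example, not part of the original thread or of any Microsoft tool: a Python parser that reads the `[File Security]` section of a security template and decodes the SDDL DACL on each entry, so the ACLs can be reviewed before the template is applied or analyzed with secedit. The template text, paths and function names are constructed for illustration; entries are assumed to have the form `"path",mode,"SDDL"`.

```python
import re

# Constructed sample template fragment; paths and ACLs are illustrative only.
SAMPLE_INF = r'''[Version]
signature="$CHICAGO$"
[File Security]
"%SystemRoot%\repair",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
"%SystemDrive%\shared",0,"D:AR(A;OICI;GA;;;BA)(A;OICI;GRGWGX;;;WD)"
'''

# SDDL right codes that let the trustee modify the object or its ACL/owner.
# A hex access mask (0x...) is kept as-is and is not matched by this set.
WRITE_RIGHTS = {"GA", "GW", "FA", "FW", "WD", "WO"}

ENTRY = re.compile(r'^"([^"]+)",\s*(\d+),\s*"([^"]*)"$')
DACL = re.compile(r'D:([A-Z]*)((?:\([^)]*\))+)')

def pairs(s):
    """Split concatenated two-letter SDDL codes; keep a hex mask whole."""
    if s.lower().startswith("0x"):
        return [s]
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_file_security(text):
    """Return one dict per entry in the [File Security] section."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = ENTRY.match(line) if section == "file security" else None
        if not m:
            continue
        d = DACL.search(m.group(3))
        aces = []
        for body in re.findall(r'\(([^)]*)\)', d.group(2) if d else ""):
            # ACE fields: type;flags;rights;object_guid;inherit_guid;sid
            typ, flags, rights, _, _, sid = body.split(";")[:6]
            aces.append({"type": typ, "flags": pairs(flags),
                         "rights": pairs(rights), "sid": sid})
        entries.append({"path": m.group(1), "mode": int(m.group(2)),
                        "protected": bool(d and "P" in d.group(1)),
                        "aces": aces})
    return entries

def world_writable(entries):
    """Paths where an allow ACE gives Everyone (SID alias WD) a modifying right."""
    return [e["path"] for e in entries for a in e["aces"]
            if a["type"] == "A" and a["sid"] == "WD"
            and WRITE_RIGHTS & set(a["rights"])]
```
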