From: Brian Arkills (brian_at_hansolo.stanford.edu)
Date: Thu Jul 11 2002 - 11:50:08 CDT
More than a dozen people contacted me requesting the useful online references for customizing security templates ... so here they are:
Security Configuration Manager overview (includes critical info about how you can use it on NT4)
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q245216
SDDL (security descriptor definition language) reference:
http://msdn.microsoft.com/library/en-us/security/Security/security_descriptor_definition_language.asp
This SDDL reference is pretty ugly IMO, so I wrote a summary of the important info (adding helpful info I found in "Inside Active Directory" by Kouti & Seitsonen) which you can find in the appendix of this document:
http://windows.stanford.edu/docs/ADSecurityOverview.htm
How to Add Custom Registry Settings to Security Configuration Editor
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q214752
How to add multiple multi_sz values using an .inf file
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q322083
Brian
> -----Original Message-----
> From: Brian Arkills
> Sent: Tuesday, July 09, 2002 11:47 AM
> To: focus-ms@securityfocus.com
> Subject: RE: Automatically updating File Permission through GP's on a stand alone
>
>
> You'd want ACLs to get reset during every GP refresh? Scary;
> your system would be churning endlessly with little benefit.
> BTW, MS discourages this idea ...
>
> I'd recommend instead using the security analysis &
> configuration MMC (secedit from the command line) to set the
> ACLs once with a single template. Then you can audit those
> ACLs on a periodic basis using the same tool. The templates
> are pretty flexible (except they don't support wildcards like
> the old nt4 c2 config did), and you can set *any* registry
> value via them. I recently did some work with MS to get parts
> of the template format better documented ... I can send a
> link to a Q article if anyone is interested.
>
> Brian
>
> > -----Original Message-----
> > From: Michael Devlin [mailto:Michael.Devlin@figleaves.com]
> > Sent: Friday, July 05, 2002 9:53 AM
> > To: focus-ms@securityfocus.com
> > Subject: Automatically updating File Permission through GP's on a stand alone
> >
> >
> > On a stand alone 2000 machine you can import a section of a template
> > into gpedit.msc and the machine will happily apply those settings (eg
> > Password policy, IPSec policy la la la) as regular as you want....
> > HOWEVER..... There is no section for filesystem permissions in
> > Gpedit.msc (the same as there are for the equiv in AD), so.... My
> > question.....
> >
> > Is it possible to modify/add/hack a template file, with FilePermission
> > (and Reg permissions) into the GroupPolicy folder in system32 so that
> > they are applied at regular intervals with no user interaction.
> >
> > Incidentally, I have already set it up using a script, task manager and
> > secedit.... But that is a little messy.
> >
> > Many thanks
> >
> > Michael Devlin
> >
>
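
An added example, not part of the original thread: the periodic-audit idea from the quoted reply, applied to the template file itself by parsing its `[File Security]` section and decoding the SDDL strings to flag allow ACEs that give broad groups write access. The sample template, its paths and the function names are constructed for illustration, and the `"path",mode,"SDDL"` entry layout is an assumption.

```python
import re

# Constructed sample template; paths and ACLs are illustrative only.
SAMPLE = r'''[Version]
signature="$CHICAGO$"
[File Security]
"%SystemRoot%\system32",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
"%SystemDrive%\apps\data",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;BU)"
"%SystemDrive%\temp",0,"D:AR(A;OICI;FA;;;WD)"
'''

BROAD = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users"}
WRITE_CODES = {"FA", "FW", "GA", "GW", "WD", "WO", "SD"}  # SDDL rights that modify
# FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE | WRITE_DAC | WRITE_OWNER | GENERIC_ALL | GENERIC_WRITE
WRITE_MASK = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000

def file_security_entries(text):
    """Yield (path, mode, sddl) from the [File Security] section."""
    section = ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "file security" and line and not line.startswith(";"):
            path, mode, sddl = (f.strip().strip('"') for f in line.split(",", 2))
            yield path, int(mode), sddl

def dacl_aces(sddl):
    """Yield (type, rights, trustee) for every ACE in the D: (DACL) part."""
    dacl = re.search(r"D:(.*?)(?=S:|$)", sddl)
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = body.split(";")  # type;flags;rights;object;inherit_object;trustee
        yield fields[0], fields[2], fields[5]

def grants_write(rights):
    """True if a rights field (hex mask or two-letter codes) allows modification."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    return bool({rights[i:i + 2] for i in range(0, len(rights), 2)} & WRITE_CODES)

def audit(text):
    """Return (path, group, rights) for allow ACEs giving broad groups write access."""
    return [(path, BROAD[who], rights)
            for path, _mode, sddl in file_security_entries(text)
            for kind, rights, who in dacl_aces(sddl)
            if kind == "A" and who in BROAD and grants_write(rights)]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Only the common SID abbreviations and file rights are covered, and paths containing commas are not handled.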