Group Memberships & ACL permissions?

Gerald W. Carter cartegw at Eng.Auburn.EDU
Thu Apr 16 16:23:05 GMT 1998


Luke Kenneth Casson Leighton wrote:

> > I have a script I use to secure lab machines.  It is constantly
> > evolving, but I can send it to you directly if you wish.  Don't want
> > to post it directly to the list here due to space.
> 
> awww, spoil-sport, gerald :-)


OK.  Since I have had a couple of requests....I don't 
claim this to be perfect.  If it breaks something...well 
you know the drill....Also remember that I am a control 
freak on my network so I generally try to lock down 
everything I can ( like have you ever moved the 
%systemroot%\Fonts to %systemdrive%\Fonts?  Weird 
things happen...)

The igrant / grant / setowner utilities are ones I got 
from Pedestal software ( $5 per copy for EDU sites ).  
You could probably use cacls.exe to do the same thing.  
I have found that I need to run the script anytime I add 
software which puts things in system32 due to the fact 
that Administrator will own the file and Everyone does 
not have RX permission.


Anyways...Here goes....Note that some lines may be wrapped.
May the source be with you :^)




j-
________________________________________________________________________
                            Gerald ( Jerry ) Carter	
Engineering Network Services                           Auburn University 
jerry at eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw

       "...a hundred billion castaways looking for a home."
                                  - Sting "Message in a Bottle" ( 1979 )

@echo off
rem #########################################################
rem ##
rem ## Script to set initial File permissions / ownership on 
rem ## College of Engineering student lab NT 4.0 Workstations
rem ##
rem ## Author           : Gerald Carter
rem ##                    jerry at eng.auburn.edu
rem ## File created     : Sometime in '97
rem ## Last update      : March 27, 1998
rem ## 
rem ## Notes :  USE THIS AT YOUR OWN RISK!!  I AM NOT
rem ##          RESPONSIBLE FOR TIME LOST DUE TO ANYTHING
rem ##          THAT THIS SCRIPT DOES!
rem ##
rem ##    The igrant / grant / setowner utilities are from
rem ##    Pedestal software 
rem ##         http://www.pedestalsoftware.com/ntsec.htm
rem ##    Note that you could probably do the same type of
rem ##    script using the cacls.exe utility that comes with
rem ##    Windows NT.
rem ##
rem #########################################################
 
rem ******** Environment variables for script ********
set ROOTPERM=Administrators:all SYSTEM:all
set OWNER="CREATOR OWNER:all"
set LOGFILE=%SYSTEMROOT%\local\log\init-sec.log
set LOCALBIN=%SYSTEMROOT%\local\bin
 
rem ******** Set the ownership of the files ********
echo.
echo Setting the ownership of...
echo Root files
%LOCALBIN%\setowner Administrators %SystemDrive%\ > %LOGFILE%
 
echo %SYSTEMROOT%
%LOCALBIN%\setowner -r Administrators %SYSTEMROOT% >> %LOGFILE%
 
echo %SystemDrive%\Temp
%LOCALBIN%\setowner Administrators %SystemDrive%\Temp >> %LOGFILE%
 
 
rem ******** Set the permissions on the files ********
echo.
echo.
echo Setting the files permissions on...
echo Root files
%LOCALBIN%\igrant -clear %ROOTPERM% Everyone:rx %SystemDrive%\ >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% Everyone:rx %SystemDrive%\* >> %LOGFILE%
 
echo %SYSTEMROOT%
%LOCALBIN%\igrant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT% >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\* >> %LOGFILE%
 
echo %SYSTEMROOT%\Config
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Config >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Config\* >> %LOGFILE%
 
echo %SYSTEMROOT%\COOKIES
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\COOKIES >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\COOKIES\* >> %LOGFILE%
 
echo %SYSTEMROOT%\Cursors
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Cursors >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Cursors\* >> %LOGFILE%
 
echo %SYSTEMROOT%\forms
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\forms >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\forms\* >> %LOGFILE%
 
echo %SYSTEMROOT%\fonts
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\fonts >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\fonts\* >> %LOGFILE%
 
echo %SYSTEMROOT%\Help
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Help >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Help\* >> %LOGFILE%
 
echo %SYSTEMROOT%\History
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\History >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\History\* >> %LOGFILE%
 
echo %SYSTEMROOT%\Java
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Java >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Java\* >> %LOGFILE%
 
echo %SYSTEMROOT%\Media
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Media >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Media\* >> %LOGFILE%
 
echo %SYSTEMROOT%\Profiles
%LOCALBIN%\igrant -clear %ROOTPERM% Everyone:rwdx %SYSTEMROOT%\Profiles >> %LOGFILE%
 
echo %SYSTEMROOT%\local
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\local >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\local\* >> %LOGFILE%
 
echo %SYSTEMROOT%\System
%LOCALBIN%\igrant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System\* >> %LOGFILE%
 
echo %SYSTEMROOT%\System32
%LOCALBIN%\igrant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32 >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\* >> %LOGFILE%
 
echo %SYSTEMROOT%\System32\dhcp
%LOCALBIN%\igrant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\dhcp >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\dhcp\* >> %LOGFILE%
 
echo %SYSTEMROOT%\System32\drivers
%LOCALBIN%\igrant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\drivers >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\drivers\* >> %LOGFILE%
 
echo %SYSTEMROOT%\System32\os2
%LOCALBIN%\igrant -clear -r %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\os2 >> %LOGFILE%
%LOCALBIN%\grant -clear -r %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\os2\* >> %LOGFILE%
 
echo %SYSTEMROOT%\System32\Repl
%LOCALBIN%\igrant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\Repl >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\Repl\* >> %LOGFILE%
 
echo %SYSTEMROOT%\System32\spool
%LOCALBIN%\igrant -clear -r %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\spool >> %LOGFILE%
%LOCALBIN%\grant -clear -r %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\spool\* >> %LOGFILE%
 
echo %SYSTEMROOT%\System32\spool\Printers
%LOCALBIN%\igrant -r -clear %ROOTPERM% %OWNER% Everyone:wxrd %SYSTEMROOT%\System32\spool\Printers >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:wxrd %SYSTEMROOT%\System32\spool\Printers\* >> %LOGFILE%
 
echo %SYSTEMROOT%\System32\viewers
%LOCALBIN%\igrant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\viewers >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\viewers\* >> %LOGFILE%
 
echo %SYSTEMROOT%\System32\wins
%LOCALBIN%\igrant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\wins >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\wins\* >> %LOGFILE%
 
echo %SYSTEMROOT%\repair
%LOCALBIN%\igrant -clear %ROOTPERM% %SYSTEMROOT%\repair >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %SYSTEMROOT%\repair\* >> %LOGFILE%
 
echo %SYSTEMROOT%\System32\Config
%LOCALBIN%\igrant -clear %ROOTPERM% %OWNER% Everyone:wx %SYSTEMROOT%\System32\Config >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:wx %SYSTEMROOT%\System32\Config\* >> %LOGFILE%
 
echo %SYSTEMROOT%\System32\RAS
%LOCALBIN%\igrant -r -clear %ROOTPERM% %OWNER% Everyone:wxrd %SYSTEMROOT%\System32\RAS >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:wxrd %SYSTEMROOT%\System32\RAS\* >> %LOGFILE%
 
 
echo %SystemDrive%\Temp
%LOCALBIN%\igrant -r -clear %ROOTPERM% %OWNER% Everyone:rwx %SystemDrive%\Temp >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:rwx %SystemDrive%\Temp\* >> %LOGFILE%
 
GOTO end
 
 
:end
 
rem ######## end of init-sec.bat ##################################
rem ###############################################################
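Editor's added example (not part of Jerry's post or of the Pedestal tools): the post says the same job could probably be done with the cacls.exe that ships with Windows NT 4.0, and this is what that looks like. It expresses the post's policy as a table of directories with a small subroutine instead of one pair of lines per directory, and only lists a representative subset of the directories. Assumptions: cmd.exe command extensions are on (CALL :label, GOTO :EOF); rights are mapped coarsely because NT 4.0 cacls only knows N, R, C and F (all -> F, rx -> R, rwx / wxrd / wx -> C), so the write-plus-execute-only ACE the post puts on System32\Config becomes Change, which is wider than the original; and cacls cannot change ownership, so the setowner step has no equivalent here. The log path is the post's, with a different file name.

```batch
@echo off
rem init-sec-cacls.bat -- added example, NOT the script from the post.
rem Same lockdown policy as the posted init-sec.bat, expressed with
rem cacls.exe instead of the Pedestal igrant/grant utilities.
rem Assumptions (see lead-in): command extensions on; coarse rights map
rem   all -> F, rx -> R, rwx / wxrd / wx -> C; no ownership step.
setlocal
set LOGFILE=%SYSTEMROOT%\local\log\init-sec-cacls.log
echo init-sec-cacls run > %LOGFILE%

rem Drive root: the root directory itself, then its immediate entries.
rem No /E means the ACL is replaced outright (the -clear of the post).
rem cacls asks "Are you sure (Y/N)?" when replacing; echo Y answers it.
echo Y| cacls %SystemDrive%\ /G Administrators:F SYSTEM:F Everyone:R >> %LOGFILE%
echo Y| cacls %SystemDrive%\* /G Administrators:F SYSTEM:F Everyone:R >> %LOGFILE%

rem Policy table: directory, Everyone's right (- = no ACE for Everyone),
rem whether CREATOR OWNER gets full control, whether to recurse.
rem Parent directories come before their children, because a non-
rem recursive entry also touches the ACL of the immediate subdirectories.
call :lock %SYSTEMROOT%                        R  CO    NOREC
call :lock %SYSTEMROOT%\Config                 R  NOCO  REC
call :lock %SYSTEMROOT%\Help                   R  NOCO  REC
call :lock %SYSTEMROOT%\System32               R  CO    NOREC
call :lock %SYSTEMROOT%\System32\drivers       R  CO    NOREC
call :lock %SYSTEMROOT%\System32\spool         R  CO    REC
call :lock %SYSTEMROOT%\System32\spool\Printers C  CO    REC
call :lock %SYSTEMROOT%\repair                 -  NOCO  NOREC
call :lock %SYSTEMROOT%\System32\Config        C  CO    NOREC
call :lock %SystemDrive%\Temp                  C  CO    REC

rem Spot check: cacls with no switches prints the resulting ACL.
cacls %SYSTEMROOT%\System32 >> %LOGFILE%
cacls %SYSTEMROOT%\repair >> %LOGFILE%
goto :EOF

rem lock <dir> <Everyone right | -> <CO|NOCO> <REC|NOREC>
:lock
set ACE=/G Administrators:F SYSTEM:F
if "%3"=="CO" set ACE=%ACE% "CREATOR OWNER":F
if not "%2"=="-" set ACE=%ACE% Everyone:%2
if "%4"=="REC" goto lock_rec
rem Directory ACL, then the files and subdirectories directly inside it.
echo Y| cacls %1 %ACE% >> %LOGFILE%
echo Y| cacls %1\* %ACE% >> %LOGFILE%
goto :EOF
:lock_rec
rem /T walks the whole tree, so one call covers directory and contents.
echo Y| cacls %1 /T %ACE% >> %LOGFILE%
goto :EOF
```

Two points worth checking after a run: the log shows each path cacls processed, so a path that never appears means a typo in the table; and because `%SYSTEMROOT%\repair` gets no Everyone ACE at all, the spot-check output for it should list only Administrators and SYSTEM, which is the quickest way to confirm the replace-not-edit behaviour took effect.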

