Jump to content

Locking down C: drive through unattended install...

wlandymore
 Share

Recommended Posts

wlandymore

wlandymore

Posted
Posted

Is there a way that you can setup an unattended DVD so that it restricts what users can do with the C: drive? For example, I'm looking for a way to make the C: drive invisable to any user who isn't an administrator and only give them the rights to write to another partition - D:.

Can this kind of stuff be done with an unattended DVD?


gosh

gosh

Posted
Posted

Windows XP uses a special inf just for applying ntfs permissions to the root of the drive.

rootsec.inf

; © Microsoft Corporation 1997-2000

;

; Security Configuration Template for Security Configuration Manager

[version]

signature="$CHICAGO$"

DriverVer=07/01/2001,5.1.2600.0

[Profile Description]

%SCEProfileDescription%

[File Security]

"%SystemDrive%\",0,"D:AR(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICIIO;GA;;;CO)(A;CIOI;GRGX;;;BU)(A;CI;0x00000004;;;BU)(

;CIIO;0x00000002;;;BU)(A;;GRGX;;;WD)"

[strings]

SCEProfileDescription = "Applies default root permissions to the OS partition and propagates them to child objects that are inheriting from the root. The propagation time depends on the number of unprotected child objects. See online help for further information."

obviously you could modify this file to change the default permissions. HOWEVER, you should never do so.

If you accidently screw up the root ntfs permissions, such as removing or denying the everyone group:

1 - The computer might not boot

2 - You can't change this back using recovery console since it doesn't have a command to modify ntfs permissions

3 - You can't reinstall windows because it won't be able to write to the root of the drive

4 - You can't do a parallel install because you can't write to the root of the drive

Only solution would be a format. And yes, i've worked on 2 incidents where the customer stupidly did this and had to format.

So my advice is don't do it!

-gosh

wlandymore

wlandymore

Posted
  • Author
Posted

I'm not worried about having to format a computer. I do this stuff in a virtual machine anyway, so if you have to blow it away so be it! :)

Thanks for the help.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...