spinjector Posted March 15, 2010

My users just never follow the rule of not dumping crap onto the root of the C:\ drive. Are there any tricks to making C:\ read-only to all but the "System:", "Local Service:", and/or other system critical processes..? Thanks.
fdv Posted March 16, 2010

Sure. Expand, and have a look in, DEFLTWK.INF. You will see security descriptor permissions for root, as well as all other Windows directories. You can even do clever stuff like deny System write to certain directories, or open them up so that the undeletable can be deleted easily by you. Of course, this is only for new installs. It might help also to copy Vista or 7 permission data from their security files to XP's. I have never done that. But I have edited DEFLTWK.INF and I know it works to my satisfaction. I think this might help you:

```ini
;---------------------------------------------------------------------------------------
; Descriptors
;---------------------------------------------------------------------------------------
; A  - ACCESS ALLOWED
; D  - ACCESS DENIED
; OA - OBJECT ACCESS ALLOWED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).
; OD - OBJECT ACCESS DENIED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).
; AU - SYSTEM AUDIT
; AL - SYSTEM ALARM
; OU - OBJECT SYSTEM AUDIT
; OL - OBJECT SYSTEM ALARM
;---------------------------------------------------------------------------------------
; CI - CONTAINER INHERIT: Directories inherit the ACE as an explicit ACE.
; OI - OBJECT INHERIT: Files inherit the ACE as an explicit ACE.
; ID - ACE IS INHERITED
; NP - NO PROPAGATE: ONLY IMMEDIATE CHILDREN INHERIT THIS ACE.
; IO - INHERITANCE ONLY: ACE DOESN'T APPLY TO THIS OBJECT, BUT MAY AFFECT CHILDREN VIA INHERITANCE.
; SA - SUCCESSFUL ACCESS AUDIT
; FA - FAILED ACCESS AUDIT
;---------------------------------------------------------------------------------------
; P  - Inheritance from containers that are higher in the folder hierarchy is blocked.
; AI - Inheritance is allowed, assuming that "P" is not also set.
; AR - Child objects inherit permissions from this object.
;---------------------------------------------------------------------------------------
; GA - GENERIC ALL
; GR - GENERIC READ
; GW - GENERIC WRITE
; GX - GENERIC EXECUTE
; *********************** Directory service access rights
; RC - Read Permissions
; SD - Delete
; WD - Modify Permissions
; WO - Modify Owner
; RP - Read All Properties
; WP - Write All Properties
; CC - Create All Child Objects
; DC - Delete All Child Objects
; LC - List Contents
; SW - All Validated Writes
; LO - List Object
; DT - Delete Subtree
; CR - All Extended Rights
; *********************** File access rights
; FA - FILE ALL ACCESS
; FR - FILE GENERIC READ
; FW - FILE GENERIC WRITE
; FX - FILE GENERIC EXECUTE
;---------------------------------------------------------------------------------------
; AO - Account operators
; RU - Alias to allow previous Windows 2000
; AN - Anonymous logon
; AU - Authenticated users
; BA - Built-in administrators
; BG - Built-in guests
; BO - Backup operators
; BU - Built-in users
; CA - Certificate server administrators
; CG - Creator group
; CO - Creator owner
; DA - Domain administrators
; DC - Domain computers
; DD - Domain controllers
; DG - Domain guests
; DU - Domain users
; EA - Enterprise administrators
; ED - Enterprise domain controllers
; WD - Everyone
; PA - Group Policy administrators
; IU - Interactively logged-on user
; LA - Local administrator
; LG - Local guest
; LS - Local service account
; SY - Local system
; NU - Network logon user
; NO - Network configuration operators
; NS - Network service account
; PO - Printer operators
; PS - Personal self
; PU - Power users
; RS - RAS servers group
; RD - Terminal server users
; RE - Replicator
; RC - Restricted code
; SA - Schema administrators
; SO - Server operators
; SU - Service logon user
```

While you're here, be kind and let users change the time when it's wrong:

```ini
SeSystemTimePrivilege = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-547, *S-1-5-32-545, *S-1-1-0
```

Let's disable Prefetching, in conjunction with the registry edit:

```ini
"%SystemRoot%\Prefetch",2,"D:PAR(D;;FAGAGRGWGXWD;;;SY)" ; DENY system
```

Let's make a few useless directories easier to delete after installation:

```ini
"%SystemDirectory%\ias",2,"D:P(A;CIOI;GA;;;WD)(A;CI;GA;;;WD)" ; allow world
"%SystemDirectory%\oobe",2,"D:P(A;CIOI;GA;;;WD)(A;CI;GA;;;WD)" ; allow world
"%SystemDirectory%\inetsrv",2,"D:P(A;CIOI;GA;;;WD)(A;CI;GA;;;WD)" ; allow world
```

etc etc.
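Added example (not from the thread or from DEFLTWK.INF itself): a small decoder that turns the SDDL strings quoted in the post above into readable ACEs using only the abbreviations listed there, so you can check what a line in DEFLTWK.INF actually grants or denies before installing with it. It assumes DACL-only strings of the `D:flags(ace)(ace)...` shape shown in the post.

```python
"""Decode SDDL strings like those quoted from DEFLTWK.INF into readable ACEs."""
import re

# Abbreviation tables transcribed from the descriptor list in the post above;
# a code not listed there is echoed verbatim rather than guessed.
SD_FLAGS = {"P": "protected (parent inheritance blocked)",
            "AR": "children inherit from this object", "AI": "inheritance allowed"}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "OA": "OBJECT ALLOW", "OD": "OBJECT DENY",
             "AU": "AUDIT", "AL": "ALARM"}
ACE_FLAGS = {"CI": "container inherit", "OI": "object inherit", "ID": "inherited",
             "NP": "no propagate", "IO": "inheritance only",
             "SA": "audit success", "FA": "audit failure"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ",
          "FW": "FILE_GENERIC_WRITE", "FX": "FILE_GENERIC_EXECUTE",
          "RC": "READ_PERMISSIONS", "SD": "DELETE", "WD": "MODIFY_PERMISSIONS",
          "WO": "MODIFY_OWNER"}
TRUSTEES = {"SY": "Local system", "WD": "Everyone", "BA": "Built-in administrators",
            "BU": "Built-in users", "AU": "Authenticated users", "LS": "Local service",
            "NS": "Network service", "CO": "Creator owner", "PU": "Power users"}

def pairs(codes):
    """Split a run of two-letter codes ('FAGAGR') into ['FA', 'GA', 'GR']."""
    return [codes[i:i + 2] for i in range(0, len(codes), 2)]

def parse_ace(body):
    """Decode one 'type;flags;rights;object_guid;inherit_guid;trustee' ACE body."""
    ace_type, flags, rights, _obj_guid, _inh_guid, trustee = body.split(";")
    # The same two letters mean different things per field: 'WD' is the
    # modify-permissions right in the rights field but Everyone as a trustee.
    # A raw hex access mask (0x...) is kept as-is instead of being split.
    decoded = [rights] if rights.startswith("0x") else [RIGHTS.get(r, r) for r in pairs(rights)]
    return {"type": ACE_TYPES.get(ace_type, ace_type),
            "flags": [ACE_FLAGS.get(f, f) for f in pairs(flags)],
            "rights": decoded,
            "trustee": TRUSTEES.get(trustee, trustee)}

def parse_sddl(sddl):
    """Parse the DACL ('D:') part of an SDDL string into its flags and ACEs."""
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError(f"not a DACL-only SDDL string: {sddl!r}")
    flag_str, ace_str = m.groups()
    # 'P' is the only single-letter control flag; the rest come in pairs.
    flags = (["P"] if flag_str.startswith("P") else []) + pairs(flag_str.lstrip("P"))
    return {"flags": [SD_FLAGS.get(f, f) for f in flags],
            "aces": [parse_ace(b) for b in re.findall(r"\(([^)]*)\)", ace_str)]}
```

Running `parse_sddl("D:PAR(D;;FAGAGRGWGXWD;;;SY)")` shows the Prefetch line is a protected DACL with a single DENY of all file and generic rights to Local system, which is exactly why that entry needs the matching registry edit.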
jaclaz Posted March 16, 2010 (edited)

The "old" way: kb214752 appears like "lost forever":
http://unidyne.webdesignery.com/blog/2009/02/running-net-apps-from-shared-drives/

BUT, knowing how to find it, it's still on The Wayback Machine:
http://web.archive.org/web/20050208035236/http://support.microsoft.com/kb/214752/EN-US/

And, just for the record and FYI, how to workaround it.
http://www.boot-land.net/forums/index.php?showtopic=10745

jaclaz

Edited March 16, 2010 by jaclaz
fdv Posted March 16, 2010

> The "old" way:

I don't see protecting the root here. I once contacted MS about doing this in Win2k and they didn't know!! WTH?! I know that copying Vista perms to XP does work only because I read it in a MS blog.

> And, just for the record and FYI, how to workaround it.

Ohhh, that's pretty clever jaclaz!! Any link to the SYS file download? That looks awesome. Esp for recovery console!
cdob Posted March 16, 2010

> Any link to the SYS file download?

http://www.hobeanu.com/blog/bypassing-file-system-security-in-windows/
joakim Posted March 16, 2010

The enhanced write filter (EWF) could give you a complete read-only system drive, but then again not even the LocalSystem would be able to write anything (unless committing changes when configured in disk mode). So maybe not..

Joakim
jaclaz Posted March 16, 2010

> Any link to the SYS file download? That looks awesome. Esp for recovery console!

SHAME on you! You lost trace at 2nd hop!

http://www.boot-land.net/forums/index.php?showtopic=10745
http://www.boot-land.net/forums/index.php?showtopic=10579&st=0&p=93201entry93201
www.hobeanu.com/blog
http://www.hobeanu.com/blog/bypassing-file-system-security-in-windows/
http://www.hobeanu.com/blog/accessgain-tool/
http://www.hobeanu.com/blog/downloads/AccessGain.zip

jaclaz