Possible to make root of C:\ drive read-only to users?


spinjector


My users just never follow the rule of not dumping crap onto the root of the C:\ drive.

Are there any tricks to making C:\ read-only to all but the "System:", "Local Service:", and/or other system critical processes..?

Thanks.



Sure.

Expand DEFLTWK.INF and have a look inside it.

You will see security descriptor permissions for root, as well as all other windows directories.

You can even do clever stuff like deny system write to certain directories, or open them up so that the undeletable can be deleted easily by you.

Of course, this is only for new installs. It might help also to copy Vista or 7 permission data from their security files to XP's. I have never done that. But I have edited DEFLTWK.INF and I know it works to my satisfaction.

I think this might help you:



;---------------------------------------------------------------------------------------
; Descriptors
;---------------------------------------------------------------------------------------
; A - ACCESS ALLOWED
; D - ACCESS DENIED
; OA - OBJECT ACCESS ALLOWED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).
; OD - OBJECT ACCESS DENIED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).
; AU - SYSTEM AUDIT
; AL - SYSTEM ALARM
; OU - OBJECT SYSTEM AUDIT
; OL - OBJECT SYSTEM ALARM
;---------------------------------------------------------------------------------------
; CI - CONTAINER INHERIT: Directories inherit the ACE as an explicit ACE.
; OI - OBJECT INHERIT: Files inherit the ACE as an explicit ACE.
; ID - ACE IS INHERITED
; NP - NO PROPAGATE: ONLY IMMEDIATE CHILDREN INHERIT THIS ACE.
; IO - INHERITANCE ONLY: ACE DOESN’T APPLY TO THIS OBJECT, BUT MAY AFFECT CHILDREN VIA INHERITANCE.
; SA - SUCCESSFUL ACCESS AUDIT
; FA - FAILED ACCESS AUDIT
;---------------------------------------------------------------------------------------
; P - Inheritance from containers that are higher in the folder hierarchy are blocked.
; AI - Inheritance is allowed, assuming that "P" is not also set.
; AR - Child objects inherit permissions from this object.
;---------------------------------------------------------------------------------------
; GA - GENERIC ALL
; GR - GENERIC READ
; GW - GENERIC WRITE
; GX - GENERIC EXECUTE
; *********************** Directory service access rights
; RC - Read Permissions
; SD - Delete
; WD - Modify Permissions
; WO - Modify Owner
; RP - Read All Properties
; WP - Write All Properties
; CC - Create All Child Objects
; DC - Delete All Child Objects
; LC - List Contents
; SW - All Validated Writes
; LO - List Object
; DT - Delete Subtree
; CR - All Extended Rights
; *********************** File access rights
; FA - FILE ALL ACCESS
; FR - FILE GENERIC READ
; FW - FILE GENERIC WRITE
; FX - FILE GENERIC EXECUTE
;---------------------------------------------------------------------------------------
; AO - Account operators
; RU - Alias to allow previous Windows 2000
; AN - Anonymous logon
; AU - Authenticated users
; BA - Built-in administrators
; BG - Built-in guests
; BO - Backup operators
; BU - Built-in users
; CA - Certificate server administrators
; CG - Creator group
; CO - Creator owner
; DA - Domain administrators
; DC - Domain computers
; DD - Domain controllers
; DG - Domain guests
; DU - Domain users
; EA - Enterprise administrators
; ED - Enterprise domain controllers
; WD - Everyone
; PA - Group Policy administrators
; IU - Interactively logged-on user
; LA - Local administrator
; LG - Local guest
; LS - Local service account
; SY - Local system
; NU - Network logon user
; NO - Network configuration operators
; NS - Network service account
; PO - Printer operators
; PS - Personal self
; PU - Power users
; RS - RAS servers group
; RD - Terminal server users
; RE - Replicator
; RC - Restricted code
; SA - Schema administrators
; SO - Server operators
; SU - Service logon user

While you're here, be kind and let users change the time when it's wrong:

SeSystemTimePrivilege = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-547, *S-1-5-32-545, *S-1-1-0

Let's disable Prefetching, in conjunction with the registry edit:

"%SystemRoot%\Prefetch",2,"D:PAR(D;;FAGAGRGWGXWD;;;SY)" ; DENY system

Let's make a few useless directories easier to delete after installation:

"%SystemDirectory%\ias",2,"D:P(A;CIOI;GA;;;WD)(A;CI;GA;;;WD)" ; allow world

"%SystemDirectory%\oobe",2,"D:P(A;CIOI;GA;;;WD)(A;CI;GA;;;WD)" ; allow world

"%SystemDirectory%\inetsrv",2,"D:P(A;CIOI;GA;;;WD)(A;CI;GA;;;WD)" ; allow world

etc etc.

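As an added example (not code from the post, from the DEFLTWK.INF template or from Windows itself), here is a small Python decoder for the SDDL descriptor strings and [File Security] entries quoted above, built from the token tables in the post. The two Prefetch/ias entries are copied from the post; the "C:\" root entry is constructed here purely to illustrate the thread's question and is not a tested DEFLTWK.INF line. The can_write function is a deliberately simplified model of the Windows access check (walk the DACL in order, skip inherit-only ACEs, the first ACE naming the caller that carries a write-like right decides), not a reimplementation of it.

```python
"""Decode SDDL strings and [File Security] template entries (added example)."""
import re

# Token tables taken from the descriptor comment block in the post (SIDs: a subset).
ACE_TYPES = {"A": "ACCESS ALLOWED", "D": "ACCESS DENIED", "OA": "OBJECT ACCESS ALLOWED",
             "OD": "OBJECT ACCESS DENIED", "AU": "SYSTEM AUDIT", "AL": "SYSTEM ALARM",
             "OU": "OBJECT SYSTEM AUDIT", "OL": "OBJECT SYSTEM ALARM"}
ACE_FLAGS = {"CI": "CONTAINER INHERIT", "OI": "OBJECT INHERIT", "ID": "INHERITED",
             "NP": "NO PROPAGATE", "IO": "INHERITANCE ONLY",
             "SA": "SUCCESSFUL ACCESS AUDIT", "FA": "FAILED ACCESS AUDIT"}
RIGHTS = {"GA": "GENERIC ALL", "GR": "GENERIC READ", "GW": "GENERIC WRITE",
          "GX": "GENERIC EXECUTE", "FA": "FILE ALL ACCESS", "FR": "FILE GENERIC READ",
          "FW": "FILE GENERIC WRITE", "FX": "FILE GENERIC EXECUTE", "RC": "Read Permissions",
          "SD": "Delete", "WD": "Modify Permissions", "WO": "Modify Owner",
          "CC": "Create All Child Objects", "DC": "Delete All Child Objects"}
SIDS = {"SY": "Local system", "BA": "Built-in administrators", "BU": "Built-in users",
        "AU": "Authenticated users", "WD": "Everyone", "CO": "Creator owner",
        "LS": "Local service account", "NS": "Network service account", "PU": "Power users"}
# Rights tokens that let a trustee change the object or its security (for can_write).
WRITE_LIKE = {"GA", "FA", "GW", "FW", "SD", "WD", "WO", "CC", "DC"}
# Mode column of a [File Security] entry, as documented for security templates.
MODES = {0: "propagate inheritable permissions to subfolders and files",
         1: "replace permissions on all subfolders and files",
         2: "do not allow permissions on this object to be replaced"}


def pairs(run):
    """Split a run of two-letter tokens ('FAGAGR' -> ['FA', 'GA', 'GR']); hex passes through."""
    if run.startswith("0x"):
        return [run]
    if len(run) % 2:
        raise ValueError(f"odd-length token run: {run!r}")
    return [run[i:i + 2] for i in range(0, len(run), 2)]


def parse_ace(body):
    """Parse 'type;flags;rights;object_guid;inherit_guid;sid' (the text inside one pair of parens).
    Note that 'WD' means Modify Permissions in the rights field but Everyone in the SID field;
    the position in the ACE decides, which is why the tables are kept separate."""
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError(f"ACE needs 6 fields: {body!r}")
    ace_type, flags, rights, _obj, _inh, sid = fields
    return {"type": ace_type, "type_name": ACE_TYPES.get(ace_type, ace_type),
            "flags": pairs(flags), "rights": pairs(rights),
            "trustee": sid, "trustee_name": SIDS.get(sid, sid)}


def parse_acl(text):
    """Parse the text after 'D:' or 'S:': optional flags (P, AI, AR), then '(...)' ACEs."""
    flag_run, _, ace_run = text.partition("(")
    flags = re.findall(r"P|AI|AR", flag_run)
    if "".join(flags) != flag_run:
        raise ValueError(f"unknown ACL flags: {flag_run!r}")
    aces = [parse_ace(m) for m in re.findall(r"\(([^)]*)\)", "(" + ace_run)] if ace_run else []
    return {"flags": flags, "aces": aces}


def parse_sddl(sddl):
    """Split 'O:..G:..D:..S:..' into its components; only D: and S: hold ACLs."""
    if not re.match(r"[OGDS]:", sddl):
        raise ValueError(f"not an SDDL string: {sddl!r}")
    comps = {m.group(1): m.group(2)
             for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl)}
    return {"owner": comps.get("O"), "group": comps.get("G"),
            "dacl": parse_acl(comps["D"]) if "D" in comps else None,
            "sacl": parse_acl(comps["S"]) if "S" in comps else None}


def parse_inf_entry(line):
    """Parse one [File Security] line:  "path",mode,"SDDL"  ; optional comment."""
    m = re.match(r'\s*"([^"]+)"\s*,\s*(\d)\s*,\s*"([^"]+)"', line)
    if not m:
        raise ValueError(f"not a file-security entry: {line!r}")
    mode = int(m.group(2))
    return {"path": m.group(1), "mode": mode, "mode_name": MODES.get(mode, "unknown"),
            "descriptor": parse_sddl(m.group(3))}


def can_write(descriptor, trustees):
    """Simplified access check: the first ACE that names one of the caller's trustee aliases
    and carries a write-like right decides; inherit-only ACEs do not apply to the object
    itself; no matching ACE means access is denied by default."""
    for ace in descriptor["dacl"]["aces"]:
        if ace["trustee"] not in trustees or "IO" in ace["flags"]:
            continue
        if not WRITE_LIKE.intersection(ace["rights"]):
            continue
        return ace["type"] == "A"
    return False


INF_LINES = [  # copied from the post
    '"%SystemRoot%\\Prefetch",2,"D:PAR(D;;FAGAGRGWGXWD;;;SY)" ; DENY system',
    '"%SystemDirectory%\\ias",2,"D:P(A;CIOI;GA;;;WD)(A;CI;GA;;;WD)" ; allow world',
]
# Constructed illustration of the question in this thread, NOT a tested template entry:
# SYSTEM and Administrators keep full control, Creator Owner gets full control on what
# it creates (inherit-only), Users get read/list only, at the root and below.
ROOT_READONLY = '"C:\\",2,"D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FRFX;;;BU)"'

if __name__ == "__main__":
    for line in INF_LINES + [ROOT_READONLY]:
        entry = parse_inf_entry(line)
        print(entry["path"], "-", entry["mode_name"])
        for ace in entry["descriptor"]["dacl"]["aces"]:
            print("   ", ace["type_name"], ace["trustee_name"], ace["flags"], ace["rights"])
        print("    Users can write:", can_write(entry["descriptor"], {"BU", "WD", "AU"}))
```

Two caveats the decoder makes visible: the leading P in the root entry blocks inheritance from above (irrelevant at the drive root) but the OI/CI flags push the Users read-only ACE down into every subfolder that does not carry its own protected ACL, which is exactly why DEFLTWK.INF sets explicit descriptors on the profile and Windows directories; and because the check above is a model rather than the real AccessCheck, verify the result on a test machine with the built-in tools before relying on it.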

The "old" way:

kb214752 appears like "lost forever":

http://unidyne.webdesignery.com/blog/2009/02/running-net-apps-from-shared-drives/

BUT, knowing how to find it, it's still on The Wayback Machine ;):

http://web.archive.org/web/20050208035236/http://support.microsoft.com/kb/214752/EN-US/

And, just for the record and FYI, how to workaround it. :whistle:

http://www.boot-land.net/forums/index.php?showtopic=10745

jaclaz

Edited by jaclaz

The "old" way:

I don't see protecting the root here. I once contacted MS about doing this in Win2k and they didn't know!! WTH?! :lol: I know that copying Vista perms to XP does work only because I read it in a MS blog.

And, just for the record and FYI, how to workaround it.

Ohhh, that's pretty clever jaclaz!! Any link to the SYS file download? That looks awesome. Esp for recovery console!


The enhanced write filter (ewf) could give you a complete read-only system drive, but then again not even the LocalSystem would be able to write anything (unless committing changes when configured in disk mode). So maybe not..

Joakim

