Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1043
  • Last Modified:

Setting security for Registry and Filesystem (more than cacls!) by batch

Hi,

for an unattended installation of NT-Workstation I need a way to set the permissions on Registry anmd Filesystem by performing a batch run.

For doing that, I need commandline tools  for setting the permission (freeware if possible, commercial software if necessary).

I need a too for registry permissions in general and I need a tool which can do more than the resource Kit cacls for the File System. At the filesystem I want to set the combination Read Write Delet (without execute) and read execute for restricting the users from copying executable files to the harddisk and execute those.

Thanks for help

Joerg
0
jbreuer
Asked:
jbreuer
  • 3
  • 2
  • 2
  • +1
1 Solution
 
Tim HolmanCommented:
REGADD or ADDREG - can't remember !
....can do this.
Use XCACLS to set specific permissions.
By far the best way is to use system policies, then you don't have to bother with .reg files / regkey permissions.
0
 
3daysdedCommented:
Micro soft has an nifty app called Security Configuration Manager.  
Your best bet for registry is to use policies. NT ZAK has a good .adm template for that.

DO NOT use the zero admin NTFS script as is, it can screw things up nicely.

On the securityfocus.com site they have a little script called securent. There are several batch files.

You can check out the ZAK and securent batch files and edit them to your liking. be very careful though.
0
 
jbreuerAuthor Commented:
Adjusted points from 100 to 200
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
jbreuerAuthor Commented:
Okay, the xcacls tool solves the first part of my problem but I'm still looking for a way to set the registry rights within a batch procedure.
0
 
Tim HolmanCommented:
Have you tried REGINI ?
That lets you set ACLs on registry keys.
Check the Resource Kit Tools Overview for details.
0
 
rastyCommented:
for ntfs use xcacls.exe, for services SRVSEC.EXE, for shares SHRSEC.EXE (all from NT Resource Kit). For Registy Keys (and other NT objects), you can use SUBINACL.EXE (by Luc Talpe/Microsoft). I guess, this one is on NT Res Kit, too.

Rasty
0
 
jbreuerAuthor Commented:
I can't see how SUBINACL.exe should be able to set ACL on specific registry keys or Hives.
It only transfers Information from user to user or domain to domain.
How would I use this for my purpose ??
0
 
rastyCommented:
You can edit registry ACLs with subinacl.exe...

SubInAcl Editing Features
SubInAcl allows you to modify each part of a a security descriptor:

owner
See /owner=SID or /setowner=SID
primary group
see /setprimarygroup=GroupSID
system ACL (SubInAcl name = Audit ACL) with access control entries or ACEs (SubInAcl name = AAce = Audit ACE)
see /audit /aace=xxx
discretionary ACL (SubInAcl name = Perm ACL ) with Access Control Entries (SubInAcl name= PAce = Perm ACE)
see /perm /pace=xxx, /revoke=SID, /grant=SID=Access, and /deny=SID

You can use secadd for giving a user registry access:

secadd [-l KeyName] [-r \\ServerName KeyName] [-l -a KeyName UserName] [-r -a \\ServerName KeyName UserName]

You can still buy ntsec from http://www.pedestalsoftware.com/ntsec/ntcmds.htm. They have good tools for modifying acls.

Rasty
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 3
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now