Solved

Setting security for Registry and Filesystem (more than cacls!) by batch

Posted on 2000-04-03
8
1,037 Views
Last Modified: 2013-12-28
Hi,

for an unattended installation of NT-Workstation I need a way to set the permissions on Registry anmd Filesystem by performing a batch run.

For doing that, I need commandline tools  for setting the permission (freeware if possible, commercial software if necessary).

I need a too for registry permissions in general and I need a tool which can do more than the resource Kit cacls for the File System. At the filesystem I want to set the combination Read Write Delet (without execute) and read execute for restricting the users from copying executable files to the harddisk and execute those.

Thanks for help

Joerg
0
Comment
Question by:jbreuer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 2681394
REGADD or ADDREG - can't remember !
....can do this.
Use XCACLS to set specific permissions.
By far the best way is to use system policies, then you don't have to bother with .reg files / regkey permissions.
0
 
LVL 1

Expert Comment

by:3daysded
ID: 2682211
Micro soft has an nifty app called Security Configuration Manager.  
Your best bet for registry is to use policies. NT ZAK has a good .adm template for that.

DO NOT use the zero admin NTFS script as is, it can screw things up nicely.

On the securityfocus.com site they have a little script called securent. There are several batch files.

You can check out the ZAK and securent batch files and edit them to your liking. be very careful though.
0
 
LVL 1

Author Comment

by:jbreuer
ID: 2692752
Adjusted points from 100 to 200
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Author Comment

by:jbreuer
ID: 2692753
Okay, the xcacls tool solves the first part of my problem but I'm still looking for a way to set the registry rights within a batch procedure.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 2692812
Have you tried REGINI ?
That lets you set ACLs on registry keys.
Check the Resource Kit Tools Overview for details.
0
 
LVL 1

Expert Comment

by:rasty
ID: 2754742
for ntfs use xcacls.exe, for services SRVSEC.EXE, for shares SHRSEC.EXE (all from NT Resource Kit). For Registy Keys (and other NT objects), you can use SUBINACL.EXE (by Luc Talpe/Microsoft). I guess, this one is on NT Res Kit, too.

Rasty
0
 
LVL 1

Author Comment

by:jbreuer
ID: 2773637
I can't see how SUBINACL.exe should be able to set ACL on specific registry keys or Hives.
It only transfers Information from user to user or domain to domain.
How would I use this for my purpose ??
0
 
LVL 1

Accepted Solution

by:
rasty earned 200 total points
ID: 2773855
You can edit registry ACLs with subinacl.exe...

SubInAcl Editing Features
SubInAcl allows you to modify each part of a a security descriptor:

owner
See /owner=SID or /setowner=SID
primary group
see /setprimarygroup=GroupSID
system ACL (SubInAcl name = Audit ACL) with access control entries or ACEs (SubInAcl name = AAce = Audit ACE)
see /audit /aace=xxx
discretionary ACL (SubInAcl name = Perm ACL ) with Access Control Entries (SubInAcl name= PAce = Perm ACE)
see /perm /pace=xxx, /revoke=SID, /grant=SID=Access, and /deny=SID

You can use secadd for giving a user registry access:

secadd [-l KeyName] [-r \\ServerName KeyName] [-l -a KeyName UserName] [-r -a \\ServerName KeyName UserName]

You can still buy ntsec from http://www.pedestalsoftware.com/ntsec/ntcmds.htm. They have good tools for modifying acls.

Rasty
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Determining the an SCCM package name from the Package ID
Windows 10 Creator Update has just been released and I have it working very well on my laptop. Read below for issues, fixes and ideas.
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question