Solved

Setting security for Registry and Filesystem (more than cacls!) by batch

Posted on 2000-04-03
8
1,027 Views
Last Modified: 2013-12-28
Hi,

for an unattended installation of NT-Workstation I need a way to set the permissions on Registry anmd Filesystem by performing a batch run.

For doing that, I need commandline tools  for setting the permission (freeware if possible, commercial software if necessary).

I need a too for registry permissions in general and I need a tool which can do more than the resource Kit cacls for the File System. At the filesystem I want to set the combination Read Write Delet (without execute) and read execute for restricting the users from copying executable files to the harddisk and execute those.

Thanks for help

Joerg
0
Comment
Question by:jbreuer
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 2681394
REGADD or ADDREG - can't remember !
....can do this.
Use XCACLS to set specific permissions.
By far the best way is to use system policies, then you don't have to bother with .reg files / regkey permissions.
0
 
LVL 1

Expert Comment

by:3daysded
ID: 2682211
Micro soft has an nifty app called Security Configuration Manager.  
Your best bet for registry is to use policies. NT ZAK has a good .adm template for that.

DO NOT use the zero admin NTFS script as is, it can screw things up nicely.

On the securityfocus.com site they have a little script called securent. There are several batch files.

You can check out the ZAK and securent batch files and edit them to your liking. be very careful though.
0
 
LVL 1

Author Comment

by:jbreuer
ID: 2692752
Adjusted points from 100 to 200
0
 
LVL 1

Author Comment

by:jbreuer
ID: 2692753
Okay, the xcacls tool solves the first part of my problem but I'm still looking for a way to set the registry rights within a batch procedure.
0
Do email signature updates give you a headache?

Do you feel like you are constantly making changes to email signatures? Are the images not formatting how you want them to? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today.

 
LVL 23

Expert Comment

by:Tim Holman
ID: 2692812
Have you tried REGINI ?
That lets you set ACLs on registry keys.
Check the Resource Kit Tools Overview for details.
0
 
LVL 1

Expert Comment

by:rasty
ID: 2754742
for ntfs use xcacls.exe, for services SRVSEC.EXE, for shares SHRSEC.EXE (all from NT Resource Kit). For Registy Keys (and other NT objects), you can use SUBINACL.EXE (by Luc Talpe/Microsoft). I guess, this one is on NT Res Kit, too.

Rasty
0
 
LVL 1

Author Comment

by:jbreuer
ID: 2773637
I can't see how SUBINACL.exe should be able to set ACL on specific registry keys or Hives.
It only transfers Information from user to user or domain to domain.
How would I use this for my purpose ??
0
 
LVL 1

Accepted Solution

by:
rasty earned 200 total points
ID: 2773855
You can edit registry ACLs with subinacl.exe...

SubInAcl Editing Features
SubInAcl allows you to modify each part of a a security descriptor:

owner
See /owner=SID or /setowner=SID
primary group
see /setprimarygroup=GroupSID
system ACL (SubInAcl name = Audit ACL) with access control entries or ACEs (SubInAcl name = AAce = Audit ACE)
see /audit /aace=xxx
discretionary ACL (SubInAcl name = Perm ACL ) with Access Control Entries (SubInAcl name= PAce = Perm ACE)
see /perm /pace=xxx, /revoke=SID, /grant=SID=Access, and /deny=SID

You can use secadd for giving a user registry access:

secadd [-l KeyName] [-r \\ServerName KeyName] [-l -a KeyName UserName] [-r -a \\ServerName KeyName UserName]

You can still buy ntsec from http://www.pedestalsoftware.com/ntsec/ntcmds.htm. They have good tools for modifying acls.

Rasty
0

Featured Post

Do email signature updates give you a headache?

Do you feel like you are constantly making changes to email signatures? Are the images not formatting how you want them to? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today.

Join & Write a Comment

Suggested Solutions

Recently Microsoft released a brand new function called CONCAT. It's supposed to replace its predecessor CONCATENATE. But how does it work? And what's new? In this article, we take a closer look at all of this - we even included an exercise file for…
In this article, I will show you HOW TO: Install VMware Tools for Windows on a VMware Windows virtual machine on a VMware vSphere Hypervisor 6.5 (ESXi 6.5) Host Server, using the VMware Host Client. The virtual machine has Windows Server 2016 instal…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now