[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Setting security for Registry and Filesystem (more than cacls!) by batch

Posted on 2000-04-03
8
Medium Priority
?
1,039 Views
Last Modified: 2013-12-28
Hi,

for an unattended installation of NT-Workstation I need a way to set the permissions on Registry anmd Filesystem by performing a batch run.

For doing that, I need commandline tools  for setting the permission (freeware if possible, commercial software if necessary).

I need a too for registry permissions in general and I need a tool which can do more than the resource Kit cacls for the File System. At the filesystem I want to set the combination Read Write Delet (without execute) and read execute for restricting the users from copying executable files to the harddisk and execute those.

Thanks for help

Joerg
0
Comment
Question by:jbreuer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 2681394
REGADD or ADDREG - can't remember !
....can do this.
Use XCACLS to set specific permissions.
By far the best way is to use system policies, then you don't have to bother with .reg files / regkey permissions.
0
 
LVL 1

Expert Comment

by:3daysded
ID: 2682211
Micro soft has an nifty app called Security Configuration Manager.  
Your best bet for registry is to use policies. NT ZAK has a good .adm template for that.

DO NOT use the zero admin NTFS script as is, it can screw things up nicely.

On the securityfocus.com site they have a little script called securent. There are several batch files.

You can check out the ZAK and securent batch files and edit them to your liking. be very careful though.
0
 
LVL 1

Author Comment

by:jbreuer
ID: 2692752
Adjusted points from 100 to 200
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 1

Author Comment

by:jbreuer
ID: 2692753
Okay, the xcacls tool solves the first part of my problem but I'm still looking for a way to set the registry rights within a batch procedure.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 2692812
Have you tried REGINI ?
That lets you set ACLs on registry keys.
Check the Resource Kit Tools Overview for details.
0
 
LVL 1

Expert Comment

by:rasty
ID: 2754742
for ntfs use xcacls.exe, for services SRVSEC.EXE, for shares SHRSEC.EXE (all from NT Resource Kit). For Registy Keys (and other NT objects), you can use SUBINACL.EXE (by Luc Talpe/Microsoft). I guess, this one is on NT Res Kit, too.

Rasty
0
 
LVL 1

Author Comment

by:jbreuer
ID: 2773637
I can't see how SUBINACL.exe should be able to set ACL on specific registry keys or Hives.
It only transfers Information from user to user or domain to domain.
How would I use this for my purpose ??
0
 
LVL 1

Accepted Solution

by:
rasty earned 600 total points
ID: 2773855
You can edit registry ACLs with subinacl.exe...

SubInAcl Editing Features
SubInAcl allows you to modify each part of a a security descriptor:

owner
See /owner=SID or /setowner=SID
primary group
see /setprimarygroup=GroupSID
system ACL (SubInAcl name = Audit ACL) with access control entries or ACEs (SubInAcl name = AAce = Audit ACE)
see /audit /aace=xxx
discretionary ACL (SubInAcl name = Perm ACL ) with Access Control Entries (SubInAcl name= PAce = Perm ACE)
see /perm /pace=xxx, /revoke=SID, /grant=SID=Access, and /deny=SID

You can use secadd for giving a user registry access:

secadd [-l KeyName] [-r \\ServerName KeyName] [-l -a KeyName UserName] [-r -a \\ServerName KeyName UserName]

You can still buy ntsec from http://www.pedestalsoftware.com/ntsec/ntcmds.htm. They have good tools for modifying acls.

Rasty
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever visit a website where you spotted a really cool looking Font, yet couldn't figure out which font family it belonged to, or how to get a copy of it for your own use? This article explains the process of doing exactly that, as well as showing how…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question