victor2008 (United States of America) asked:

Network drive not automatically connecting via login script after implementing security template.

Seems like my issue might have to do with section 6.6 of the Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist. Seems like there are restrictions set on executable files. On my computer, with the NISTWinXPPro_enterprise_R1.2.1.inf template, I get "Access is Denied" when running login.bat files as a local user, but not as a local administrator.

6.6 File Permissions

This section provides general instructions regarding setting permissions through file system access control entries (ACE)[102] and access control lists (ACL) for Windows XP.[103] The NIST templates and GPOs restrict access to dozens of executables, protecting them from unauthorized modification and usage. Additional custom settings may be added that are specific to the environment in which the Windows XP machine resides. Changes to an ACL for a specific resource, such as a file or folder, can be made using one of three possible methods:

- Open the Properties window for a resource from its context menu and click on the Security tab. It displays the privileges that each user or group has to the resource. The Advanced button can be used to set more granular permission rights and additional settings such as file auditing and the owner of the resource.
- Use the utility cacls.exe found in %SystemRoot%\system32.[104] This is a command-line interface used to set file ACLs, but it does not set Windows XP security descriptors.
- Use the MMC Security Template snap-in to apply settings from a template.

Windows XP uses an inheritance model for assigning ACEs. An object's ACL can contain ACEs that it inherited from its parent container. For example, a file in an NTFS filesystem can inherit ACEs from the directory that contains it. In addition, an ACE that is directly applied to a filesystem object is given a higher priority than an inherited ACE. The directly applied ACE overrides any conflicting inherited ACEs.

[102] An ACE is an entry that binds a security identifier (SID) to a set of permissions within an ACL.
[103] Once file permissions are applied, there is not an automatic way to undo them or otherwise return the files to their previous permissions. Additional procedures, such as recording the original file permissions before applying new ones, may be needed to provide an undo capability. The same is true for the registry permissions described in Section 6.7.

McKnife (Germany):

"I get access is Denied with runing login.bat files as a local user, but not as a local administrator" - if you need help resolving this, please quote
A) the batch
B) the ACLs for all files of the batch (including net.exe)
victor2008 (asker):
Hi McKnife,

You want me to copy/paste what is in my login.bat file?  Also, how do I get the info for ACLs for all files of the batch (including net.exe)?  I tried using Process Monitor v1.22
http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx but can't seem to get the filter to work to give me ACL info.

Thank you for your time!
McKnife:

Yes, please quote the contents of login.bat. About ACLs, right-click the files and select Properties and go to the Security tab. There you can see the ACL. Or you could use the command cacls. Example - the command
cacls c:\windows\system32\net.exe
returns
c:\windows\system32\net.exe BUILTIN\Users:R
                            BUILTIN\Power Users:R
                            BUILTIN\Administrators:F
                            NT AUTHORITY\SYSTEM:F
That's what we need for each file mentioned in the login.bat (if there are other files but net.exe [taken from net use]). Also retrieve the ACL for login.bat itself.
victor2008:

Thanks! Here's the info. Note: I took out the original IP addresses and share names for anonymity.

Login.bat:

net use T: \\123.123.123.123\share1
net use u:  \\123.123.123.123\share2
net use V:  \\123.123.123.123\share3
net use W: \\123.123.123.123\share4
net use M:  \\123.123.123.123\share5
net use X:  \\123.123.123.123\share6

echo Configuring printers...

\\123.123.123.123\Scripts\con2prt /c \\123.123.123.123\108Print

\\123.123.123.123\Scripts\con2prt /c \\123.123.123.123\LANIERCopier

\\123.123.123.123\Scripts\con2prt /c \\123.123.123.123\HPColor


ACLs:

C:\>cacls X:\login.bat
X:\login.bat DOMAIN\Grad-Staff-gs:F
             BUILTIN\Administrators:F
             NT AUTHORITY\SYSTEM:F
             BUILTIN\Users:R
McKnife:

And cacls c:\windows\system32\net.exe?
victor2008:

Sorry, here it is:

C:\>cacls c:\windows\system32\net.exe
c:\windows\system32\net.exe BUILTIN\Administrators:F
                            NT AUTHORITY\SYSTEM:F
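As an added example (not code from the thread or from either participant), a small Python parser for the cacls.exe output format McKnife describes, run over the three ACL listings quoted in this thread: net.exe before the NIST template (McKnife's example), net.exe after it (victor2008's machine), and login.bat. It reports which of the groups a login-script user belongs to lack read, and therefore execute, access; it assumes the simple one-letter permission form shown above.

```python
# cacls.exe permission letters (Windows XP): N none, R read, W write,
# C change, F full control.  Running a .bat or .exe needs R, C or F.
READ_CAPABLE = {"R", "C", "F"}

# cacls output quoted in the thread: net.exe before the NIST template
# (McKnife's example) and after it (victor2008's machine), plus login.bat.
NET_EXE = r"c:\windows\system32\net.exe"
NET_EXE_BEFORE = r"""c:\windows\system32\net.exe BUILTIN\Users:R
                            BUILTIN\Power Users:R
                            BUILTIN\Administrators:F
                            NT AUTHORITY\SYSTEM:F
"""
NET_EXE_AFTER = r"""c:\windows\system32\net.exe BUILTIN\Administrators:F
                            NT AUTHORITY\SYSTEM:F
"""
LOGIN_BAT = r"X:\login.bat"
LOGIN_BAT_ACL = r"""X:\login.bat DOMAIN\Grad-Staff-gs:F
             BUILTIN\Administrators:F
             NT AUTHORITY\SYSTEM:F
             BUILTIN\Users:R
"""

def parse_cacls(path, output):
    """Parse cacls.exe output for one file into {principal: perms}.

    cacls prints the path once, on the first line, followed by the first
    ACE; further ACEs are one per indented line, each 'DOMAIN\\name:perms'.
    Only the one-letter form is handled; '(special access:)' lines are skipped.
    """
    acl = {}
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()      # drop the path on line 1
        principal, _, perms = line.rpartition(":")
        if principal and perms.isalpha():
            acl[principal] = perms
    return acl

def missing_read_access(path, output, principals):
    """Principals (e.g. the groups a login-script user belongs to) that
    cannot read, and therefore cannot run, the file."""
    acl = parse_cacls(path, output)
    return [p for p in principals if acl.get(p) not in READ_CAPABLE]

if __name__ == "__main__":
    for name, out in ((NET_EXE, NET_EXE_BEFORE), (NET_EXE, NET_EXE_AFTER),
                      (LOGIN_BAT, LOGIN_BAT_ACL)):
        gap = missing_read_access(name, out, [r"BUILTIN\Users"])
        print(name, "-> missing read access for:", gap or "nobody")
```

Run as-is, it shows the post-template net.exe as the only file BUILTIN\Users cannot read, which matches the "Access is Denied" seen for local users but not administrators.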
ASKER CERTIFIED SOLUTION

McKnife (Germany): accepted solution, available only to Experts Exchange members.
victor2008:

Thanks so much!!!

Do you think the Security template changed permissions on net.exe?  The problem did not exist before I implemented the template.  I'm wondering how I can give local users read and execute rights to net.exe via changing the security template or should I just do this on each computer?

You deserve an A+ on this!
victor2008:

To fix what the template changed: go to Security Settings, File System, %SystemRoot%\system32\net.exe, click Edit Security, then add a security group to the list.
McKnife:

Yes, most probably the template did that. Takes away a lot of functionality. Your way to distribute the permissions is the right one.