Start Free TrialLog in
Avatar of victor2008
victor2008Flag for United States of America

asked on 

Network Drive not automatically connecting VIA login script after implementing security template.

Seems like my issue might have to do with section 6.6 of the Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist.  Seems like there are restrictions set on executable files.    On my computer, with the NISTWinXPPro_enterprise_R1.2.1.inf template, I get access is Denied with runing login.bat files as a local user, but not as a local administrator.

 6.6 File Permissions
This section provides general instructions regarding setting permissions through file system access
control entries (ACE)102 and access control lists (ACL) for Windows XP.103  The NIST templates and
GPOs restrict access to dozens of executables, protecting them from unauthorized modification and
usage.  Additional custom settings may be added that are specific to the environment in which the
Windows XP machine resides.  Changes to an ACL for a specific resource, such as a file or folder, can be
made using one of three possible methods:
 Open the Properties window for a resource from its context menu and click on the Security tab.  It
displays the privileges that each user or group has to the resource.  The Advanced button can be used
to set more granular permission rights and additional settings such as file auditing and the owner of
the resource.
                                                     
102
  An ACE is an entry that binds a security identifier (SID) to a set of permissions within an ACL.
103
  Once file permissions are applied, there is not an automatic way to undo them or otherwise return the files to their previous
permissions.  Additional procedures, such as recording the original file permissions before applying new ones, may be
needed to provide an undo capability.  The same is true for the registry permissions described in Section 6.7.

 Use the utility cacls.exe found in %SystemRoot%\system32.104  This is a command-line interface
used to set file ACLs, but it does not set Windows XP security descriptors.
 Use the MMC Security Template snap-in to apply settings from a template.
Windows XP uses an inheritance model for assigning ACEs.  An objects ACL can contain ACEs that it
inherited from its parent container.  For example, a file in an NTFS filesystem can inherit ACEs from the
directory that contains it.  In addition, an ACE that is directly applied to a filesystem object is given a
higher priority than an inherited ACE.  The directly applied ACE overrides any conflicting inherited
ACEs.  

OS Security
Avatar of undefined
Last Comment
McKnife
Avatar of McKnife
McKnife
Flag of Germany image
"I get access is Denied with runing login.bat files as a local user, but not as a local administrator" - if you need help resolving this, please quote
A the batch
B the ACLs for all files of the batch (including net.exe)
Avatar of victor2008
victor2008
Flag of United States of America image

ASKER

Hi McKnife,

You want me to copy/paste what is in my login.bat file?  Also, how do I get the info for ACLs for all files of the batch (including net.exe)?  I tried using Process Monitor v1.22
http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx but can't seem to get the filter to work to give me ACL info.

Thank you for your time!
Avatar of McKnife
McKnife
Flag of Germany image
Yes, please quote the contents of login.bat. About ACLs, rightclick the files and select properties and go to the security tab. There you can see the ACL. Or you could use the command cacls. Example - the command
cacls c:\windows\system32\net.exe
returns
c:\windows\system32\net.exe BUILTIN\Users:R
                            BUILTIN\Power Users:R
                            BUILTIN\Administrators:F
                            NT AUTHORITY\SYSTEM:F
That's what we need for each file mentioned in the login.bat (if there are other files but net.exe [taken from net use]). Also retrieve the ACL for login.bat itself.
Avatar of victor2008
victor2008
Flag of United States of America image

ASKER

Thanks! Here's the info.  Note: I took out the original IP addresses and share names for anonymity.

Login.bat:

net use T: \\123.123.123.123\share1
net use u:  \\123.123.123.123\share2
net use V:  \\123.123.123.123\share3
net use W: \\123.123.123.123\share4
net use M:  \\123.123.123.123\share5
net use X:  \\123.123.123.123\share6

echo Configuring printers...

\\123.123.123.123\Scripts\con2prt /c \\123.123.123.123\108Print

\\123.123.123.123\Scripts\con2prt /c \\123.123.123.123\LANIERCopier

\\123.123.123.123\Scripts\con2prt /c \123.123.123.123\HPColor


ACLs:

C:\>cacls X:\login.bat
X:\login.bat DOMAIN\Grad-Staff-gs:F
             BUILTIN\Administrators:F
             NT AUTHORITY\SYSTEM:F
             BUILTIN\Users:R
Avatar of McKnife
McKnife
Flag of Germany image
And cacls c:\windows\system32\net.exe?
Avatar of victor2008
victor2008
Flag of United States of America image

ASKER

sorry, here it is:

C:\>cacls c:\windows\system32\net.exe
c:\windows\system32\net.exe BUILTIN\Administrators:F
                            NT AUTHORITY\SYSTEM:F
ASKER CERTIFIED SOLUTION
Avatar of McKnife
McKnife
Flag of Germany image
Blurred text
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of victor2008
victor2008
Flag of United States of America image

ASKER

Thanks so much!!!

Do you think the Security template changed permissions on net.exe?  The problem did not exist before I implemented the template.  I'm wondering how I can give local users read and execute rights to net.exe via changing the security template or should I just do this on each computer?

You deserve an A+ on this!
Avatar of victor2008
victor2008
Flag of United States of America image

ASKER

To fix what the template changed: Go to Security Settings, File System, %SystemRoot%\system32\net.exe  click edit security then add a security group to the list.  
Avatar of McKnife
McKnife
Flag of Germany image
Yes, most probably the template did that. Takes away a lot of functionality. Your way to distribute the permissions is the right one.
OS Security
OS Security

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.

22K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
Ask the experts

  • "Invaluable tool for our organization"

    Josh Regalski

  • "Your help has saved me hundreds of hours of internet surfing."

    @fblack61

  • "Just a dang good service!"

    @golferski

  • "Worth every penny."

    Steve Hougom

  • "It’s been a life saver."

    Maria Halt

  • "Best support site I’ve seen!"

    Bob Schneider

  • "I would be lost without them."

    @fblack61

  • "Saved my job multiple times."

    Walt Forbes

  • "I love this site."

    Maria Duwe

  • "Friendly respectful help."

    Andrew Kowtalo

  • "Such top-notch experts."

    @magento

  • "The best money I have ever spent."

    @rwheeler23

  • "Beyond any comprehensible value"

    George Morris

  • "Invaluable tool for our organization"

    Josh Regalski

Read over 600 more reviews

TRUSTED BY

IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo
© 1996-2023 Experts Exchange, LLC. All rights reserved. Covered by US Patent