victor2008 asked:

Network drive not automatically connecting via login script after implementing security template.

Seems like my issue might have to do with section 6.6 of the Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist. Seems like there are restrictions set on executable files. On my computer, with the NISTWinXPPro_enterprise_R1.2.1.inf template, I get "Access is denied" when running login.bat files as a local user, but not as a local administrator.

6.6 File Permissions

This section provides general instructions regarding setting permissions through file system access control entries (ACE) [102] and access control lists (ACL) for Windows XP. [103] The NIST templates and GPOs restrict access to dozens of executables, protecting them from unauthorized modification and usage. Additional custom settings may be added that are specific to the environment in which the Windows XP machine resides. Changes to an ACL for a specific resource, such as a file or folder, can be made using one of three possible methods:

• Open the Properties window for a resource from its context menu and click on the Security tab. It displays the privileges that each user or group has to the resource. The Advanced button can be used to set more granular permission rights and additional settings such as file auditing and the owner of the resource.
• Use the utility cacls.exe found in %SystemRoot%\system32. This is a command-line interface used to set file ACLs, but it does not set Windows XP security descriptors.
• Use the MMC Security Template snap-in to apply settings from a template.

Windows XP uses an inheritance model for assigning ACEs. An object's ACL can contain ACEs that it inherited from its parent container. For example, a file in an NTFS filesystem can inherit ACEs from the directory that contains it. In addition, an ACE that is directly applied to a filesystem object is given a higher priority than an inherited ACE. The directly applied ACE overrides any conflicting inherited ACEs.

[102] An ACE is an entry that binds a security identifier (SID) to a set of permissions within an ACL.
[103] Once file permissions are applied, there is not an automatic way to undo them or otherwise return the files to their previous permissions. Additional procedures, such as recording the original file permissions before applying new ones, may be needed to provide an undo capability. The same is true for the registry permissions described in Section 6.7.

OS Security

Last comment: McKnife, 8/22/2022 - Mon
McKnife

"I get access is Denied with running login.bat files as a local user, but not as a local administrator" - if you need help resolving this, please quote
A) the batch
B) the ACLs for all files of the batch (including net.exe)
ASKER
victor2008

Hi McKnife,

You want me to copy/paste what is in my login.bat file?  Also, how do I get the info for ACLs for all files of the batch (including net.exe)?  I tried using Process Monitor v1.22
http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx but can't seem to get the filter to work to give me ACL info.

Thank you for your time!
McKnife

Yes, please quote the contents of login.bat. About ACLs: right-click the files, select Properties and go to the Security tab. There you can see the ACL. Or you could use the command cacls. Example - the command
cacls c:\windows\system32\net.exe
returns
c:\windows\system32\net.exe BUILTIN\Users:R
                            BUILTIN\Power Users:R
                            BUILTIN\Administrators:F
                            NT AUTHORITY\SYSTEM:F
That's what we need for each file mentioned in the login.bat (if there are other files but net.exe [taken from net use]). Also retrieve the ACL for login.bat itself.
ASKER
victor2008

Thanks! Here's the info.  Note: I took out the original IP addresses and share names for anonymity.

Login.bat:

net use T: \\123.123.123.123\share1
net use u:  \\123.123.123.123\share2
net use V:  \\123.123.123.123\share3
net use W: \\123.123.123.123\share4
net use M:  \\123.123.123.123\share5
net use X:  \\123.123.123.123\share6

echo Configuring printers...

\\123.123.123.123\Scripts\con2prt /c \\123.123.123.123\108Print

\\123.123.123.123\Scripts\con2prt /c \\123.123.123.123\LANIERCopier

\\123.123.123.123\Scripts\con2prt /c \\123.123.123.123\HPColor


ACLs:

C:\>cacls X:\login.bat
X:\login.bat DOMAIN\Grad-Staff-gs:F
             BUILTIN\Administrators:F
             NT AUTHORITY\SYSTEM:F
             BUILTIN\Users:R
McKnife

And cacls c:\windows\system32\net.exe?
ASKER
victor2008

sorry, here it is:

C:\>cacls c:\windows\system32\net.exe
c:\windows\system32\net.exe BUILTIN\Administrators:F
                            NT AUTHORITY\SYSTEM:F
ASKER CERTIFIED SOLUTION
McKnife

Log in or sign up to see answer
ASKER
victor2008

Thanks so much!!!

Do you think the Security template changed permissions on net.exe?  The problem did not exist before I implemented the template.  I'm wondering how I can give local users read and execute rights to net.exe via changing the security template or should I just do this on each computer?

You deserve an A+ on this!
ASKER
victor2008

To fix what the template changed: go to Security Settings, File System, %SystemRoot%\system32\net.exe, click Edit Security, then add a security group to the list.
McKnife

Yes, most probably the template did that. Takes away a lot of functionality. Your way to distribute the permissions is the right one.
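
The ACL comparison done by hand in this thread can be scripted. The following is an added example, not part of the original thread: it parses cacls output in the one-letter format quoted above and lists the files a local non-administrator cannot read or run. The group list in LOCAL_USER and the function names are assumptions made for illustration.

```python
import re

SIMPLE_RIGHTS = {"F", "C", "R", "W", "N"}   # Full, Change, Read, Write, None
ALLOWS_EXECUTE = {"F", "C", "R"}            # rights that let a user read and run the file

def parse_cacls(path, output):
    """Parse `cacls <path>` output into {principal: right}; one-letter rights only."""
    text = output.strip()
    if text.lower().startswith(path.lower()):
        text = text[len(path):]              # first line is prefixed with the path
    acl = {}
    for line in text.splitlines():
        principal, _, right = line.strip().rpartition(":")
        right = re.sub(r"\([A-Z]+\)", "", right).strip()  # drop (OI)(CI)(IO) flags
        if principal and right in SIMPLE_RIGHTS:
            acl[principal.strip()] = right
    return acl

def can_execute(acl, groups):
    """True if no group of the caller is set to N and at least one grants F, C or R."""
    rights = [acl[g] for g in groups if g in acl]
    return "N" not in rights and any(r in ALLOWS_EXECUTE for r in rights)

def blocked_files(cacls_outputs, groups):
    """Return the paths the caller cannot read/execute, in input order."""
    return [p for p, out in cacls_outputs.items()
            if not can_execute(parse_cacls(p, out), groups)]

# Assumption: a local non-administrator matches only these well-known groups.
LOCAL_USER = [r"BUILTIN\Users", "Everyone", r"NT AUTHORITY\Authenticated Users"]

# cacls outputs copied from the thread above (net.exe after the template, login.bat).
AFTER_TEMPLATE = {
    r"c:\windows\system32\net.exe": r"""c:\windows\system32\net.exe BUILTIN\Administrators:F
                            NT AUTHORITY\SYSTEM:F""",
    r"X:\login.bat": r"""X:\login.bat DOMAIN\Grad-Staff-gs:F
             BUILTIN\Administrators:F
             NT AUTHORITY\SYSTEM:F
             BUILTIN\Users:R""",
}

if __name__ == "__main__":
    for path in blocked_files(AFTER_TEMPLATE, LOCAL_USER):
        print("no read/execute for local users:", path)
```

Saving the cacls output of the same files before applying a template gives the baseline that footnote 103 of the quoted NIST section recommends keeping.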