Hello everyone,
It has been revealed to us from a vulnerability scan that a program that many people use has an ACE of Everyone, Full Control. I have found that I am able to remove that entry and replace it with Authenticated Users, Read and Execute, and the program still works. Real dick move from these developers!!! I am now in the process of writing a PowerShell script to accomplish this. Here is the script that I have so far:
# Read the folder's current ACL
$Acl = Get-Acl "C:\Program Files (x86)\Fakeprogram\subfolder"
# Build the ACE to add and the ACE to remove
$AU = New-Object System.Security.AccessControl.FileSystemAccessRule("Authenticated Users", "ReadAndExecute", "Allow")
$Everyone = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "FullControl", "Allow")
$Acl.AddAccessRule($AU)
$Acl.RemoveAccessRule($Everyone)
# Write the modified ACL back to the folder
Set-Acl "C:\Program Files (x86)\Fakeprogram\subfolder" $Acl
The result of this is that it adds the Authenticated Users group, but on the Security tab it just says "special permissions"; you go to Advanced and then you see Read & Execute. The Everyone group is the same way after this, but it says Full Control in the Advanced permissions, and that is obviously not true because I now get prompted for admin credentials when I go to change the permissions back in the GUI. I am frustrated with this one, because I read a bunch of things online about this, did what everyone told me, and these are the results that I am getting. Can anyone tell me if I am doing anything wrong that is causing all this weirdness? I think that you can all imagine that I am just trying to remove Everyone: Full Control and add Authenticated Users: Read and Execute, and have it look as if I did it through the GUI.
Changing the ACL from "Everyone" to "Authenticated Users" is not a big change!
The only difference is "guest users", who are probably not enabled.
Now, the problem that you have is that "administrators" are members of "authenticated users", like all other users. So they have the same restrictions (Read and Execute) as all other normal users.
You should create another ACL (ACE) entry to give all permissions to admin users.
Also take care of inherited or not inherited permissions.
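
An added example, not part of either post above: the three-argument `FileSystemAccessRule` constructor used in the question sets no inheritance flags, so the ACE applies to "This folder only", which the Security tab lists as "Special permissions". The sketch below builds the ACEs with `ContainerInherit, ObjectInherit`, purges the explicit Everyone entries, and adds the administrators ACE the reply suggests. The demo folder under `$env:TEMP` and the `New-Rule` helper are assumptions made for illustration.

```powershell
# Constructed demo folder (assumption); point $Path at the real folder when adapting.
$Path = Join-Path $env:TEMP 'AclDemo\subfolder'
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Well-known SIDs, so the script does not depend on localized group names.
$Everyone  = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$AuthUsers = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')
$Admins    = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

# Hypothetical helper: builds an Allow ACE that applies to
# "This folder, subfolders and files", which is what the GUI creates.
function New-Rule {
    param(
        [System.Security.Principal.IdentityReference]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $inherit, $propagate, $allow
}

# Reproduce the scan finding on the demo folder: Everyone / Full Control.
$Acl = Get-Acl -Path $Path
$Acl.AddAccessRule((New-Rule $Everyone 'FullControl'))
Set-Acl -Path $Path -AclObject $Acl

# Remediate: drop every explicit Everyone ACE, then grant the intended rights.
$Acl = Get-Acl -Path $Path
$Acl.PurgeAccessRules($Everyone)
$Acl.SetAccessRule((New-Rule $AuthUsers 'ReadAndExecute'))
$Acl.SetAccessRule((New-Rule $Admins 'FullControl'))   # admin ACE, as the reply suggests
Set-Acl -Path $Path -AclObject $Acl

# Explicit edits cannot remove an inherited ACE; flag it so the parent gets fixed.
$sidType   = [System.Security.Principal.SecurityIdentifier]
$inherited = (Get-Acl -Path $Path).GetAccessRules($false, $true, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq $Everyone.Value }
if ($inherited) { Write-Warning "Everyone still has inherited access on $Path" }

# Verify: InheritanceFlags should read "ContainerInherit, ObjectInherit".
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

If the warning fires, the Everyone entry comes from a parent folder and has to be corrected there (or inheritance on the subfolder has to be broken deliberately) before a rescan will come back clean.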