Saturday, March 15, 2008

Create or modify a security template for NTFS permissions

This process will allow you to create a security template that can be applied on an NTFS volume. The major benefit of this is to have a known-good record of NTFS security, which can be reapplied at any time. This can be useful in reversing/recovering from unwanted changes, providing audit information, and generally allowing more rigour when securing a shared file system.


Method:
  1. If modifying an existing template, skip to step 3.
  2. Copy an existing template or use the sample template from the 'References' section to create a new security template.
  3. Ensure the ACL is set correctly on the source path (including object and container inheritance).
  4. Run 'setacl -ot file -actn list -lst f:sddl -on \\%SERVER%\%PATH%' to list the ACL in SDDL format.
  5. For each SID in the output, run 'psgetsid \\%SERVER% %SID%' to verify that it resolves to the intended group.
  6. Copy the SDDL string into the [File Security] section and replace the '\\?\UNC\%SERVER%\%PATH%' reference with the local path (e.g. 'D:\Temp').
  7. Run 'secedit /configure /db %TEMP%\SEC%RANDOM%.SDB /cfg %NEWLY_CREATED_INF% /areas FILESTORE /log %TEMP%\SEC%RANDOM%.Log' to test the newly created template.
  8. If the template applies successfully, use cacls or the GUI to verify that the permissions are still set correctly (including inheritance and propagation).
  9. If the template does not apply successfully, check the log, and be aware that the permissions may be in an unpredictable state because template application stops at the point of failure.
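A worked helper for steps 4 to 6, added here and not part of the original post: it parses the DACL string that setacl prints (the post's own example template is used as input) into individual ACEs, lists the SIDs that still have to be checked with psgetsid, and rewrites an administrative-share UNC path into the local path needed for the [File Security] entry. Only the SDDL abbreviations that appear in this post plus a few common ones are decoded; the named access masks are the standard NTFS ones.

```python
import re

# Subset of SDDL abbreviations (the post's template uses BA, SY and FA) and the
# standard NTFS access masks; 0x1301bf from the template is the "Modify" mask.
WELL_KNOWN_SIDS = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
                   "BU": "BUILTIN\\Users", "AU": "NT AUTHORITY\\Authenticated Users"}
RIGHTS_ABBREV = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
NAMED_MASKS = {0x1F01FF: "Full Control", 0x1301BF: "Modify",
               0x1200A9: "Read & Execute", 0x120089: "Read", 0x120116: "Write"}
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def parse_dacl(sddl):
    """Parse the 'D:<flags>(ace)(ace)...' string that 'setacl -lst f:sddl' prints.

    Returns (dacl_flags, list of ACE dicts). Only the DACL is decoded; any
    O:/G:/S: components in front of it are skipped.
    """
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in: " + sddl)
    aces = []
    for atype, flags, rights, _otype, _itype, sid in ACE_RE.findall(m.group(2)):
        # rights is either an abbreviation (FA) or a hex mask (0x1301bf)
        mask = RIGHTS_ABBREV[rights] if rights in RIGHTS_ABBREV else int(rights, 16)
        aces.append({"type": atype, "inherit": flags, "mask": mask,
                     "rights": NAMED_MASKS.get(mask, hex(mask)),
                     "sid": sid, "trustee": WELL_KNOWN_SIDS.get(sid, sid)})
    return m.group(1), aces


def sids_to_verify(aces):
    """SIDs that are not well-known abbreviations: resolve each with psgetsid (step 5)."""
    return [a["sid"] for a in aces if a["sid"] not in WELL_KNOWN_SIDS]


def unc_to_local(path):
    """Turn '\\\\?\\UNC\\SERVER\\d$\\Temp' into 'D:\\Temp' for an administrative share (step 6)."""
    m = re.match(r"\\\\\?\\UNC\\[^\\]+\\([A-Za-z])\$(\\.*)?$", path)
    if not m:
        raise ValueError("not an administrative-share UNC path: " + path)
    return m.group(1).upper() + ":" + (m.group(2) or "\\")


def file_security_line(local_path, sddl):
    """One [File Security] entry in the template format; the SDDL is used verbatim."""
    return '"%s",0,"%s"' % (local_path, sddl)
```

Any SID that sids_to_verify() returns should be resolved with psgetsid before the line is pasted into the template, because secedit will not tell you that a SID refers to the wrong group.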

Requirements:

  • SetACL.exe, a publicly available command-line utility (see references below)
  • PSGetSid.exe, a SysInternals command-line utility (see references below)

Notes:

  1. This procedure has been tested only on Windows Server 2003.
  2. The SetACL command above specifies an object type of file, an action of list, and list output in SDDL format, for the specified object name, e.g. setacl -ot file -actn list -lst f:sddl -on \\%server%\d$
  3. When using PsGetSID, if the SID refers to a domain object other than the domain your workstation is in, you will need to supply a Domain Controller for the domain.
  4. If you are confident with the SDDL syntax, you can skip steps 3 and 4, simply finding the SID and creating/modifying a template.
  5. If a directory named in a security template entry does not exist, application of the template stops at that entry, potentially leaving the ACLs in an unpredictable state.

References

SDDL syntax in secedit security templates:
http://waynes-world-it.blogspot.com/2008/03/sddl-syntax-in-secedit-security.html

SetACL command-line utility:
http://setacl.sourceforge.net

PSGetSID command-line utility:
http://www.sysinternals.com

SDDL syntax:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/security_descriptor_string_format.asp


Example template:
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Change Control
[File Security]
"C:\Template",0,"D:AR(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;S-1-5-21-%SubAuthority%-%RID%)(A;OICI;FA;;;SY)"

Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.