I would like to contribute some lines of my code to the community (as I have noticed that several people had problems using setacl.exe from within AutoIt). Probably there are more includes than necessary...feel free to clean up here as well as in other areas...
To use it you will have to copy the x86 and x64 versions of setacl.exe to a tools-directory with the following names: "SetACL-x64.exe" and "SetACL-x32.exe".
```autoit
#include <Constants.au3>
#include <GUIConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <StaticConstants.au3>
#include <String.au3>
#include <file.au3>
#include <Array.au3>

; Define global variables
; ==================================================================================================
Global $s_ini_file = "setacls.ini"
Global $s_ini_sections = IniReadSectionNames($s_ini_file)

; Run da shi-i-iiit!
; ==================================================================================================
_setACLs()

; Function _setACLs to harden ACLs on security relevant files and directories specified in the INI-File
; ==============================================================================================
Func _setACLs()
    ; Check how many of the 20 possible objects are defined in the INI-File ($counter)
    Local $counter = 0
    For $j = 0 To 19
        $actualACLobject = "ACLobject_" & $j
        If IniRead($s_ini_file, "Settings", $actualACLobject, "") <> '' Then
            $counter = $counter + 1
        EndIf
    Next
    ; Nothing to do (and no zero-sized array to declare) if no object is defined
    If $counter = 0 Then Return

    ; Create the array $arrACLobjects (sized by $counter) and fill it with the defined objects.
    ; $k indexes the array, so gaps in the ACLobject_n numbering can't write past its end.
    Local $arrACLobjects[$counter]
    Local $k = 0
    For $j = 0 To 19
        $actualACLobject = "ACLobject_" & $j
        $s_object = IniRead($s_ini_file, "Settings", $actualACLobject, "")
        If $s_object <> '' Then
            $arrACLobjects[$k] = $s_object
            $k = $k + 1
        EndIf
    Next

    ; Set a variable containing the right filename for SetACL.exe depending on the local machine's bit count (x32 or x64)
    ; (Not binds tighter than = in AutoIt, so "If Not _OSBits() = 32" would never be true; compare directly)
    $s_ToolsShare = IniRead($s_ini_file, "Settings", "ToolsShare", "")
    If _OSBits() = 64 Then
        $s_ACLtool = "SetACL-x64.exe"
    Else
        $s_ACLtool = "SetACL-x32.exe"
    EndIf

    ; Set the ACLs for all objects specified in the INI-File
    For $i = 0 To UBound($arrACLobjects) - 1
        $InfoValue = "Setting File and Directory ACLs..."
        _InfoGUI($InfoValue)
        ; revoke AllAccess for "Everyone", "Users" and "Power Users"
        ; set FullAccess for "Administrators" and "System"
        ; remove inherited permissions
        ; inherit the new ones recursively
        ; Note: the tool path is passed to cmd.exe unquoted, so ToolsShare must not contain spaces
        $cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on """ & $arrACLobjects[$i] & """ -ot file" & _
                " -actn ace -ace ""n:everyone;m:revoke"" -ace ""n:users;m:revoke"" -ace ""n:power users;m:revoke""" & _
                " -ace ""n:S-1-5-32-544;p:full;s:y"" -ace ""n:S-1-5-18;p:full;s:y""" & _
                " -actn setprot -op ""dacl:p_nc;sacl:p_nc"" -rec cont_obj"
        RunWait(@ComSpec & " /c " & $cmd, "", @SW_SHOW)
        GUIDelete()
    Next
EndFunc   ;==>_setACLs

; Function _OSBits to check if the host's OS is 32 or 64bits, returns 64 or 32
; ==============================================================================================
Func _OSBits()
    ; GetSystemWow64Directory fills the buffer only on 64-bit Windows; on 32-bit it returns 0
    ; and leaves the buffer empty (on systems without the export DllCall fails and we fall through to 32)
    Local $tOS = DllStructCreate("char[256]")
    Local $aGSWD = DllCall("Kernel32.dll", "int", "GetSystemWow64Directory", "ptr", DllStructGetPtr($tOS), "int", 256)
    If IsArray($aGSWD) And DllStructGetData($tOS, 1) Then Return 64
    Return 32
EndFunc   ;==>_OSBits

; Function _InfoGUI to display an info about the task currently processed.
; ==============================================================================================
Func _InfoGUI($InfoValue)
    GUICreate("", 300, 100, -1, -1, $WS_POPUP, $WS_EX_TOOLWINDOW)
    GUICtrlCreateLabel($InfoValue, 0, 45, 300, -1, $SS_CENTER)
    GUISetState(@SW_SHOW)
    Sleep(500)
EndFunc   ;==>_InfoGUI
```
Also you would need an INI-file looking like this:
```ini
;####################################ACL Settings####################################
; Here up to 20 objects may be defined to set ACLs on. The ACLs of the objects defined
; here are set to the following ITSC104 compliant values:
;
; "COMPUTERNAME\System" = FullAccess
; "COMPUTERNAME\Administrators" = FullAccess
; "COMPUTERNAME\Users" = NoAccess
; "COMPUTERNAME\PowerUsers" = NoAccess
; "COMPUTERNAME\Everyone" = NoAccess
;
[Settings]
ACLobject_0=c:\AUTOEXEC.BAT
ACLobject_1=c:\boot.ini
ACLobject_2=c:\CONFIG.SYS
ACLobject_3=c:\IO.SYS
ACLobject_4=c:\MSDOS.SYS
ACLobject_5=c:\NTDETECT.COM
ACLobject_6=c:\ntldr
ACLobject_7=c:\WINDOWS\repair
ACLobject_8=c:\WINDOWS\security
ACLobject_9=c:\WINDOWS\system32\config
ACLobject_10=c:\WINDOWS\system32\dllcache
ACLobject_11=c:\WINDOWS\system32\GroupPolicy
ACLobject_12=
ACLobject_13=
ACLobject_14=
ACLobject_15=
ACLobject_16=
ACLobject_17=
ACLobject_18=
ACLobject_19=
;
; The "ToolsShare" item shouldn't end with a \ or you would have to change the $cmd = [...] line accordingly!
;
ToolsShare=\\server\share\directory
```
Best Regards,
Chris
Edited by cherdeg, 26 June 2008 - 08:38 AM.
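A verification step to run after the script above has done its work, added here as an example and not part of cherdeg's post: it re-reads the same setacls.ini and checks that each ACLobject's DACL really ended up in the state the INI comments describe (inheritance disabled, no ACE for Everyone/Users/Power Users, FullControl for Administrators and SYSTEM). It assumes setacls.ini sits in the current directory and that it runs in an elevated PowerShell session.

```powershell
# Parse the [Settings] key=value pairs of setacls.ini (comments and section headers skipped)
$settings = @{}
foreach ($line in Get-Content -LiteralPath '.\setacls.ini') {
    $t = $line.Trim()
    if ($t -eq '' -or $t.StartsWith(';') -or $t.StartsWith('[')) { continue }
    $parts = $t -split '=', 2
    if ($parts.Count -eq 2) { $settings[$parts[0].Trim()] = $parts[1].Trim() }
}

# Well-known SIDs, so the check does not depend on the OS language or on COMPUTERNAME
$mustHaveFull = @('S-1-5-32-544', 'S-1-5-18')                # Administrators, SYSTEM
$mustBeAbsent = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-32-547')  # Everyone, Users, Power Users
$fullControl  = [System.Security.AccessControl.FileSystemRights]::FullControl
$sidType      = [System.Security.Principal.SecurityIdentifier]

foreach ($n in 0..19) {                                       # the script reads ACLobject_0..19
    $obj = $settings["ACLobject_$n"]
    if ([string]::IsNullOrEmpty($obj)) { continue }
    if (-not (Test-Path -LiteralPath $obj)) { Write-Warning "$obj not found"; continue }

    $acl = Get-Acl -LiteralPath $obj
    $problems = @()

    # "-actn setprot -op dacl:p_nc" must have left the DACL protected from inheritance
    if (-not $acl.AreAccessRulesProtected) { $problems += 'inheritance still enabled' }

    # The revoked principals must have no ACE left at all
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate($sidType).Value
        if ($mustBeAbsent -contains $sid) { $problems += "ACE still present for $($ace.IdentityReference)" }
    }

    # Administrators and SYSTEM need an Allow ACE carrying FullControl
    # (268435456 = GENERIC_ALL, how some tools express full access on inherit-only entries)
    foreach ($sid in $mustHaveFull) {
        $ok = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate($sidType).Value -eq $sid -and
            ((($_.FileSystemRights -band $fullControl) -eq $fullControl) -or ([int]$_.FileSystemRights -eq 268435456))
        }
        if (-not $ok) { $problems += "no FullControl Allow ACE for $sid" }
    }

    if ($problems.Count -eq 0) { "OK    $obj" } else { "FAIL  $obj : $($problems -join '; ')" }
}
```

Any FAIL line names the object and the specific deviation, which is what you want in a hardening log before trusting that the SetACL run took effect everywhere.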