Jump to content



Photo

Set Auditing for Files and Folders using WMI

Started by cherdeg , Aug 13 2008 12:02 PM

  • Please log in to reply
9 replies to this topic

#1 cherdeg

cherdeg

    Polymath

  • Active Members
  • PipPipPipPip
  • 246 posts

Posted 13 August 2008 - 12:02 PM

Hi,

I'm currently evaluating the possibilities existing to set auditing for Files and Folders using WMI.

If you can't imagine what his is about, open Windows Explorer, got to "C:\", rightclick the mouse, chose "Properties" from the context menu and select the tab "Security". Click the "Advanced" button and select the tab "Auditing" in the following window. Here you can configure so called "SACL"s ("System Access Controll Lists", German users please check "http://www.it-visions.de/glossar/alle/186/System Access Control List.aspx") to have the operating system log the access to "C:\" or any other folder or file for the user or group specified here. So you could log each attempt of user "Tom" to change the access rights to the file "C:\boot.ini" or just his attempts to open the file. You can audit the success or failure of an attempt (or both).

I would like to set a full "success" auditing policy (log every kind of successful access) for the local group "Everyone" on special files/folders.

Up to now I came so far but have no clue how to reach my goal any further:

AutoIt          
; Set File Auditing for c:\temp
; ==================================================================================================

; Define variables
Local $s_FolderToAudit = "'c:\temp'"
Local $s_Computername = @ComputerName
Local $obj_WMIsecDes = "wmiSecurityDescriptor"
Local $obj_WMIfileSecSetting = ObjGet("winmgmts:Win32_LogicalFileSecuritySetting.Path=" & $s_FolderToAudit)

; Obtain existing security descriptor for folder 
$obj_GetVal = $obj_WMIfileSecSetting.GetSecurityDescriptor($obj_WMIsecDes)
MsgBox("", "GetSecurityDescriptor", $obj_GetVal)

$obj_varSACL = $obj_WMIsecDes.sacl

$obj_WMIprovider=ObjGet("winmgmts:\\" & $s_Computername & "\root\cimv2")
$obj_AceClass=$obj_WMIprovider.get("win32_ace")
$obj_Ace=$obj_AceClass.spawninstance_()
$obj_TrusteeClass=$obj_WMIprovider.Get("Win32_Trustee")
$obj_Trustee=$obj_TrusteeClass.spawninstance_()
 
$obj_Trustee.name="Everyone"
$obj_Trustee.sidstring="S-1-1-0"
$obj_Ace.accessmask=983551
$obj_Ace.acetype=2
$obj_Ace.aceflags=131
$obj_Ace.Trustee=$obj_Trustee

$obj_WMIsecDes.sacl=$obj_Ace

$obj_SetVal = $obj_WMIfileSecSetting.SetSecurityDescriptor($obj_WMIsecDes)
MsgBox("", "SetSecurityDescriptor", $obj_SetVal)

If $obj_SetVal = 0 Then
    MsgBox("", "pass", "pass")
else
    MsgBox("", "fail", "fail")
EndIf

I'm quite lost when it comes to setting the right values for .accessmask, .acetype and .aceflags. Also I haven't really understood the complete context. What are the values to call .SetSecurityDescriptor with and how is it called correctly? Is there anyone out there able to help me? I'm grateful for any bit of help...

Best Regards,

Chris




#2 cherdeg

cherdeg

    Polymath

  • Active Members
  • PipPipPipPip
  • 246 posts

Posted 14 August 2008 - 07:04 AM

Sombody has a Keepie Uppie Queen? :P

#3 ptrex

ptrex

    Universalist

  • MVPs
  • 2,399 posts

Posted 14 August 2008 - 12:26 PM

@cherdeg

WMI is not the best approch to use for this.

Better is GPO

regards,

ptrex
Contributions :Firewall Log Analyzer for XP - Creating COM objects without a need of DLL's - UPnP support in AU3Crystal Reports Viewer - PDFCreator in AutoIT - Duplicate File FinderSQLite3 Database functionality - USB Monitoring - Reading Excel using SQLRun Au3 as a Windows Service - File Monitor - Embedded Flash PlayerDynamic Functions - Control Panel Applets - Digital Signing Code - Excel Grid In AutoIT - Constants for Special Folders in WindowsRead data from Any Windows Edit Control - SOAP and Web Services in AutoIT - Barcode Printing Using PS - AU3 on LightTD WebserverMS LogParser SQL Engine in AutoIT - ImageMagick Image Processing - Converter @ Dec - Hex - Bin -Email Address Encoder - MSI Editor - SNMP - MIB ProtocolFinancial Functions UDF - Set ACL Permissions - Syntax HighLighter for AU3ADOR.RecordSet approach - Real OCR - HTTP Disk - PDF Reader Personal Worldclock - MS Indexing Engine - Printing ControlsGuiListView - Navigation (break the 4000 Limit barrier) - Registration Free COM DLL Distribution - WinRM SMART Analysis - COM Object Browser - Excel PivotTable Object - VLC Media Player - Windows LogOnOff Gui -Extract Data from Outlook to Word & Excel - Analyze Event ID 4226 - DotNet Compiler Wrapper - Powershell_COM New

#4 cherdeg

cherdeg

    Polymath

  • Active Members
  • PipPipPipPip
  • 246 posts

Posted 15 August 2008 - 08:18 AM

WMI is not the best approch to use for this.

Better is GPO

@ptrex

...YES, you're definiteley right. If someone manages an office or other production network this would be the most feasible option. But here we have a situation in which we have to manage about 2500 testbed machines (used for software building, debugging and testing), partly hardware, partly virtual machines on ESX, using all of the following operating systems: 2000 (Pro / Server / Adv.Server), XP (Home / Pro 32 and 64 bits), Server 2003 (all Eds.), Vista (all Eds.), Server 2008 (all Eds.)...and only a minority of the systems belongs to a domain.

Never the less we have to comply to certain security policies setup by the CTO of our local branch; one of which is auditing. My job is to optimize the automation of management for our testbed and due to the fact that I cannot conveniently implement GPOs I need to use WMI because at least it doesn't requires me to do the same step locally on every machine.

So maybe someone has a hint for me regarding WMI and SACLs?

Best Regards,

Chris

#5 cherdeg

cherdeg

    Polymath

  • Active Members
  • PipPipPipPip
  • 246 posts

Posted 18 August 2008 - 01:20 PM

Don't bother any further to help me out - if nobody want's to help (or is able to), a tech guy even today still has to walk the rocky way...and invent the wheel from scratch. At the end I simply used setACL.exe (-ace ""n:S-1-1-0;p:full;m:aud_succ;w:sacl;s:y"" sets up the logging of any successful attempt to access by the builtin group "everyone").

Never the less I would like to share my new wisdom with everybody else:
AutoIt          
; ####################################################################################
;
; Christoph Herdeg, July 2008
; http://www.cs-it-solutions.de
;
; ####################################################################################
#include <Constants.au3>
#include <GUIConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <StaticConstants.au3>
#include <String.au3>
#include <file.au3>
#include <Array.au3>

; Define global variables
; ==================================================================================================
Global $s_IniFile = "setACLs.ini"
Global $s_ini_sections = IniReadSectionNames($s_IniFile)
Global $i_OSbits = _OSBits()
Global $i_height

; Run da shi-i-iiit!
; ==================================================================================================
_setACLs()


; Function _setACLs to harden ACLs on security relevant files and directories specified in the INI-File
; ==============================================================================================
Func _setACLs()
    ; Create an array for the objects to change the ACLs on
    ; Check how many of the 20 possible Objects are defined in the INI-File ($i_counter)
    Local $i_counter = 0
    For $i = 0 To 19
        $s_actualACLobject = "ACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_actualACLobject, "") <> '' Then
            $i_counter = $i_counter + 1
        EndIf
    Next

    ; Create the array $a_ACLobjects (dynamically in size depending on $i_counter's value)
    Local $a_ACLobjects[$i_counter]
    For $i = 0 To $i_counter
        $s_actualACLobject = "ACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_actualACLobject, "") <> '' Then
            $a_ACLobjects[$i] = IniRead($s_IniFile, "Settings", $s_actualACLobject, "")
        EndIf
    Next
    
    ; Set a variable containing the right filename for SetACL.exe depending on the local machines bit count (x32 or x64)
    $s_ToolsShare = IniRead($s_IniFile, "Settings", "ToolsShare", "")
    If Not $i_OSbits = 32 Then 
        $s_ACLtool = "SetACL-x64.exe"
    Else
        $s_ACLtool = "SetACL-x32.exe"
    EndIf

    ; Set the ACLs for all objects specified in the INI-File
    For $i = 0 To UBound($a_ACLobjects) - 1
        ; revoke AllAccess for  "Everyone", "Users" and "Power Users"
        ; set FullAccess for    "Administrators" and "System" 
        ; remove inherited permissions 
        ; inherit the new ones recursivly
        $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on """ & $a_ACLobjects[$i] & """ -ot file -actn ace -ace ""n:S-1-1-0;m:revoke;s:y"" -ace ""n:S-1-5-32-545;m:revoke;s:y"" -ace ""n:S-1-5-32-547;m:revoke;s:y"" -ace ""n:S-1-5-32-544;p:full;s:y"" -ace ""n:S-1-1-0;p:full;m:aud_succ;w:sacl;s:y"" -ace ""n:S-1-5-18;p:full;s:y"" -actn setprot -op ""dacl:p_nc;sacl:p_nc"" -rec cont_obj"
        $s_InfoValue = "Using """ & $s_ACLtool & """ to harden ACLs on: " & @CRLF & @CRLF & $a_ACLobjects[$i]
        _InfoGui($s_InfoValue, 35)
        RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
        GUIDelete()
    Next
EndFunc   ;==>_setACLs


; Function _OSBits to check if the host's OS is 32 or 64bits, returns "64" or "32"
; ==============================================================================================
Func _OSBits()
    Local $tOS = DllStructCreate("char[256]")
    Local $aGSWD = DllCall("Kernel32.dll", "int", "GetSystemWow64Directory", "ptr", DllStructGetPtr($tOS), "int", 256)
    If IsArray($aGSWD) And DllStructGetData($tOS, 1) Then 
        Return 64
    Else
        Return 32
    EndIf
EndFunc   ;==>_OSBits


; Function _InfoGUI to display an info about the task currently processed.
; ==============================================================================================
Func _InfoGUI($InfoValue, $i_height)
    GUICreate("", 320, 100, -1, -1, $WS_Popup, $WS_EX_TOOLWINDOW, "")
    GUICtrlCreateLabel($InfoValue, 0, $i_height, 320, -1, $SS_center)
    GUISetState(@SW_SHOW)
    Sleep(500)
EndFunc   ;==>_InfoGUI

and:
CODE
; ####################################################################################
;
; Christoph Herdeg, July 2008
; http://www.cs-it-solutions.de
;
;####################################ACL Settings#####################################
; Here up to 20 objects may be defined to set ACLs on. The DACLs of the objects defined
; here are set to to the following values:
;
; "COMPUTERNAME\System" = FullAccess
; "COMPUTERNAME\Administrators" = FullAccess
; "COMPUTERNAME\Users" = NoAccess
; "COMPUTERNAME\PowerUsers" = NoAccess
; "COMPUTERNAME\Everyone" = NoAccess
;
; As well an audit policy is applied onto the objects below. The SACLs are set to log
; any successful attempts to access them by the builtin group "everyone".
;

[Settings]

ToolsShare=\\Server\Share\SetACLs\Tools

ACLobject_0=c:\AUTOEXEC.BAT
ACLobject_1=c:\boot.ini
ACLobject_2=c:\CONFIG.SYS
ACLobject_3=c:\IO.SYS
ACLobject_4=c:\MSDOS.SYS
ACLobject_5=c:\NTDETECT.COM
ACLobject_6=c:\ntldr
ACLobject_7=c:\WINDOWS\repair
ACLobject_8=c:\WINDOWS\security
ACLobject_9=c:\WINDOWS\system32\config
ACLobject_10=c:\WINDOWS\system32\dllcache
ACLobject_11=c:\WINDOWS\system32\GroupPolicy
ACLobject_12=
ACLobject_13=
ACLobject_14=
ACLobject_15=
ACLobject_16=
ACLobject_17=
ACLobject_18=
ACLobject_19=

Regards, Chris

Edited by cherdeg, 18 August 2008 - 01:24 PM.

#6 avery

avery

    Prodigy

  • Active Members
  • PipPipPip
  • 176 posts

Posted 21 August 2008 - 08:06 PM

Chris,

I do mostly the same thing on several platforms using the 'secedit.exe' command I found on all the Windows machines here where I work. I use mmc /s to build the inf template. I only wonder, why did you not use secedit.exe for this?

Nice job,
Thanks
www.abox.orgAvery HowellVisit My AutoIt Websitehttp://www.abox.org

#7 cherdeg

cherdeg

    Polymath

  • Active Members
  • PipPipPipPip
  • 246 posts

Posted 27 August 2008 - 01:36 PM

Chris,

I do mostly the same thing on several platforms using the 'secedit.exe' command I found on all the Windows machines here where I work. I use mmc /s to build the inf template. I only wonder, why did you not use secedit.exe for this?

Nice job,
Thanks

Hi,

...until now I didn't know that there is a way to build .inf templates. Do you think I could create one and merge it with our "base" security template, so I could receive decent permission and auditing settings by just applying that policy file? Would be great - ;) - although exactly today (before reading your post) I perfectionized my version using setacl.exe (please see below).

AutoIt          
#include <Constants.au3>
#include <GUIConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <StaticConstants.au3>
#include <String.au3>
#include <file.au3>
#include <Array.au3>

; Define global variables
; ==================================================================================================
Global $s_IniFile = "setACLs.ini"
Global $i_OSbits = _OSBits()
Global $i_height

; Check if the INI-File exists
; ==================================================================================================
$i_RVal = FileExists($s_IniFile)
If $i_RVal <> 1 Then
    MsgBox(16, "SetACLs", "Error! INI-File " & $s_IniFile & " not found!", "")
    Exit
EndIf

; Run da shi-i-iiit!
; ==================================================================================================
_setACLs()


; Function _setACLs to harden ACLs on security relevant files and directories specified in the INI-File
; ==============================================================================================
Func _setACLs()

    ; Ask for the password to access the ToolsShare
    $s_ToolsServer = IniRead($s_IniFile, "Settings", "ToolsServer", "")
    $s_AdminPassC = InputBox("SetACLs", "Please enter the password of an Administrator with access: ", "", "*", 300, 120)
    If $s_AdminPassC = '' Then
        MsgBox(16, "SetACLs", "Error! Empty credentials supplied - you are not allowed to access the share!", "")
        Exit
    Else
        Local $i_return = 0
        DriveMapDel($s_ToolsServer & "\c$")
        If DriveMapAdd("", $s_ToolsServer & "\c$", 0, "Administrator", $s_AdminPassC) = $i_return Then
            MsgBox(16, "SetACLs", "Error! Wrong credentials supplied - you are not allowed to access the share!", "")
            Exit
        EndIf
    EndIf
    
    ; Logon to the ToolsServer
    $s_InfoValue = """Logging on to " & $s_ToolsServer & "..."""
    _InfoGui($s_InfoValue, 45)
    RunWait(@ComSpec & " /c " & "net use " & $s_ToolsServer & "\postinstall /username: Administrator " & $s_AdminPassC, "", @SW_HIDE)
    GUIDelete()

    ; Set a variable containing the right filename for SetACL.exe depending on the local machines bit count (x32 or x64)
    $s_ToolsShare = IniRead($s_IniFile, "Settings", "ToolsShare", "")
    If Not $i_OSbits = 32 Then 
        $s_ACLtool = "SetACL-x64.exe"
    Else
        $s_ACLtool = "SetACL-x32.exe"
    EndIf
    
    ; Check if the chosen setacl*.exe is accessible
    $i_RVal = FileExists($s_ToolsShare & "\" & $s_ACLtool)
    If $i_RVal <> 1 Then
        MsgBox(16, "D5100 SetACLs", "Error!" & @CRLF & @CRLF & $s_ToolsShare & "\" & $s_ACLtool & @CRLF & @CRLF & "...is not accessible!", "")
        Exit
    EndIf

    ; Do a first run for the file and directory permissions (DACLs)
    ; Check how many of the 20 possible Objects have dACLs defined in the INI-File ($i_Dcounter)
    Local $i_Dcounter = 0
    For $i = 0 To 19
        $s_dACLobject = "dACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_dACLobject, "") <> "" Then
            $i_Dcounter = $i_Dcounter + 1
        EndIf
    Next

    ; Create the array $a_dACLobjects (dynamically in size depending on $i_counter's value)
    Local $a_dACLobjects[$i_Dcounter]
    For $i = 0 To $i_Dcounter - 1
        $s_dACLobject = "dACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_dACLobject, "") <> "" Then
            $a_dACLobjects[$i] = IniRead($s_IniFile, "Settings", $s_dACLobject, "")
        EndIf
    Next

    ; Set the ACLs for all objects specified in the INI-File
    Global $s_YesNo_P
    For $i = 0 To UBound($a_dACLobjects) - 1
        ; set SuccessAuditing for   "Everyone"
        ; inherit settings for "This folder and files only"
        ; do not inherit
        If $s_YesNo_P = "" Then
            $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on ""c:\\"" -ot file -actn ace -ace ""n:S-1-1-0;m:revoke;s:y"" -ace ""n:S-1-5-32-545;m:revoke;s:y"" -ace ""n:S-1-5-32-547;m:revoke;s:y"" -ace ""n:S-1-5-32-544;p:full;s:y"" -ace ""n:S-1-5-18;p:full;s:y"
            $s_InfoValue = "Using """ & $s_ACLtool & """ to set dACLS (Permissions) on: " & @CRLF & @CRLF & "C:" & @CRLF & "(This folder and files only)"
            _InfoGui($s_InfoValue, 25)
            RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
            $s_YesNo_P = "No"
            GUIDelete()
        EndIf
        ; revoke AllAccess for  "Everyone", "Users" and "Power Users"
        ; set FullAccess for    "Administrators" and "System" 
        ; copy inherited permissions 
        ; inherit the new ones recursivly
        $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on """ & $a_dACLobjects[$i] & """ -ot file -actn ace -ace ""n:S-1-1-0;m:revoke;i:sc,so;s:y"" -ace ""n:S-1-5-32-545;m:revoke;i:sc,so;s:y"" -ace ""n:S-1-5-32-547;m:revoke;i:sc,so;s:y"" -ace ""n:S-1-5-32-544;p:full;i:sc,so;s:y"" -ace ""n:S-1-5-18;p:full;i:sc,so;s:y"" -actn clear -clr ""dacl"" -actn rstchldrn -rst ""dacl" ; -rec cont_obj"
        ConsoleWrite("Command = " & $s_cmd & @CRLF)
        $s_InfoValue = "Using """ & $s_ACLtool & """ to set dACLS (Permissions) on: " & @CRLF & @CRLF & $a_dACLobjects[$i]
        _InfoGui($s_InfoValue, 35)
        RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
        GUIDelete()
    Next

    ; Do a second run for the file and directory auditing (SACLs)
    ; Check how many of the 20 possible Objects have sACLs defined in the INI-File ($i_Scounter)    
    Local $i_Scounter = 0
    For $i = 0 To 19
        $s_sACLobject = "sACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_sACLobject, "") <> "" Then
            $i_Scounter = $i_Scounter + 1
        EndIf
    Next

    ; Create the array $a_sACLobjects (dynamically in size depending on $i_counter's value)
    Local $a_sACLobjects[$i_Scounter]
    For $i = 0 To $i_Scounter - 1
        $s_sACLobject = "sACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_sACLobject, "") <> "" Then
            $a_sACLobjects[$i] = IniRead($s_IniFile, "Settings", $s_sACLobject, "")
        EndIf
    Next

    ; Set auditing for C:\ once and cycle as long as there are objects within the array
    Global $s_YesNo_A
    For $i = 0 To UBound($a_sACLobjects) - 1
        ; set SuccessAuditing for   "Everyone"
        ; inherit settings for "This folder and files only"
        ; do not inherit
        If $s_YesNo_A = "" Then
            $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on ""c:\\"" -ot file -actn ace -ace ""n:S-1-1-0;p:full;m:aud_succ;i:so,np;w:sacl;s:y"
            $s_InfoValue = "Using """ & $s_ACLtool & """ to set sACLS (Auditing) on: " & @CRLF & @CRLF & "C:" & @CRLF & "(This folder and files only)"
            _InfoGui($s_InfoValue, 25)
            RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
            $s_YesNo_A = "No"
            GUIDelete()
        EndIf
        ; set SuccessAuditing for   "Everyone"
        ; copy inherited settings
        ; inherit settings recursivly
        $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on """ & $a_sACLobjects[$i] & """ -ot file -actn ace -ace ""n:S-1-1-0;p:full;m:aud_succ;i:so,sc;w:sacl;s:y"" -actn setprot -op ""sacl:p_c"" -actn clear -clr ""sacl"" -actn rstchldrn -rst ""sacl" ; -rec cont_obj
        $s_InfoValue = "Using """ & $s_ACLtool & """ to set sACLS (Auditing) on: " & @CRLF & @CRLF & $a_sACLobjects[$i]
        _InfoGui($s_InfoValue, 35)
        RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
        GUIDelete()
    Next
    
EndFunc   ;==>_setACLs


; Function _OSBits to check if the host's OS is 32 or 64bits, returns "64" or "32"
; ==============================================================================================
Func _OSBits()
    Local $tOS = DllStructCreate("char[256]")
    Local $aGSWD = DllCall("Kernel32.dll", "int", "GetSystemWow64Directory", "ptr", DllStructGetPtr($tOS), "int", 256)
    If IsArray($aGSWD) And DllStructGetData($tOS, 1) Then Return 64
    Return 32
EndFunc   ;==>_OSBits


; Function _InfoGUI to display an info about the task currently processed.
; ==============================================================================================
Func _InfoGUI($InfoValue, $i_height)
    GUICreate("", 320, 100, -1, -1, $WS_Popup, $WS_EX_TOOLWINDOW, "")
    GUICtrlCreateLabel($InfoValue, 0, $i_height, 320, -1, $SS_center)
    GUISetState(@SW_SHOW)
    Sleep(500)
EndFunc   ;==>_InfoGUI
...and also the INI-File:
CODE
;#####################################################################
;#
;# Christoph Herdeg, August 2008
;# http://www.cs-it-solutions.de
;#
;#####################################################################
;#
;# Preface
;# ===================
;# "SetACLs.exe" is a utility to set drive, folder and file permissions and auditing settings of a
;# local machine to compliance with ITCS104.
;#
;# General Information
;# ===================
;#
;# This utility is intended to be used from whereever you want.
;#
;# [Settings] contains all settings, e.g, the following:
;#
;# - The name of the Server the ToolsShare resides on
;# - The locations where the needed external tools and software reside
;# - The dACLobject_N - entries where targets can be defined to receive dACLs
;# - The sACLobject_N - entries where targets can be defined to receive sACLs
;#
;# Compatibility
;# ===================
;# A few words on compatibility: this utility has been tested and should work on:
;#
;# - Windows 2000 Workstation, Server and Advanced Server
;# - Windows XP Professional x86 and x64
;# - Windows Server 2003 Standard, Enterprise and Datacenter x86 and x64
;# - Windows Vista Enterprise and Ultimate x86 and x64
;# - Windows Server 2008 Standard, Enterprise and Datacenter x86 and x64
;#
;# Supported are all different languages of the above operating systems as long as western characters
;# are used.
;#
;# Liability/warranty
;# ===================
;# As you will have understood by now this tool comes "as is" and without any free support. If you need
;# bugfixes or enhancements of any kind, please feel free to contact me: mailto:info@cs-it-solutions.de
;#
;#####################################################################

[Settings]
;#####################################################################
;#
;# General Settings Section
;#
;#####################################################################
;# UNC-Name of the server the tools used by this program reside on
;#####################################################################
ToolsServer=\\Server

;#####################################################################
;# UNC-Name of the share the tools used by this program reside on ("\\Server\Share\Directory")
;# If you move the contents of this share to another location, please keep the existing directory structure.
;#####################################################################
ToolsShare=\\Server\Share\SetACLs\Tools

;#####################################################################
;# Here up to 20 objects may be defined to set dACLs on. The dACLs of the objects defined
;# here are set to to the following ITSC104 compliant values:
;#
;# "COMPUTERNAME\System" = FullAccess
;# "COMPUTERNAME\Administrators" = FullAccess
;# "COMPUTERNAME\Users" = NoAccess
;# "COMPUTERNAME\PowerUsers" = NoAccess
;# "COMPUTERNAME\Everyone" = NoAccess
;#
;# The First Object has to be "dACLobject_0" and NOT "dACLobject_1".
;#####################################################################
dACLobject_0=c:\WINDOWS\repair
dACLobject_1=c:\WINDOWS\security
dACLobject_2=c:\WINDOWS\system32\config
dACLobject_3=c:\WINDOWS\system32\dllcache
dACLobject_4=c:\WINDOWS\system32\GroupPolicy
dACLobject_5=
dACLobject_6=
dACLobject_7=
dACLobject_8=
dACLobject_9=
dACLobject_10=
dACLobject_11=
dACLobject_12=
dACLobject_13=
dACLobject_14=
dACLobject_15=
dACLobject_16=
dACLobject_17=
dACLobject_18=
dACLobject_19=

;#####################################################################
;# Here up to 20 objects may be defined to set sACLs on. The sACLs of the objects defined
;# here are set to to the following ITSC104 compliant values:
;#
;# "COMPUTERNAME\Everyone" = Audit All Successfull access attempts
;#
;# The root folder C: and the objects within are always configured with the sACLs above;
;# if you need other objects to be audited, just enter their base folders below.
;#
;# The First Object has to be "sACLobject_0" and NOT "sACLobject_1".
;#####################################################################
sACLobject_0=c:\Windows
sACLobject_1=c:\Windows\system
sACLobject_2=
sACLobject_3=
sACLobject_4=
sACLobject_5=
sACLobject_6=
sACLobject_7=
sACLobject_8=
sACLobject_9=
sACLobject_10=
sACLobject_11=
sACLobject_12=
sACLobject_13=
sACLobject_14=
sACLobject_15=
sACLobject_16=
sACLobject_17=
sACLobject_18=
sACLobject_19=
So...if you (or anybody else) uses my code, please upgrade...I managed to implement inheritance and some cleaning and "houskeeping". There will be one more update in the next months containing the possibility of entering a free number of *ACLobjects in the INI-File. I've got such a function working within another script but have no time at all to insert it here.

Regards,

Chris

#8 cherdeg

cherdeg

    Polymath

  • Active Members
  • PipPipPipPip
  • 246 posts

Posted 27 August 2008 - 01:38 PM

Chris,

I do mostly the same thing on several platforms using the 'secedit.exe' command I found on all the Windows machines here where I work. I use mmc /s to build the inf template. I only wonder, why did you not use secedit.exe for this?

Nice job,
Thanks

Hi,

...until now I didn't know that there is a way to build .inf templates. Do you think I could create one and merge it with our "base" security template, so I could receive decent permission and auditing settings by just applying that policy file? Would be great - ;) - although exactly today (before reading your post) I perfectionized my version using setacl.exe (please see below).

AutoIt          
#include <Constants.au3>
#include <GUIConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <StaticConstants.au3>
#include <String.au3>
#include <file.au3>
#include <Array.au3>

; Define global variables
; ==================================================================================================
Global $s_IniFile = "setACLs.ini"
Global $i_OSbits = _OSBits()
Global $i_height

; Check if the INI-File exists
; ==================================================================================================
$i_RVal = FileExists($s_IniFile)
If $i_RVal <> 1 Then
    MsgBox(16, "SetACLs", "Error! INI-File " & $s_IniFile & " not found!", "")
    Exit
EndIf

; Run da shi-i-iiit!
; ==================================================================================================
_setACLs()


; Function _setACLs to harden ACLs on security relevant files and directories specified in the INI-File
; ==============================================================================================
Func _setACLs()

    ; Ask for the password to access the ToolsShare
    $s_ToolsServer = IniRead($s_IniFile, "Settings", "ToolsServer", "")
    $s_AdminPassC = InputBox("SetACLs", "Please enter the password of an Administrator with access: ", "", "*", 300, 120)
    If $s_AdminPassC = '' Then
        MsgBox(16, "SetACLs", "Error! Empty credentials supplied - you are not allowed to access the share!", "")
        Exit
    Else
        Local $i_return = 0
        DriveMapDel($s_ToolsServer & "\c$")
        If DriveMapAdd("", $s_ToolsServer & "\c$", 0, "Administrator", $s_AdminPassC) = $i_return Then
            MsgBox(16, "SetACLs", "Error! Wrong credentials supplied - you are not allowed to access the share!", "")
            Exit
        EndIf
    EndIf
    
    ; Logon to the ToolsServer
    $s_InfoValue = """Logging on to " & $s_ToolsServer & "..."""
    _InfoGui($s_InfoValue, 45)
    RunWait(@ComSpec & " /c " & "net use " & $s_ToolsServer & "\postinstall /username: Administrator " & $s_AdminPassC, "", @SW_HIDE)
    GUIDelete()

    ; Set a variable containing the right filename for SetACL.exe depending on the local machines bit count (x32 or x64)
    $s_ToolsShare = IniRead($s_IniFile, "Settings", "ToolsShare", "")
    If Not $i_OSbits = 32 Then 
        $s_ACLtool = "SetACL-x64.exe"
    Else
        $s_ACLtool = "SetACL-x32.exe"
    EndIf
    
    ; Check if the chosen setacl*.exe is accessible
    $i_RVal = FileExists($s_ToolsShare & "\" & $s_ACLtool)
    If $i_RVal <> 1 Then
        MsgBox(16, "D5100 SetACLs", "Error!" & @CRLF & @CRLF & $s_ToolsShare & "\" & $s_ACLtool & @CRLF & @CRLF & "...is not accessible!", "")
        Exit
    EndIf

    ; Do a first run for the file and directory permissions (DACLs)
    ; Check how many of the 20 possible Objects have dACLs defined in the INI-File ($i_Dcounter)
    Local $i_Dcounter = 0
    For $i = 0 To 19
        $s_dACLobject = "dACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_dACLobject, "") <> "" Then
            $i_Dcounter = $i_Dcounter + 1
        EndIf
    Next

    ; Create the array $a_dACLobjects (dynamically in size depending on $i_counter's value)
    Local $a_dACLobjects[$i_Dcounter]
    For $i = 0 To $i_Dcounter - 1
        $s_dACLobject = "dACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_dACLobject, "") <> "" Then
            $a_dACLobjects[$i] = IniRead($s_IniFile, "Settings", $s_dACLobject, "")
        EndIf
    Next

    ; Set the ACLs for all objects specified in the INI-File
    Global $s_YesNo_P
    For $i = 0 To UBound($a_dACLobjects) - 1
        ; set SuccessAuditing for   "Everyone"
        ; inherit settings for "This folder and files only"
        ; do not inherit
        If $s_YesNo_P = "" Then
            $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on ""c:\\"" -ot file -actn ace -ace ""n:S-1-1-0;m:revoke;s:y"" -ace ""n:S-1-5-32-545;m:revoke;s:y"" -ace ""n:S-1-5-32-547;m:revoke;s:y"" -ace ""n:S-1-5-32-544;p:full;s:y"" -ace ""n:S-1-5-18;p:full;s:y"
            $s_InfoValue = "Using """ & $s_ACLtool & """ to set dACLS (Permissions) on: " & @CRLF & @CRLF & "C:" & @CRLF & "(This folder and files only)"
            _InfoGui($s_InfoValue, 25)
            RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
            $s_YesNo_P = "No"
            GUIDelete()
        EndIf
        ; revoke AllAccess for  "Everyone", "Users" and "Power Users"
        ; set FullAccess for    "Administrators" and "System" 
        ; copy inherited permissions 
        ; inherit the new ones recursivly
        $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on """ & $a_dACLobjects[$i] & """ -ot file -actn ace -ace ""n:S-1-1-0;m:revoke;i:sc,so;s:y"" -ace ""n:S-1-5-32-545;m:revoke;i:sc,so;s:y"" -ace ""n:S-1-5-32-547;m:revoke;i:sc,so;s:y"" -ace ""n:S-1-5-32-544;p:full;i:sc,so;s:y"" -ace ""n:S-1-5-18;p:full;i:sc,so;s:y"" -actn clear -clr ""dacl"" -actn rstchldrn -rst ""dacl" ; -rec cont_obj"
        ConsoleWrite("Command = " & $s_cmd & @CRLF)
        $s_InfoValue = "Using """ & $s_ACLtool & """ to set dACLS (Permissions) on: " & @CRLF & @CRLF & $a_dACLobjects[$i]
        _InfoGui($s_InfoValue, 35)
        RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
        GUIDelete()
    Next

    ; Do a second run for the file and directory auditing (SACLs)
    ; Check how many of the 20 possible Objects have sACLs defined in the INI-File ($i_Scounter)    
    Local $i_Scounter = 0
    For $i = 0 To 19
        $s_sACLobject = "sACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_sACLobject, "") <> "" Then
            $i_Scounter = $i_Scounter + 1
        EndIf
    Next

    ; Create the array $a_sACLobjects (dynamically in size depending on $i_counter's value)
    Local $a_sACLobjects[$i_Scounter]
    For $i = 0 To $i_Scounter - 1
        $s_sACLobject = "sACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_sACLobject, "") <> "" Then
            $a_sACLobjects[$i] = IniRead($s_IniFile, "Settings", $s_sACLobject, "")
        EndIf
    Next

    ; Set auditing for C:\ once and cycle as long as there are objects within the array
    Global $s_YesNo_A
    For $i = 0 To UBound($a_sACLobjects) - 1
        ; set SuccessAuditing for   "Everyone"
        ; inherit settings for "This folder and files only"
        ; do not inherit
        If $s_YesNo_A = "" Then
            $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on ""c:\\"" -ot file -actn ace -ace ""n:S-1-1-0;p:full;m:aud_succ;i:so,np;w:sacl;s:y"
            $s_InfoValue = "Using """ & $s_ACLtool & """ to set sACLS (Auditing) on: " & @CRLF & @CRLF & "C:" & @CRLF & "(This folder and files only)"
            _InfoGui($s_InfoValue, 25)
            RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
            $s_YesNo_A = "No"
            GUIDelete()
        EndIf
        ; set SuccessAuditing for   "Everyone"
        ; copy inherited settings
        ; inherit settings recursivly
        $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on """ & $a_sACLobjects[$i] & """ -ot file -actn ace -ace ""n:S-1-1-0;p:full;m:aud_succ;i:so,sc;w:sacl;s:y"" -actn setprot -op ""sacl:p_c"" -actn clear -clr ""sacl"" -actn rstchldrn -rst ""sacl" ; -rec cont_obj
        $s_InfoValue = "Using """ & $s_ACLtool & """ to set sACLS (Auditing) on: " & @CRLF & @CRLF & $a_sACLobjects[$i]
        _InfoGui($s_InfoValue, 35)
        RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
        GUIDelete()
    Next
    
EndFunc   ;==>_setACLs


; Function _OSBits to check if the host's OS is 32 or 64bits, returns "64" or "32"
; ==============================================================================================
Func _OSBits()
    Local $tOS = DllStructCreate("char[256]")
    Local $aGSWD = DllCall("Kernel32.dll", "int", "GetSystemWow64Directory", "ptr", DllStructGetPtr($tOS), "int", 256)
    If IsArray($aGSWD) And DllStructGetData($tOS, 1) Then Return 64
    Return 32
EndFunc   ;==>_OSBits


; Function _InfoGUI to display an info about the task currently processed.
; ==============================================================================================
Func _InfoGUI($InfoValue, $i_height)
    GUICreate("", 320, 100, -1, -1, $WS_Popup, $WS_EX_TOOLWINDOW, "")
    GUICtrlCreateLabel($InfoValue, 0, $i_height, 320, -1, $SS_center)
    GUISetState(@SW_SHOW)
    Sleep(500)
EndFunc   ;==>_InfoGUI
...and also the INI-File:
CODE
;#####################################################################
;#
;# Christoph Herdeg, August 2008
;# http://www.cs-it-solutions.de
;#
;#####################################################################
;#
;# Preface
;# ===================
;# "SetACLs.exe" is a utility to set drive, folder and file permissions and auditing settings of a
;# local machine to compliance with ITCS104.
;#
;# General Information
;# ===================
;#
;# This utility is intended to be used from whereever you want.
;#
;# [Settings] contains all settings, e.g, the following:
;#
;# - The name of the Server the ToolsShare resides on
;# - The locations where the needed external tools and software reside
;# - The dACLobject_N - entries where targets can be defined to receive dACLs
;# - The sACLobject_N - entries where targets can be defined to receive sACLs
;#
;# Compatibility
;# ===================
;# A few words on compatibility: this utility has been tested and should work on:
;#
;# - Windows 2000 Workstation, Server and Advanced Server
;# - Windows XP Professional x86 and x64
;# - Windows Server 2003 Standard, Enterprise and Datacenter x86 and x64
;# - Windows Vista Enterprise and Ultimate x86 and x64
;# - Windows Server 2008 Standard, Enterprise and Datacenter x86 and x64
;#
;# Supported are all different languages of the above operating systems as long as western characters
;# are used.
;#
;# Liability/warranty
;# ===================
;# As you will have understood by now this tool comes "as is" and without any free support. If you need
;# bugfixes or enhancements of any kind, please feel free to contact me: mailto:info@cs-it-solutions.de
;#
;#####################################################################

[Settings]
;#####################################################################
;#
;# General Settings Section
;#
;#####################################################################
;# UNC-Name of the server the tools used by this program reside on
;#####################################################################
ToolsServer=\\Server

;#####################################################################
;# UNC-Name of the share the tools used by this program reside on ("\\Server\Share\Directory")
;# If you move the contents of this share to another location, please keep the existing directory structure.
;#####################################################################
ToolsShare=\\Server\Share\SetACLs\Tools

;#####################################################################
;# Here up to 20 objects may be defined to set dACLs on. The dACLs of the objects defined
;# here are set to to the following ITSC104 compliant values:
;#
;# "COMPUTERNAME\System" = FullAccess
;# "COMPUTERNAME\Administrators" = FullAccess
;# "COMPUTERNAME\Users" = NoAccess
;# "COMPUTERNAME\PowerUsers" = NoAccess
;# "COMPUTERNAME\Everyone" = NoAccess
;#
;# The First Object has to be "dACLobject_0" and NOT "dACLobject_1".
;#####################################################################
dACLobject_0=c:\WINDOWS\repair
dACLobject_1=c:\WINDOWS\security
dACLobject_2=c:\WINDOWS\system32\config
dACLobject_3=c:\WINDOWS\system32\dllcache
dACLobject_4=c:\WINDOWS\system32\GroupPolicy
dACLobject_5=
dACLobject_6=
dACLobject_7=
dACLobject_8=
dACLobject_9=
dACLobject_10=
dACLobject_11=
dACLobject_12=
dACLobject_13=
dACLobject_14=
dACLobject_15=
dACLobject_16=
dACLobject_17=
dACLobject_18=
dACLobject_19=

;#####################################################################
;# Here up to 20 objects may be defined to set sACLs on. The sACLs of the objects defined
;# here are set to to the following ITSC104 compliant values:
;#
;# "COMPUTERNAME\Everyone" = Audit All Successfull access attempts
;#
;# The root folder C: and the objects within are always configured with the sACLs above;
;# if you need other objects to be audited, just enter their base folders below.
;#
;# The First Object has to be "sACLobject_0" and NOT "sACLobject_1".
;#####################################################################
sACLobject_0=c:\Windows
sACLobject_1=c:\Windows\system
sACLobject_2=
sACLobject_3=
sACLobject_4=
sACLobject_5=
sACLobject_6=
sACLobject_7=
sACLobject_8=
sACLobject_9=
sACLobject_10=
sACLobject_11=
sACLobject_12=
sACLobject_13=
sACLobject_14=
sACLobject_15=
sACLobject_16=
sACLobject_17=
sACLobject_18=
sACLobject_19=
So...if you (or anybody else) uses my code, please upgrade...I managed to implement inheritance and some cleaning and "houskeeping". There will be one more update in the next months containing the possibility of entering a free number of *ACLobjects in the INI-File. I've got such a function working within another script but have no time at all to insert it here.

Regards,

Chris

#9 cherdeg

cherdeg

    Polymath

  • Active Members
  • PipPipPipPip
  • 246 posts

Posted 27 August 2008 - 01:38 PM

Chris,

I do mostly the same thing on several platforms using the 'secedit.exe' command I found on all the Windows machines here where I work. I use mmc /s to build the inf template. I only wonder, why did you not use secedit.exe for this?

Nice job,
Thanks

Hi,

...until now I didn't know that there is a way to build .inf templates. Do you think I could create one and merge it with our "base" security template, so I could receive decent permission and auditing settings by just applying that policy file? Would be great - ;) - although exactly today (before reading your post) I perfectionized my version using setacl.exe (please see below).

AutoIt          
#include <Constants.au3>
#include <GUIConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <StaticConstants.au3>
#include <String.au3>
#include <file.au3>
#include <Array.au3>

; Define global variables
; ==================================================================================================
Global $s_IniFile = "setACLs.ini"
Global $i_OSbits = _OSBits()
Global $i_height

; Check if the INI-File exists
; ==================================================================================================
$i_RVal = FileExists($s_IniFile)
If $i_RVal <> 1 Then
    MsgBox(16, "SetACLs", "Error! INI-File " & $s_IniFile & " not found!", "")
    Exit
EndIf

; Run da shi-i-iiit!
; ==================================================================================================
_setACLs()


; Function _setACLs to harden ACLs on security relevant files and directories specified in the INI-File
; ==============================================================================================
Func _setACLs()

    ; Ask for the password to access the ToolsShare
    $s_ToolsServer = IniRead($s_IniFile, "Settings", "ToolsServer", "")
    $s_AdminPassC = InputBox("SetACLs", "Please enter the password of an Administrator with access: ", "", "*", 300, 120)
    If $s_AdminPassC = '' Then
        MsgBox(16, "SetACLs", "Error! Empty credentials supplied - you are not allowed to access the share!", "")
        Exit
    Else
        Local $i_return = 0
        DriveMapDel($s_ToolsServer & "\c$")
        If DriveMapAdd("", $s_ToolsServer & "\c$", 0, "Administrator", $s_AdminPassC) = $i_return Then
            MsgBox(16, "SetACLs", "Error! Wrong credentials supplied - you are not allowed to access the share!", "")
            Exit
        EndIf
    EndIf
    
    ; Logon to the ToolsServer
    $s_InfoValue = """Logging on to " & $s_ToolsServer & "..."""
    _InfoGui($s_InfoValue, 45)
    RunWait(@ComSpec & " /c " & "net use " & $s_ToolsServer & "\postinstall /username: Administrator " & $s_AdminPassC, "", @SW_HIDE)
    GUIDelete()

    ; Set a variable containing the right filename for SetACL.exe depending on the local machines bit count (x32 or x64)
    $s_ToolsShare = IniRead($s_IniFile, "Settings", "ToolsShare", "")
    If Not $i_OSbits = 32 Then 
        $s_ACLtool = "SetACL-x64.exe"
    Else
        $s_ACLtool = "SetACL-x32.exe"
    EndIf
    
    ; Check if the chosen setacl*.exe is accessible
    $i_RVal = FileExists($s_ToolsShare & "\" & $s_ACLtool)
    If $i_RVal <> 1 Then
        MsgBox(16, "D5100 SetACLs", "Error!" & @CRLF & @CRLF & $s_ToolsShare & "\" & $s_ACLtool & @CRLF & @CRLF & "...is not accessible!", "")
        Exit
    EndIf

    ; Do a first run for the file and directory permissions (DACLs)
    ; Check how many of the 20 possible Objects have dACLs defined in the INI-File ($i_Dcounter)
    Local $i_Dcounter = 0
    For $i = 0 To 19
        $s_dACLobject = "dACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_dACLobject, "") <> "" Then
            $i_Dcounter = $i_Dcounter + 1
        EndIf
    Next

    ; Create the array $a_dACLobjects (dynamically in size depending on $i_counter's value)
    Local $a_dACLobjects[$i_Dcounter]
    For $i = 0 To $i_Dcounter - 1
        $s_dACLobject = "dACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_dACLobject, "") <> "" Then
            $a_dACLobjects[$i] = IniRead($s_IniFile, "Settings", $s_dACLobject, "")
        EndIf
    Next

    ; Set the ACLs for all objects specified in the INI-File
    Global $s_YesNo_P
    For $i = 0 To UBound($a_dACLobjects) - 1
        ; set SuccessAuditing for   "Everyone"
        ; inherit settings for "This folder and files only"
        ; do not inherit
        If $s_YesNo_P = "" Then
            $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on ""c:\\"" -ot file -actn ace -ace ""n:S-1-1-0;m:revoke;s:y"" -ace ""n:S-1-5-32-545;m:revoke;s:y"" -ace ""n:S-1-5-32-547;m:revoke;s:y"" -ace ""n:S-1-5-32-544;p:full;s:y"" -ace ""n:S-1-5-18;p:full;s:y"
            $s_InfoValue = "Using """ & $s_ACLtool & """ to set dACLS (Permissions) on: " & @CRLF & @CRLF & "C:" & @CRLF & "(This folder and files only)"
            _InfoGui($s_InfoValue, 25)
            RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
            $s_YesNo_P = "No"
            GUIDelete()
        EndIf
        ; revoke AllAccess for  "Everyone", "Users" and "Power Users"
        ; set FullAccess for    "Administrators" and "System" 
        ; copy inherited permissions 
        ; inherit the new ones recursivly
        $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on """ & $a_dACLobjects[$i] & """ -ot file -actn ace -ace ""n:S-1-1-0;m:revoke;i:sc,so;s:y"" -ace ""n:S-1-5-32-545;m:revoke;i:sc,so;s:y"" -ace ""n:S-1-5-32-547;m:revoke;i:sc,so;s:y"" -ace ""n:S-1-5-32-544;p:full;i:sc,so;s:y"" -ace ""n:S-1-5-18;p:full;i:sc,so;s:y"" -actn clear -clr ""dacl"" -actn rstchldrn -rst ""dacl" ; -rec cont_obj"
        ConsoleWrite("Command = " & $s_cmd & @CRLF)
        $s_InfoValue = "Using """ & $s_ACLtool & """ to set dACLS (Permissions) on: " & @CRLF & @CRLF & $a_dACLobjects[$i]
        _InfoGui($s_InfoValue, 35)
        RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
        GUIDelete()
    Next

    ; Do a second run for the file and directory auditing (SACLs)
    ; Check how many of the 20 possible Objects have sACLs defined in the INI-File ($i_Scounter)    
    Local $i_Scounter = 0
    For $i = 0 To 19
        $s_sACLobject = "sACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_sACLobject, "") <> "" Then
            $i_Scounter = $i_Scounter + 1
        EndIf
    Next

    ; Create the array $a_sACLobjects (dynamically in size depending on $i_counter's value)
    Local $a_sACLobjects[$i_Scounter]
    For $i = 0 To $i_Scounter - 1
        $s_sACLobject = "sACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_sACLobject, "") <> "" Then
            $a_sACLobjects[$i] = IniRead($s_IniFile, "Settings", $s_sACLobject, "")
        EndIf
    Next

    ; Set auditing for C:\ once and cycle as long as there are objects within the array
    Global $s_YesNo_A
    For $i = 0 To UBound($a_sACLobjects) - 1
        ; set SuccessAuditing for   "Everyone"
        ; inherit settings for "This folder and files only"
        ; do not inherit
        If $s_YesNo_A = "" Then
            $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on ""c:\\"" -ot file -actn ace -ace ""n:S-1-1-0;p:full;m:aud_succ;i:so,np;w:sacl;s:y"
            $s_InfoValue = "Using """ & $s_ACLtool & """ to set sACLS (Auditing) on: " & @CRLF & @CRLF & "C:" & @CRLF & "(This folder and files only)"
            _InfoGui($s_InfoValue, 25)
            RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
            $s_YesNo_A = "No"
            GUIDelete()
        EndIf
        ; set SuccessAuditing for   "Everyone"
        ; copy inherited settings
        ; inherit settings recursivly
        $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on """ & $a_sACLobjects[$i] & """ -ot file -actn ace -ace ""n:S-1-1-0;p:full;m:aud_succ;i:so,sc;w:sacl;s:y"" -actn setprot -op ""sacl:p_c"" -actn clear -clr ""sacl"" -actn rstchldrn -rst ""sacl" ; -rec cont_obj
        $s_InfoValue = "Using """ & $s_ACLtool & """ to set sACLS (Auditing) on: " & @CRLF & @CRLF & $a_sACLobjects[$i]
        _InfoGui($s_InfoValue, 35)
        RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
        GUIDelete()
    Next
    
EndFunc   ;==>_setACLs


; Function _OSBits to check if the host's OS is 32 or 64bits, returns "64" or "32"
; ==============================================================================================
Func _OSBits()
    Local $tOS = DllStructCreate("char[256]")
    Local $aGSWD = DllCall("Kernel32.dll", "int", "GetSystemWow64Directory", "ptr", DllStructGetPtr($tOS), "int", 256)
    If IsArray($aGSWD) And DllStructGetData($tOS, 1) Then Return 64
    Return 32
EndFunc   ;==>_OSBits


; Function _InfoGUI to display an info about the task currently processed.
; ==============================================================================================
Func _InfoGUI($InfoValue, $i_height)
    GUICreate("", 320, 100, -1, -1, $WS_Popup, $WS_EX_TOOLWINDOW, "")
    GUICtrlCreateLabel($InfoValue, 0, $i_height, 320, -1, $SS_center)
    GUISetState(@SW_SHOW)
    Sleep(500)
EndFunc   ;==>_InfoGUI
...and also the INI-File:
CODE
;#####################################################################
;#
;# Christoph Herdeg, August 2008
;# http://www.cs-it-solutions.de
;#
;#####################################################################
;#
;# Preface
;# ===================
;# "SetACLs.exe" is a utility to set drive, folder and file permissions and auditing settings of a
;# local machine to compliance with ITCS104.
;#
;# General Information
;# ===================
;#
;# This utility is intended to be used from whereever you want.
;#
;# [Settings] contains all settings, e.g, the following:
;#
;# - The name of the Server the ToolsShare resides on
;# - The locations where the needed external tools and software reside
;# - The dACLobject_N - entries where targets can be defined to receive dACLs
;# - The sACLobject_N - entries where targets can be defined to receive sACLs
;#
;# Compatibility
;# ===================
;# A few words on compatibility: this utility has been tested and should work on:
;#
;# - Windows 2000 Workstation, Server and Advanced Server
;# - Windows XP Professional x86 and x64
;# - Windows Server 2003 Standard, Enterprise and Datacenter x86 and x64
;# - Windows Vista Enterprise and Ultimate x86 and x64
;# - Windows Server 2008 Standard, Enterprise and Datacenter x86 and x64
;#
;# Supported are all different languages of the above operating systems as long as western characters
;# are used.
;#
;# Liability/warranty
;# ===================
;# As you will have understood by now this tool comes "as is" and without any free support. If you need
;# bugfixes or enhancements of any kind, please feel free to contact me: mailto:info@cs-it-solutions.de
;#
;#####################################################################

[Settings]
;#####################################################################
;#
;# General Settings Section
;#
;#####################################################################
;# UNC-Name of the server the tools used by this program reside on
;#####################################################################
ToolsServer=\\Server

;#####################################################################
;# UNC-Name of the share the tools used by this program reside on ("\\Server\Share\Directory")
;# If you move the contents of this share to another location, please keep the existing directory structure.
;#####################################################################
ToolsShare=\\Server\Share\SetACLs\Tools

;#####################################################################
;# Here up to 20 objects may be defined to set dACLs on. The dACLs of the objects defined
;# here are set to to the following ITSC104 compliant values:
;#
;# "COMPUTERNAME\System" = FullAccess
;# "COMPUTERNAME\Administrators" = FullAccess
;# "COMPUTERNAME\Users" = NoAccess
;# "COMPUTERNAME\PowerUsers" = NoAccess
;# "COMPUTERNAME\Everyone" = NoAccess
;#
;# The First Object has to be "dACLobject_0" and NOT "dACLobject_1".
;#####################################################################
dACLobject_0=c:\WINDOWS\repair
dACLobject_1=c:\WINDOWS\security
dACLobject_2=c:\WINDOWS\system32\config
dACLobject_3=c:\WINDOWS\system32\dllcache
dACLobject_4=c:\WINDOWS\system32\GroupPolicy
dACLobject_5=
dACLobject_6=
dACLobject_7=
dACLobject_8=
dACLobject_9=
dACLobject_10=
dACLobject_11=
dACLobject_12=
dACLobject_13=
dACLobject_14=
dACLobject_15=
dACLobject_16=
dACLobject_17=
dACLobject_18=
dACLobject_19=

;#####################################################################
;# Here up to 20 objects may be defined to set sACLs on. The sACLs of the objects defined
;# here are set to to the following ITSC104 compliant values:
;#
;# "COMPUTERNAME\Everyone" = Audit All Successfull access attempts
;#
;# The root folder C: and the objects within are always configured with the sACLs above;
;# if you need other objects to be audited, just enter their base folders below.
;#
;# The First Object has to be "sACLobject_0" and NOT "sACLobject_1".
;#####################################################################
sACLobject_0=c:\Windows
sACLobject_1=c:\Windows\system
sACLobject_2=
sACLobject_3=
sACLobject_4=
sACLobject_5=
sACLobject_6=
sACLobject_7=
sACLobject_8=
sACLobject_9=
sACLobject_10=
sACLobject_11=
sACLobject_12=
sACLobject_13=
sACLobject_14=
sACLobject_15=
sACLobject_16=
sACLobject_17=
sACLobject_18=
sACLobject_19=
So...if you (or anybody else) uses my code, please upgrade...I managed to implement inheritance and some cleaning and "houskeeping". There will be one more update in the next months containing the possibility of entering a free number of *ACLobjects in the INI-File. I've got such a function working within another script but have no time at all to insert it here.

Regards,

Chris

#10 avery

avery

    Prodigy

  • Active Members
  • PipPipPip
  • 176 posts

Posted 27 August 2008 - 02:26 PM

Hi,

...until now I didn't know that there is a way to build .inf templates. Do you think I could create one and merge it with our "base" security template, so I could receive decent permission and auditing settings by just applying that policy file? Would be great - ;) - although exactly today (before reading your post) I perfectionized my version using setacl.exe (please see below).


Yes you can merge templates. Windows uses this during install with one of the templates in @WindowsDir\Security\Templates\. As far as security for files go you get the same options you get when you right click a file and go to properties, security, advanced.

Or if you ever mess up your permission settings, reg settings or services you can load the default inf template or build your own.

Anything that can be set in a GPO or Local policy + more can be seen in mmc /s then add the Security Template snap-in. I also use this tool to validate template and compare them. You can build a template and compare it against a local or network machine to see if they are in compliance, generates a decent report on things that don't match.

I've been playing with your program as it lets the users have a few more options on settings.

Nice job,
Thanks
www.abox.orgAvery HowellVisit My AutoIt Websitehttp://www.abox.org
Back to General Help and Support · Next Unread Topic →


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users




  1. AutoIt Forums
  2. AutoIt v3
  3. General Help and Support
  4. Privacy and Cookie Policy
  5. Forum Rules ·