cherdeg

Set Auditing for Files and Folders using WMI

10 posts in this topic

Hi,

I'm currently evaluating the possibilities existing to set auditing for Files and Folders using WMI.

If you can't imagine what this is about, open Windows Explorer, go to "C:\", right-click the mouse, choose "Properties" from the context menu and select the tab "Security". Click the "Advanced" button and select the tab "Auditing" in the following window. Here you can configure so-called "SACL"s ("System Access Control Lists", German users please check "http://www.it-visions.de/glossar/alle/186/System Access Control List.aspx") to have the operating system log the access to "C:\" or any other folder or file for the user or group specified here. So you could log each attempt of user "Tom" to change the access rights to the file "C:\boot.ini" or just his attempts to open the file. You can audit the success or failure of an attempt (or both).

I would like to set a full "success" auditing policy (log every kind of successful access) for the local group "Everyone" on special files/folders.

Up to now I came so far but have no clue how to reach my goal any further:

; Set File Auditing for c:\temp
; ==================================================================================================

; Define variables
Local $s_FolderToAudit = "'c:\temp'"
Local $s_Computername = @ComputerName
Local $obj_WMIsecDes    ; receives the Win32_SecurityDescriptor from GetSecurityDescriptor (an object, not a string)
Local $obj_WMIfileSecSetting = ObjGet("winmgmts:Win32_LogicalFileSecuritySetting.Path=" & $s_FolderToAudit)

; Obtain existing security descriptor for folder (return value 0 = success)
$obj_GetVal = $obj_WMIfileSecSetting.GetSecurityDescriptor($obj_WMIsecDes)
MsgBox("", "GetSecurityDescriptor", $obj_GetVal)

$obj_varSACL = $obj_WMIsecDes.sacl   ; existing audit entries (an array of Win32_ACE, or empty)

$obj_WMIprovider = ObjGet("winmgmts:\\" & $s_Computername & "\root\cimv2")
$obj_AceClass = $obj_WMIprovider.Get("Win32_ACE")
$obj_Ace = $obj_AceClass.SpawnInstance_()
$obj_TrusteeClass = $obj_WMIprovider.Get("Win32_Trustee")
$obj_Trustee = $obj_TrusteeClass.SpawnInstance_()

$obj_Trustee.Name = "Everyone"
$obj_Trustee.SIDString = "S-1-1-0"   ; well-known SID of "Everyone", independent of the OS language
$obj_Ace.AccessMask = 983551         ; 0xF01FF: every file right except SYNCHRONIZE, i.e. audit all kinds of access
$obj_Ace.AceType = 2                 ; 2 = SYSTEM_AUDIT_ACE_TYPE (0 = access allowed, 1 = access denied)
$obj_Ace.AceFlags = 67               ; 0x43 = OBJECT_INHERIT (0x01) + CONTAINER_INHERIT (0x02) + SUCCESSFUL_ACCESS (0x40)
                                     ; 131 (0x83) carries FAILED_ACCESS (0x80) instead and would audit failures, not successes
$obj_Ace.Trustee = $obj_Trustee

; The SACL property is an array of ACEs, so wrap the single entry in an array
Local $a_SACL[1] = [$obj_Ace]
$obj_WMIsecDes.sacl = $a_SACL

$obj_SetVal = $obj_WMIfileSecSetting.SetSecurityDescriptor($obj_WMIsecDes)
MsgBox("", "SetSecurityDescriptor", $obj_SetVal)

If $obj_SetVal = 0 Then
    MsgBox("", "pass", "pass")
Else
    MsgBox("", "fail", "fail")
EndIf

I'm quite lost when it comes to setting the right values for .accessmask, .acetype and .aceflags. Also I haven't really understood the complete context. What are the values to call .SetSecurityDescriptor with and how is it called correctly? Is there anyone out there able to help me? I'm grateful for any bit of help...

Best Regards,

Chris
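An added example, not code from the thread or from Chris: the audit entry the post is after (every kind of successful access by Everyone on the folder, its subfolders and files), written with the .NET file-security classes and then read back through the WMI class the post uses, so the numeric Win32_ACE fields the post asks about (AceType, AceFlags, AccessMask) become visible. C:\temp is the post's example path; everything else is assumed.

```powershell
# Added example, not code from the thread. Run from an elevated shell: reading or
# writing a SACL needs SeSecurityPrivilege. Target path taken from the post.
$target = 'C:\temp'

# Everyone by well-known SID rather than by name, so it resolves on non-English Windows too
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

$rights    = [System.Security.AccessControl.FileSystemRights]::FullControl                     # audit every access type
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'  # subfolders and files
$propagate = [System.Security.AccessControl.PropagationFlags]::None                            # apply here and below
$success   = [System.Security.AccessControl.AuditFlags]::Success                               # log successes only

$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                   -ArgumentList $everyone, $rights, $inherit, $propagate, $success

$acl = Get-Acl -Path $target -Audit     # -Audit makes Get-Acl read the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $target -AclObject $acl

# Read the SACL back via Win32_LogicalFileSecuritySetting (WQL wants doubled backslashes in the
# path; -EnableAllPrivileges lets the WMI call use SeSecurityPrivilege). Expected entry, in
# Win32_ACE terms:
#   AceType    2           SYSTEM_AUDIT_ACE_TYPE (0 = allow, 1 = deny)
#   AceFlags   0x43 = 67   OBJECT_INHERIT (0x01) | CONTAINER_INHERIT (0x02) | SUCCESSFUL_ACCESS (0x40)
#                          0x80 is FAILED_ACCESS, so the 131 (0x83) in the post would audit failures
#   AccessMask 0x1F01FF    FullControl with SYNCHRONIZE; the post's 983551 (0xF01FF) is the same mask without it
$wqlPath = $target.Replace('\', '\\')
$setting = Get-WmiObject -Class Win32_LogicalFileSecuritySetting -Filter "Path='$wqlPath'" -EnableAllPrivileges
$sd = $setting.GetSecurityDescriptor().Descriptor
$sd.SACL | Format-Table @{n='Trustee'; e={ $_.Trustee.SIDString }},
                        AceType,
                        @{n='AceFlags'; e={ '0x{0:X2}' -f $_.AceFlags }},
                        @{n='AccessMask'; e={ '0x{0:X}' -f $_.AccessMask }}

# The entry produces nothing until the object-access audit policy is on; check with:
#   auditpol /get /category:"Object Access"
# Successful access then appears in the Security log as event ID 4663 (Vista/2008 and later; 560 on XP/2003).
```

The SACL and the audit policy are two separate switches: the entry above only selects which objects and principals are interesting, and the "Object Access" policy decides whether the kernel writes anything at all, so a fleet check should verify both.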


Somebody has a Keepie Uppie Queen? :P


WMI is not the best approach to use for this.

Better is GPO

@ptrex

...YES, you're definitely right. If someone manages an office or other production network this would be the most feasible option. But here we have a situation in which we have to manage about 2500 testbed machines (used for software building, debugging and testing), partly hardware, partly virtual machines on ESX, using all of the following operating systems: 2000 (Pro / Server / Adv.Server), XP (Home / Pro 32 and 64 bits), Server 2003 (all Eds.), Vista (all Eds.), Server 2008 (all Eds.)...and only a minority of the systems belongs to a domain.

Nevertheless we have to comply with certain security policies set up by the CTO of our local branch, one of which is auditing. My job is to optimize the automation of management for our testbed and due to the fact that I cannot conveniently implement GPOs I need to use WMI because at least it doesn't require me to do the same step locally on every machine.

So maybe someone has a hint for me regarding WMI and SACLs?

Best Regards,

Chris


#5 ·  Posted (edited)

Don't bother any further to help me out - if nobody wants to help (or is able to), a tech guy even today still has to walk the rocky way...and invent the wheel from scratch. At the end I simply used setACL.exe (-ace ""n:S-1-1-0;p:full;m:aud_succ;w:sacl;s:y"" sets up the logging of any successful attempt to access by the builtin group "everyone").

Nevertheless I would like to share my new wisdom with everybody else:

; ####################################################################################
;
; Christoph Herdeg, July 2008
; http://www.cs-it-solutions.de
;
; ####################################################################################
#include <Constants.au3>
#include <GUIConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <StaticConstants.au3>
#include <String.au3>
#include <file.au3>
#include <Array.au3>

; Define global variables
; ==================================================================================================
Global $s_IniFile = "setACLs.ini"
Global $s_ini_sections = IniReadSectionNames($s_IniFile)
Global $i_OSbits = _OSBits()
Global $i_height

; Run da shi-i-iiit!
; ==================================================================================================
_setACLs()


; Function _setACLs to harden ACLs on security relevant files and directories specified in the INI-File
; ==============================================================================================
Func _setACLs()
    ; Create an array for the objects to change the ACLs on
    ; Check how many of the 20 possible Objects are defined in the INI-File ($i_counter)
    Local $i_counter = 0
    For $i = 0 To 19
        $s_actualACLobject = "ACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_actualACLobject, "") <> '' Then
            $i_counter = $i_counter + 1
        EndIf
    Next

    ; Create the array $a_ACLobjects (dynamically in size depending on $i_counter's value)
    ; Walk all 20 keys and append the defined ones, so a gap in the numbering neither leaves an
    ; empty slot nor runs past the end of the array (the old "For $i = 0 To $i_counter" did)
    Local $a_ACLobjects[$i_counter], $i_next = 0
    For $i = 0 To 19
        $s_actualACLobject = "ACLobject_" & $i
        $s_value = IniRead($s_IniFile, "Settings", $s_actualACLobject, "")
        If $s_value <> '' Then
            $a_ACLobjects[$i_next] = $s_value
            $i_next = $i_next + 1
        EndIf
    Next
    
    ; Set a variable containing the right filename for SetACL.exe depending on the local machine's bit count (x32 or x64)
    $s_ToolsShare = IniRead($s_IniFile, "Settings", "ToolsShare", "")
    If $i_OSbits = 64 Then   ; "Not $i_OSbits = 32" parses as "(Not $i_OSbits) = 32" in AutoIt and is never true
        $s_ACLtool = "SetACL-x64.exe"
    Else
        $s_ACLtool = "SetACL-x32.exe"
    EndIf

    ; Set the ACLs for all objects specified in the INI-File
    For $i = 0 To UBound($a_ACLobjects) - 1
        ; revoke AllAccess for  "Everyone", "Users" and "Power Users"
        ; set FullAccess for    "Administrators" and "System" 
        ; remove inherited permissions 
        ; inherit the new ones recursively
        $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on """ & $a_ACLobjects[$i] & """ -ot file -actn ace -ace ""n:S-1-1-0;m:revoke;s:y"" -ace ""n:S-1-5-32-545;m:revoke;s:y"" -ace ""n:S-1-5-32-547;m:revoke;s:y"" -ace ""n:S-1-5-32-544;p:full;s:y"" -ace ""n:S-1-1-0;p:full;m:aud_succ;w:sacl;s:y"" -ace ""n:S-1-5-18;p:full;s:y"" -actn setprot -op ""dacl:p_nc;sacl:p_nc"" -rec cont_obj"
        $s_InfoValue = "Using """ & $s_ACLtool & """ to harden ACLs on: " & @CRLF & @CRLF & $a_ACLobjects[$i]
        _InfoGui($s_InfoValue, 35)
        RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
        GUIDelete()
    Next
EndFunc   ;==>_setACLs


; Function _OSBits to check if the host's OS is 32 or 64bits, returns "64" or "32"
; ==============================================================================================
Func _OSBits()
    Local $tOS = DllStructCreate("char[256]")
    Local $aGSWD = DllCall("Kernel32.dll", "int", "GetSystemWow64Directory", "ptr", DllStructGetPtr($tOS), "int", 256)
    If IsArray($aGSWD) And DllStructGetData($tOS, 1) Then 
        Return 64
    Else
        Return 32
    EndIf
EndFunc   ;==>_OSBits


; Function _InfoGUI to display an info about the task currently processed.
; ==============================================================================================
Func _InfoGUI($InfoValue, $i_height)
    GUICreate("", 320, 100, -1, -1, $WS_Popup, $WS_EX_TOOLWINDOW, "")
    GUICtrlCreateLabel($InfoValue, 0, $i_height, 320, -1, $SS_center)
    GUISetState(@SW_SHOW)
    Sleep(500)
EndFunc   ;==>_InfoGUI

and:

; ####################################################################################
;
; Christoph Herdeg, July 2008
; http://www.cs-it-solutions.de
;
;####################################ACL Settings#####################################
; Here up to 20 objects may be defined to set ACLs on. The DACLs of the objects defined
; here are set to the following values:
;
; "COMPUTERNAME\System" = FullAccess
; "COMPUTERNAME\Administrators" = FullAccess
; "COMPUTERNAME\Users" = NoAccess
; "COMPUTERNAME\PowerUsers" = NoAccess
; "COMPUTERNAME\Everyone" = NoAccess
;
; As well an audit policy is applied onto the objects below. The SACLs are set to log
; any successful attempts to access them by the builtin group "everyone".
;
[settings]
ToolsShare=\\Server\Share\SetACLs\Tools
ACLobject_0=c:\AUTOEXEC.BAT
ACLobject_1=c:\boot.ini
ACLobject_2=c:\CONFIG.SYS
ACLobject_3=c:\IO.SYS
ACLobject_4=c:\MSDOS.SYS
ACLobject_5=c:\NTDETECT.COM
ACLobject_6=c:\ntldr
ACLobject_7=c:\WINDOWS\repair
ACLobject_8=c:\WINDOWS\security
ACLobject_9=c:\WINDOWS\system32\config
ACLobject_10=c:\WINDOWS\system32\dllcache
ACLobject_11=c:\WINDOWS\system32\GroupPolicy
ACLobject_12=
ACLobject_13=
ACLobject_14=
ACLobject_15=
ACLobject_16=
ACLobject_17=
ACLobject_18=
ACLobject_19=

Regards, Chris

Edited by cherdeg


Chris,

I do mostly the same thing on several platforms using the 'secedit.exe' command I found on all the Windows machines here where I work. I use mmc /s to build the inf template. I only wonder, why did you not use secedit.exe for this?

Nice job,

Thanks


Avery Howell - Visit My AutoIt Website: http://www.abox.org
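An added example of the secedit route Avery suggests, not code from this thread or from its authors: a security template that carries the same settings the SetACL command lines in the thread apply (Administrators and SYSTEM full control, Everyone / Users / Power Users removed, every successful access by Everyone audited) plus the object-access audit policy without which a SACL never logs anything. The three paths are illustrative, and the INF syntax is written from memory of the secedit template format, so it is run through /analyze before anything is configured.

```powershell
# Added example, not from the thread. Run elevated; check the analysis log on a test
# machine before switching /analyze to /configure.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[Event Audit]
; 0 = off, 1 = success, 2 = failure, 3 = both. Without this a SACL is inert.
AuditObjectAccess=1

[File Security]
; "path", mode, "SDDL"
;   mode 0: set and let children inherit, 1: set and replace the children's ACLs, 2: leave the object alone
;   D:PAR        DACL, protected from the parent (no inheritance from above)
;   (A;OICI;FA;;;BA)  allow full access, inherited by folders (CI) and files (OI), to Administrators (BA); SY = SYSTEM
;   S:PAR(AU;OICISA;FA;;;WD)  SACL: audit successful (SA) use of any right (FA) by Everyone (WD)
"%SystemRoot%\repair",1,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)S:PAR(AU;OICISA;FA;;;WD)"
"%SystemRoot%\security",1,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)S:PAR(AU;OICISA;FA;;;WD)"
"%SystemRoot%\system32\config",1,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)S:PAR(AU;OICISA;FA;;;WD)"
'@

$work = Join-Path $env:TEMP 'harden-acl'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'harden-acl.inf'
$db  = Join-Path $work 'harden-acl.sdb'
$log = Join-Path $work 'harden-acl.log'
Set-Content -Path $inf -Value $template -Encoding Unicode   # header says Unicode=yes, so write UTF-16

# Dry run: import the template into a fresh database and report where this machine differs
secedit /analyze /db $db /cfg $inf /log $log
Get-Content -Path $log

# Apply once the log shows only the intended differences (FILESTORE = file ACLs, SECURITYPOLICY = audit policy):
#   secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY FILESTORE /log $log
```

Because the template is a plain file, it can be merged into an existing "base" template and ships no tool binaries and no credentials, which is the main difference from the SetACL-from-a-share approach in this thread.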


Chris,

I do mostly the same thing on several platforms using the 'secedit.exe' command I found on all the Windows machines here where I work. I use mmc /s to build the inf template. I only wonder, why did you not use secedit.exe for this?

Nice job,

Thanks

Hi,

...until now I didn't know that there is a way to build .inf templates. Do you think I could create one and merge it with our "base" security template, so I could receive decent permission and auditing settings by just applying that policy file? Would be great - ;) - although exactly today (before reading your post) I perfected my version using setacl.exe (please see below).

#include <Constants.au3>
#include <GUIConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <StaticConstants.au3>
#include <String.au3>
#include <file.au3>
#include <Array.au3>

; Define global variables
; ==================================================================================================
Global $s_IniFile = "setACLs.ini"
Global $i_OSbits = _OSBits()
Global $i_height

; Check if the INI-File exists
; ==================================================================================================
$i_RVal = FileExists($s_IniFile)
If $i_RVal <> 1 Then
    MsgBox(16, "SetACLs", "Error! INI-File " & $s_IniFile & " not found!", "")
    Exit
EndIf

; Run da shi-i-iiit!
; ==================================================================================================
_setACLs()


; Function _setACLs to harden ACLs on security relevant files and directories specified in the INI-File
; ==============================================================================================
Func _setACLs()

    ; Ask for the password to access the ToolsShare
    $s_ToolsServer = IniRead($s_IniFile, "Settings", "ToolsServer", "")
    $s_AdminPassC = InputBox("SetACLs", "Please enter the password of an Administrator with access: ", "", "*", 300, 120)
    If $s_AdminPassC = '' Then
        MsgBox(16, "SetACLs", "Error! Empty credentials supplied - you are not allowed to access the share!", "")
        Exit
    Else
        Local $i_return = 0
        DriveMapDel($s_ToolsServer & "\c$")
        If DriveMapAdd("", $s_ToolsServer & "\c$", 0, "Administrator", $s_AdminPassC) = $i_return Then
            MsgBox(16, "SetACLs", "Error! Wrong credentials supplied - you are not allowed to access the share!", "")
            Exit
        EndIf
    EndIf
    
    ; Logon to the ToolsServer ("net use <share> /user:<name> <password>"; "/username:" followed by a space is not a valid switch)
    ; Caveat: the password is visible in the process command line while "net use" runs; DriveMapAdd above avoids that.
    $s_InfoValue = """Logging on to " & $s_ToolsServer & "..."""
    _InfoGui($s_InfoValue, 45)
    RunWait(@ComSpec & " /c " & "net use " & $s_ToolsServer & "\postinstall /user:Administrator " & $s_AdminPassC, "", @SW_HIDE)
    GUIDelete()

    ; Set a variable containing the right filename for SetACL.exe depending on the local machine's bit count (x32 or x64)
    $s_ToolsShare = IniRead($s_IniFile, "Settings", "ToolsShare", "")
    If $i_OSbits = 64 Then   ; "Not $i_OSbits = 32" parses as "(Not $i_OSbits) = 32" in AutoIt and is never true
        $s_ACLtool = "SetACL-x64.exe"
    Else
        $s_ACLtool = "SetACL-x32.exe"
    EndIf
    
    ; Check if the chosen setacl*.exe is accessible
    $i_RVal = FileExists($s_ToolsShare & "\" & $s_ACLtool)
    If $i_RVal <> 1 Then
        MsgBox(16, "D5100 SetACLs", "Error!" & @CRLF & @CRLF & $s_ToolsShare & "\" & $s_ACLtool & @CRLF & @CRLF & "...is not accessible!", "")
        Exit
    EndIf

    ; Do a first run for the file and directory permissions (DACLs)
    ; Check how many of the 20 possible Objects have dACLs defined in the INI-File ($i_Dcounter)
    Local $i_Dcounter = 0
    For $i = 0 To 19
        $s_dACLobject = "dACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_dACLobject, "") <> "" Then
            $i_Dcounter = $i_Dcounter + 1
        EndIf
    Next

    ; Create the array $a_dACLobjects (dynamically in size depending on $i_Dcounter's value)
    ; Walk all 20 keys and append the defined ones, so a gap in the numbering does not leave an empty slot
    Local $a_dACLobjects[$i_Dcounter], $i_Dnext = 0
    For $i = 0 To 19
        $s_dACLobject = "dACLobject_" & $i
        $s_value = IniRead($s_IniFile, "Settings", $s_dACLobject, "")
        If $s_value <> "" Then
            $a_dACLobjects[$i_Dnext] = $s_value
            $i_Dnext = $i_Dnext + 1
        EndIf
    Next

    ; Set the ACLs for all objects specified in the INI-File
    Global $s_YesNo_P
    For $i = 0 To UBound($a_dACLobjects) - 1
        ; Once, on C:\ itself (this folder and files only, do not inherit):
        ; revoke AllAccess for "Everyone", "Users" and "Power Users", set FullAccess for "Administrators" and "System"
        If $s_YesNo_P = "" Then
            $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on ""c:\\"" -ot file -actn ace -ace ""n:S-1-1-0;m:revoke;s:y"" -ace ""n:S-1-5-32-545;m:revoke;s:y"" -ace ""n:S-1-5-32-547;m:revoke;s:y"" -ace ""n:S-1-5-32-544;p:full;s:y"" -ace ""n:S-1-5-18;p:full;s:y"""   ; last -ace argument now closed with its own quote
            $s_InfoValue = "Using """ & $s_ACLtool & """ to set dACLS (Permissions) on: " & @CRLF & @CRLF & "C:" & @CRLF & "(This folder and files only)"
            _InfoGui($s_InfoValue, 25)
            RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
            $s_YesNo_P = "No"
            GUIDelete()
        EndIf
        ; revoke AllAccess for  "Everyone", "Users" and "Power Users"
        ; set FullAccess for    "Administrators" and "System" 
        ; copy inherited permissions 
        ; inherit the new ones recursively
        $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on """ & $a_dACLobjects[$i] & """ -ot file -actn ace -ace ""n:S-1-1-0;m:revoke;i:sc,so;s:y"" -ace ""n:S-1-5-32-545;m:revoke;i:sc,so;s:y"" -ace ""n:S-1-5-32-547;m:revoke;i:sc,so;s:y"" -ace ""n:S-1-5-32-544;p:full;i:sc,so;s:y"" -ace ""n:S-1-5-18;p:full;i:sc,so;s:y"" -actn clear -clr ""dacl"" -actn rstchldrn -rst ""dacl"""   ; -rec cont_obj
        ConsoleWrite("Command = " & $s_cmd & @CRLF)
        $s_InfoValue = "Using """ & $s_ACLtool & """ to set dACLS (Permissions) on: " & @CRLF & @CRLF & $a_dACLobjects[$i]
        _InfoGui($s_InfoValue, 35)
        RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
        GUIDelete()
    Next

    ; Do a second run for the file and directory auditing (SACLs)
    ; Check how many of the 20 possible Objects have sACLs defined in the INI-File ($i_Scounter)    
    Local $i_Scounter = 0
    For $i = 0 To 19
        $s_sACLobject = "sACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_sACLobject, "") <> "" Then
            $i_Scounter = $i_Scounter + 1
        EndIf
    Next

    ; Create the array $a_sACLobjects (dynamically in size depending on $i_Scounter's value)
    ; Walk all 20 keys and append the defined ones, so a gap in the numbering does not leave an empty slot
    Local $a_sACLobjects[$i_Scounter], $i_Snext = 0
    For $i = 0 To 19
        $s_sACLobject = "sACLobject_" & $i
        $s_value = IniRead($s_IniFile, "Settings", $s_sACLobject, "")
        If $s_value <> "" Then
            $a_sACLobjects[$i_Snext] = $s_value
            $i_Snext = $i_Snext + 1
        EndIf
    Next

    ; Set auditing for C:\ once and cycle as long as there are objects within the array
    Global $s_YesNo_A
    For $i = 0 To UBound($a_sACLobjects) - 1
        ; set SuccessAuditing for   "Everyone"
        ; inherit settings for "This folder and files only"
        ; do not inherit
        If $s_YesNo_A = "" Then
            $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on ""c:\\"" -ot file -actn ace -ace ""n:S-1-1-0;p:full;m:aud_succ;i:so,np;w:sacl;s:y"""   ; -ace argument now closed with its own quote
            $s_InfoValue = "Using """ & $s_ACLtool & """ to set sACLS (Auditing) on: " & @CRLF & @CRLF & "C:" & @CRLF & "(This folder and files only)"
            _InfoGui($s_InfoValue, 25)
            RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
            $s_YesNo_A = "No"
            GUIDelete()
        EndIf
        ; set SuccessAuditing for   "Everyone"
        ; copy inherited settings
        ; inherit settings recursively
        $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on """ & $a_sACLobjects[$i] & """ -ot file -actn ace -ace ""n:S-1-1-0;p:full;m:aud_succ;i:so,sc;w:sacl;s:y"" -actn setprot -op ""sacl:p_c"" -actn clear -clr ""sacl"" -actn rstchldrn -rst ""sacl"""   ; -rec cont_obj
        $s_InfoValue = "Using """ & $s_ACLtool & """ to set sACLS (Auditing) on: " & @CRLF & @CRLF & $a_sACLobjects[$i]
        _InfoGui($s_InfoValue, 35)
        RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
        GUIDelete()
    Next
    
EndFunc   ;==>_setACLs


; Function _OSBits to check if the host's OS is 32 or 64bits, returns "64" or "32"
; ==============================================================================================
Func _OSBits()
    Local $tOS = DllStructCreate("char[256]")
    Local $aGSWD = DllCall("Kernel32.dll", "int", "GetSystemWow64Directory", "ptr", DllStructGetPtr($tOS), "int", 256)
    If IsArray($aGSWD) And DllStructGetData($tOS, 1) Then Return 64
    Return 32
EndFunc   ;==>_OSBits


; Function _InfoGUI to display an info about the task currently processed.
; ==============================================================================================
Func _InfoGUI($InfoValue, $i_height)
    GUICreate("", 320, 100, -1, -1, $WS_Popup, $WS_EX_TOOLWINDOW, "")
    GUICtrlCreateLabel($InfoValue, 0, $i_height, 320, -1, $SS_center)
    GUISetState(@SW_SHOW)
    Sleep(500)
EndFunc   ;==>_InfoGUI
...and also the INI-File:

;#####################################################################
;#
;# Christoph Herdeg, August 2008
;# http://www.cs-it-solutions.de
;#
;#####################################################################
;#
;# Preface
;# ===================
;# "SetACLs.exe" is a utility to set drive, folder and file permissions and auditing settings of a
;# local machine to compliance with ITCS104.
;#
;# General Information
;# ===================
;#
;# This utility is intended to be used from wherever you want.
;#
;# [settings] contains all settings, e.g. the following:
;#
;# - The name of the Server the ToolsShare resides on
;# - The locations where the needed external tools and software reside
;# - The dACLobject_N - entries where targets can be defined to receive dACLs
;# - The sACLobject_N - entries where targets can be defined to receive sACLs
;#
;# Compatibility
;# ===================
;# A few words on compatibility: this utility has been tested and should work on:
;#
;# - Windows 2000 Workstation, Server and Advanced Server
;# - Windows XP Professional x86 and x64
;# - Windows Server 2003 Standard, Enterprise and Datacenter x86 and x64
;# - Windows Vista Enterprise and Ultimate x86 and x64
;# - Windows Server 2008 Standard, Enterprise and Datacenter x86 and x64
;#
;# Supported are all different languages of the above operating systems as long as western characters
;# are used.
;#
;# Liability/warranty
;# ===================
;# As you will have understood by now this tool comes "as is" and without any free support. If you need
;# bugfixes or enhancements of any kind, please feel free to contact me: mailto:info@cs-it-solutions.de
;#
;#####################################################################
[settings]
;#####################################################################
;#
;# General Settings Section
;#
;#####################################################################
;# UNC-Name of the server the tools used by this program reside on
;#####################################################################
ToolsServer=\\Server
;#####################################################################
;# UNC-Name of the share the tools used by this program reside on ("\\Server\Share\Directory")
;# If you move the contents of this share to another location, please keep the existing directory structure.
;#####################################################################
ToolsShare=\\Server\Share\SetACLs\Tools
;#####################################################################
;# Here up to 20 objects may be defined to set dACLs on. The dACLs of the objects defined
;# here are set to the following ITCS104 compliant values:
;#
;# "COMPUTERNAME\System" = FullAccess
;# "COMPUTERNAME\Administrators" = FullAccess
;# "COMPUTERNAME\Users" = NoAccess
;# "COMPUTERNAME\PowerUsers" = NoAccess
;# "COMPUTERNAME\Everyone" = NoAccess
;#
;# The First Object has to be "dACLobject_0" and NOT "dACLobject_1".
;#####################################################################
dACLobject_0=c:\WINDOWS\repair
dACLobject_1=c:\WINDOWS\security
dACLobject_2=c:\WINDOWS\system32\config
dACLobject_3=c:\WINDOWS\system32\dllcache
dACLobject_4=c:\WINDOWS\system32\GroupPolicy
dACLobject_5=
dACLobject_6=
dACLobject_7=
dACLobject_8=
dACLobject_9=
dACLobject_10=
dACLobject_11=
dACLobject_12=
dACLobject_13=
dACLobject_14=
dACLobject_15=
dACLobject_16=
dACLobject_17=
dACLobject_18=
dACLobject_19=
;#####################################################################
;# Here up to 20 objects may be defined to set sACLs on. The sACLs of the objects defined
;# here are set to the following ITCS104 compliant values:
;#
;# "COMPUTERNAME\Everyone" = Audit All Successful access attempts
;#
;# The root folder C: and the objects within are always configured with the sACLs above;
;# if you need other objects to be audited, just enter their base folders below.
;#
;# The First Object has to be "sACLobject_0" and NOT "sACLobject_1".
;#####################################################################
sACLobject_0=c:\Windows
sACLobject_1=c:\Windows\system
sACLobject_2=
sACLobject_3=
sACLobject_4=
sACLobject_5=
sACLobject_6=
sACLobject_7=
sACLobject_8=
sACLobject_9=
sACLobject_10=
sACLobject_11=
sACLobject_12=
sACLobject_13=
sACLobject_14=
sACLobject_15=
sACLobject_16=
sACLobject_17=
sACLobject_18=
sACLobject_19=

So...if you (or anybody else) use my code, please upgrade...I managed to implement inheritance and some cleaning and "housekeeping". There will be one more update in the next months containing the possibility of entering a free number of *ACLobjects in the INI-File. I've got such a function working within another script but have no time at all to insert it here.

Regards,

Chris
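An added example, not Chris's script: the per-object part of the INI-driven hardening above done with the .NET file-security classes instead of SetACL.exe, so nothing is fetched from a tools share and no administrator password travels on a command line. It reads the post's setACLs.ini layout ([settings] with dACLobject_N and sACLobject_N keys; ";" lines are comments); the INI location and the one-off step on C:\ being left out are assumptions of this example.

```powershell
# Added example, not the thread's script. Run elevated (SACL writes need SeSecurityPrivilege).
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$iniPath = '.\setACLs.ini'   # assumed: the INI from the post, next to this script

$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$Inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$Propagate   = [System.Security.AccessControl.PropagationFlags]::None
$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$Success     = [System.Security.AccessControl.AuditFlags]::Success

function Get-Sid([string]$SidString) {
    New-Object System.Security.Principal.SecurityIdentifier($SidString)
}

# Collect the non-empty <Prefix>N values under [settings], in file order, skipping ';' comment lines
function Read-IniTargets([string]$Path, [string]$Prefix) {
    $targets = @()
    $inSettings = $false
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $inSettings = ($Matches[1] -eq 'settings'); continue }
        if ($inSettings -and $line -match ('^' + $Prefix + '\d+\s*=\s*(\S.*)$')) {
            $targets += $Matches[1].Trim()
        }
    }
    return $targets
}

# DACL as the SetACL line in the post: copy inherited entries, cut inheritance from the parent,
# drop Everyone / Users / Power Users, grant Administrators and SYSTEM full control.
function Set-HardenedDacl([string]$Path) {
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)   # protect from parent, keep inherited ACEs as explicit copies
    Set-Acl -Path $Path -AclObject $acl
    $acl = Get-Acl -Path $Path                   # re-read: the copies are explicit now and can be purged
    foreach ($sid in 'S-1-1-0', 'S-1-5-32-545', 'S-1-5-32-547') {   # Everyone, Users, Power Users
        $acl.PurgeAccessRules((Get-Sid $sid))
    }
    foreach ($sid in 'S-1-5-32-544', 'S-1-5-18') {                   # Administrators, SYSTEM
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                           -ArgumentList (Get-Sid $sid), $FullControl, $Inherit, $Propagate, $Allow
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl   # inheritable ACEs flow down to children that are not themselves protected
}

# SACL: audit every successful access by Everyone on the object and everything below it
function Set-SuccessAuditSacl([string]$Path) {
    $acl = Get-Acl -Path $Path -Audit
    $acl.SetAuditRuleProtection($true, $true)
    $acl.PurgeAuditRules((Get-Sid 'S-1-1-0'))
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                       -ArgumentList (Get-Sid 'S-1-1-0'), $FullControl, $Inherit, $Propagate, $Success
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($target in Read-IniTargets -Path $iniPath -Prefix 'dACLobject_') {
    if (Test-Path -LiteralPath $target) { Write-Host "DACL -> $target"; Set-HardenedDacl $target }
    else { Write-Warning "dACL target missing, skipped: $target" }
}
foreach ($target in Read-IniTargets -Path $iniPath -Prefix 'sACLobject_') {
    if (Test-Path -LiteralPath $target) { Write-Host "SACL -> $target"; Set-SuccessAuditSacl $target }
    else { Write-Warning "sACL target missing, skipped: $target" }
}
```

One difference from the SetACL "rstchldrn" action: children that already carry a protected ACL of their own keep it, since Windows only propagates inheritable entries into objects that still inherit. If the post's "reset children" behaviour is wanted, the same two functions can be run over Get-ChildItem -Recurse with protection switched off on each child first.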

Share this post


Link to post
Share on other sites

Chris,

I do mostly the same thing on several platforms using the 'secedit.exe' command I found on all the Windows machines here where I work. I use mmc /s to build the inf template. I only wonder, why did you not use secedit.exe for this?

Nice job,

Thanks

Hi,

...until now I didn't know that there is a way to build .inf templates. Do you think I could create one and merge it with our "base" security template, so I could receive decent permission and auditing settings by just applying that policy file? Would be great - ;) - although exactly today (before reading your post) I perfectionized my version using setacl.exe (please see below).

#include <Constants.au3>
#include <GUIConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <StaticConstants.au3>
#include <String.au3>
#include <file.au3>
#include <Array.au3>

; Define global variables
; ==================================================================================================
Global $s_IniFile = "setACLs.ini"
Global $i_OSbits = _OSBits()
Global $i_height

; Check if the INI-File exists
; ==================================================================================================
$i_RVal = FileExists($s_IniFile)
If $i_RVal <> 1 Then
    MsgBox(16, "SetACLs", "Error! INI-File " & $s_IniFile & " not found!", "")
    Exit
EndIf

; Run da shi-i-iiit!
; ==================================================================================================
_setACLs()


; Function _setACLs to harden ACLs on security relevant files and directories specified in the INI-File
; ==============================================================================================
Func _setACLs()

    ; Ask for the password to access the ToolsShare
    $s_ToolsServer = IniRead($s_IniFile, "Settings", "ToolsServer", "")
    $s_AdminPassC = InputBox("SetACLs", "Please enter the password of an Administrator with access: ", "", "*", 300, 120)
    If $s_AdminPassC = '' Then
        MsgBox(16, "SetACLs", "Error! Empty credentials supplied - you are not allowed to access the share!", "")
        Exit
    Else
        Local $i_return = 0
        DriveMapDel($s_ToolsServer & "\c$")
        If DriveMapAdd("", $s_ToolsServer & "\c$", 0, "Administrator", $s_AdminPassC) = $i_return Then
            MsgBox(16, "SetACLs", "Error! Wrong credentials supplied - you are not allowed to access the share!", "")
            Exit
        EndIf
    EndIf
    
    ; Logon to the ToolsServer
    $s_InfoValue = """Logging on to " & $s_ToolsServer & "..."""
    _InfoGui($s_InfoValue, 45)
    RunWait(@ComSpec & " /c " & "net use " & $s_ToolsServer & "\postinstall /username: Administrator " & $s_AdminPassC, "", @SW_HIDE)
    GUIDelete()

    ; Set a variable containing the right filename for SetACL.exe depending on the local machines bit count (x32 or x64)
    $s_ToolsShare = IniRead($s_IniFile, "Settings", "ToolsShare", "")
    If Not $i_OSbits = 32 Then 
        $s_ACLtool = "SetACL-x64.exe"
    Else
        $s_ACLtool = "SetACL-x32.exe"
    EndIf
    
    ; Check if the chosen setacl*.exe is accessible
    $i_RVal = FileExists($s_ToolsShare & "\" & $s_ACLtool)
    If $i_RVal <> 1 Then
        MsgBox(16, "D5100 SetACLs", "Error!" & @CRLF & @CRLF & $s_ToolsShare & "\" & $s_ACLtool & @CRLF & @CRLF & "...is not accessible!", "")
        Exit
    EndIf

    ; Do a first run for the file and directory permissions (DACLs)
    ; Check how many of the 20 possible Objects have dACLs defined in the INI-File ($i_Dcounter)
    Local $i_Dcounter = 0
    For $i = 0 To 19
        $s_dACLobject = "dACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_dACLobject, "") <> "" Then
            $i_Dcounter = $i_Dcounter + 1
        EndIf
    Next

    ; Create the array $a_dACLobjects (dynamically in size depending on $i_counter's value)
    Local $a_dACLobjects[$i_Dcounter]
    For $i = 0 To $i_Dcounter - 1
        $s_dACLobject = "dACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_dACLobject, "") <> "" Then
            $a_dACLobjects[$i] = IniRead($s_IniFile, "Settings", $s_dACLobject, "")
        EndIf
    Next

    ; Set the ACLs for all objects specified in the INI-File
    Global $s_YesNo_P
    For $i = 0 To UBound($a_dACLobjects) - 1
        ; set SuccessAuditing for   "Everyone"
        ; inherit settings for "This folder and files only"
        ; do not inherit
        If $s_YesNo_P = "" Then
            $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on ""c:\\"" -ot file -actn ace -ace ""n:S-1-1-0;m:revoke;s:y"" -ace ""n:S-1-5-32-545;m:revoke;s:y"" -ace ""n:S-1-5-32-547;m:revoke;s:y"" -ace ""n:S-1-5-32-544;p:full;s:y"" -ace ""n:S-1-5-18;p:full;s:y"
            $s_InfoValue = "Using """ & $s_ACLtool & """ to set dACLS (Permissions) on: " & @CRLF & @CRLF & "C:" & @CRLF & "(This folder and files only)"
            _InfoGui($s_InfoValue, 25)
            RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
            $s_YesNo_P = "No"
            GUIDelete()
        EndIf
        ; revoke AllAccess for  "Everyone", "Users" and "Power Users"
        ; set FullAccess for    "Administrators" and "System" 
        ; copy inherited permissions 
        ; inherit the new ones recursivly
        $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on """ & $a_dACLobjects[$i] & """ -ot file -actn ace -ace ""n:S-1-1-0;m:revoke;i:sc,so;s:y"" -ace ""n:S-1-5-32-545;m:revoke;i:sc,so;s:y"" -ace ""n:S-1-5-32-547;m:revoke;i:sc,so;s:y"" -ace ""n:S-1-5-32-544;p:full;i:sc,so;s:y"" -ace ""n:S-1-5-18;p:full;i:sc,so;s:y"" -actn clear -clr ""dacl"" -actn rstchldrn -rst ""dacl" ; -rec cont_obj"
        ConsoleWrite("Command = " & $s_cmd & @CRLF)
        $s_InfoValue = "Using """ & $s_ACLtool & """ to set dACLS (Permissions) on: " & @CRLF & @CRLF & $a_dACLobjects[$i]
        _InfoGui($s_InfoValue, 35)
        RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
        GUIDelete()
    Next

    ; Do a second run for the file and directory auditing (SACLs)
    ; Check how many of the 20 possible Objects have sACLs defined in the INI-File ($i_Scounter)    
    Local $i_Scounter = 0
    For $i = 0 To 19
        $s_sACLobject = "sACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_sACLobject, "") <> "" Then
            $i_Scounter = $i_Scounter + 1
        EndIf
    Next

    ; Create the array $a_sACLobjects (dynamically in size depending on $i_counter's value)
    Local $a_sACLobjects[$i_Scounter]
    For $i = 0 To $i_Scounter - 1
        $s_sACLobject = "sACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_sACLobject, "") <> "" Then
            $a_sACLobjects[$i] = IniRead($s_IniFile, "Settings", $s_sACLobject, "")
        EndIf
    Next

    ; Set auditing for C:\ once and cycle as long as there are objects within the array
    Global $s_YesNo_A
    For $i = 0 To UBound($a_sACLobjects) - 1
        ; set SuccessAuditing for   "Everyone"
        ; inherit settings for "This folder and files only"
        ; do not inherit
        If $s_YesNo_A = "" Then
            $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on ""c:\\"" -ot file -actn ace -ace ""n:S-1-1-0;p:full;m:aud_succ;i:so,np;w:sacl;s:y"
            $s_InfoValue = "Using """ & $s_ACLtool & """ to set sACLS (Auditing) on: " & @CRLF & @CRLF & "C:" & @CRLF & "(This folder and files only)"
            _InfoGui($s_InfoValue, 25)
            RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
            $s_YesNo_A = "No"
            GUIDelete()
        EndIf
        ; set SuccessAuditing for   "Everyone"
        ; copy inherited settings
        ; inherit settings recursivly
        $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on """ & $a_sACLobjects[$i] & """ -ot file -actn ace -ace ""n:S-1-1-0;p:full;m:aud_succ;i:so,sc;w:sacl;s:y"" -actn setprot -op ""sacl:p_c"" -actn clear -clr ""sacl"" -actn rstchldrn -rst ""sacl" ; -rec cont_obj
        $s_InfoValue = "Using """ & $s_ACLtool & """ to set sACLS (Auditing) on: " & @CRLF & @CRLF & $a_sACLobjects[$i]
        _InfoGui($s_InfoValue, 35)
        RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
        GUIDelete()
    Next
    
EndFunc   ;==>_setACLs


; Function _OSBits to check if the host's OS is 32 or 64 bits, returns 64 or 32
; ==============================================================================================
Func _OSBits()
    Local $tOS = DllStructCreate("char[256]")
    Local $aGSWD = DllCall("Kernel32.dll", "int", "GetSystemWow64Directory", "ptr", DllStructGetPtr($tOS), "int", 256)
    If IsArray($aGSWD) And DllStructGetData($tOS, 1) Then Return 64
    Return 32
EndFunc   ;==>_OSBits


; Function _InfoGUI to display an info about the task currently processed.
; ==============================================================================================
Func _InfoGUI($InfoValue, $i_height)
    GUICreate("", 320, 100, -1, -1, $WS_Popup, $WS_EX_TOOLWINDOW, "")
    GUICtrlCreateLabel($InfoValue, 0, $i_height, 320, -1, $SS_center)
    GUISetState(@SW_SHOW)
    Sleep(500)
EndFunc   ;==>_InfoGUI
...and also the INI-File:

;#####################################################################
;#
;# Christoph Herdeg, August 2008
;# http://www.cs-it-solutions.de
;#
;#####################################################################
;#
;# Preface
;# ===================
;# "SetACLs.exe" is a utility to set drive, folder and file permissions and auditing settings of a
;# local machine to compliance with ITCS104.
;#
;# General Information
;# ===================
;#
;# This utility is intended to be used from wherever you want.
;#
;# [settings] contains all settings, e.g. the following:
;#
;# - The name of the Server the ToolsShare resides on
;# - The locations where the needed external tools and software reside
;# - The dACLobject_N entries, where targets can be defined to receive dACLs
;# - The sACLobject_N entries, where targets can be defined to receive sACLs
;#
;# Compatibility
;# ===================
;# A few words on compatibility: this utility has been tested and should work on:
;#
;# - Windows 2000 Workstation, Server and Advanced Server
;# - Windows XP Professional x86 and x64
;# - Windows Server 2003 Standard, Enterprise and Datacenter x86 and x64
;# - Windows Vista Enterprise and Ultimate x86 and x64
;# - Windows Server 2008 Standard, Enterprise and Datacenter x86 and x64
;#
;# Supported are all different languages of the above operating systems as long as western characters
;# are used.
;#
;# Liability/warranty
;# ===================
;# As you will have understood by now this tool comes "as is" and without any free support. If you need
;# bugfixes or enhancements of any kind, please feel free to contact me: mailto:info@cs-it-solutions.de
;#
;#####################################################################
[settings]
;#####################################################################
;#
;# General Settings Section
;#
;#####################################################################
;# UNC-Name of the server the tools used by this program reside on
;#####################################################################
ToolsServer=\\Server
;#####################################################################
;# UNC-Name of the share the tools used by this program reside on ("\\Server\Share\Directory")
;# If you move the contents of this share to another location, please keep the existing directory structure.
;#####################################################################
ToolsShare=\\Server\Share\SetACLs\Tools
;#####################################################################
;# Here up to 20 objects may be defined to set dACLs on. The dACLs of the objects defined
;# here are set to the following ITCS104 compliant values:
;#
;# "COMPUTERNAME\System" = FullAccess
;# "COMPUTERNAME\Administrators" = FullAccess
;# "COMPUTERNAME\Users" = NoAccess
;# "COMPUTERNAME\Power Users" = NoAccess
;# "COMPUTERNAME\Everyone" = NoAccess
;#
;# The first object has to be "dACLobject_0" and NOT "dACLobject_1".
;#####################################################################
dACLobject_0=c:\WINDOWS\repair
dACLobject_1=c:\WINDOWS\security
dACLobject_2=c:\WINDOWS\system32\config
dACLobject_3=c:\WINDOWS\system32\dllcache
dACLobject_4=c:\WINDOWS\system32\GroupPolicy
dACLobject_5=
dACLobject_6=
dACLobject_7=
dACLobject_8=
dACLobject_9=
dACLobject_10=
dACLobject_11=
dACLobject_12=
dACLobject_13=
dACLobject_14=
dACLobject_15=
dACLobject_16=
dACLobject_17=
dACLobject_18=
dACLobject_19=
;#####################################################################
;# Here up to 20 objects may be defined to set sACLs on. The sACLs of the objects defined
;# here are set to the following ITCS104 compliant values:
;#
;# "COMPUTERNAME\Everyone" = Audit all successful access attempts
;#
;# The root folder C: and the objects within are always configured with the sACLs above;
;# if you need other objects to be audited, just enter their base folders below.
;#
;# The first object has to be "sACLobject_0" and NOT "sACLobject_1".
;#####################################################################
sACLobject_0=c:\Windows
sACLobject_1=c:\Windows\system
sACLobject_2=
sACLobject_3=
sACLobject_4=
sACLobject_5=
sACLobject_6=
sACLobject_7=
sACLobject_8=
sACLobject_9=
sACLobject_10=
sACLobject_11=
sACLobject_12=
sACLobject_13=
sACLobject_14=
sACLobject_15=
sACLobject_16=
sACLobject_17=
sACLobject_18=
sACLobject_19=

So...if you (or anybody else) use my code, please upgrade...I managed to implement inheritance and some cleaning and "housekeeping". There will be one more update in the next months containing the possibility of entering a free number of *ACLobjects in the INI-File. I've got such a function working within another script but have no time at all to insert it here.

Regards,

Chris
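As an added example, not code from the thread or from the SetACL project, here is the same Everyone/success auditing entry the script writes with SetACL.exe, applied and read back through the .NET ACL classes from PowerShell. The function names and the demo folder path are my own choices, and the session must be elevated because reading or writing a SACL needs SeSecurityPrivilege.

```powershell
# Added example (not from the thread): the SACL the script sets with SetACL.exe, applied and
# verified with the .NET ACL classes. Run elevated: Get-Acl -Audit and Set-Acl need SeSecurityPrivilege.

$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # "n:S-1-1-0" in the script

function Set-SuccessAuditForEveryone {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Set:   the script's root run, "i:so,np" = this folder and files only, no propagation.
        # Unset: the script's per-object run, "i:so,sc" = inherited by files and sub-folders.
        [switch]$ThisFolderAndFilesOnly
    )
    $acl = Get-Acl -Path $Path -Audit    # -Audit fetches the SACL; without it only the DACL comes back

    if ($ThisFolderAndFilesOnly) {
        $inherit   = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
        $propagate = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
    } else {
        $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        $propagate = [System.Security.AccessControl.PropagationFlags]::None
        # "-actn setprot -op sacl:p_c": stop inheriting the SACL from the parent, keep a copy of the inherited entries
        $acl.SetAuditRuleProtection($true, $true)
    }

    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
        $Everyone,
        [System.Security.AccessControl.FileSystemRights]::FullControl,   # "p:full"
        $inherit, $propagate,
        [System.Security.AccessControl.AuditFlags]::Success)             # "m:aud_succ"
    # AddAuditRule merges with an existing entry for the same identity and flags, so re-running is idempotent
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-SuccessAuditForEveryone {
    # The check a practitioner wants after the run: is there an Everyone / Success / FullControl audit entry?
    param([Parameter(Mandatory)][string]$Path)
    $acl  = Get-Acl -Path $Path -Audit
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $hits = $acl.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $Everyone -and
                       $_.AuditFlags.HasFlag([System.Security.AccessControl.AuditFlags]::Success) -and
                       ($_.FileSystemRights -band $full) -eq $full }
    return [bool]$hits
}

# Demo on a constructed folder instead of the script's real targets (C:\, C:\Windows, ...)
$demo = New-Item -ItemType Directory -Force -Path 'C:\Temp\setacls-demo'   # placeholder path
Set-SuccessAuditForEveryone -Path $demo.FullName
Test-SuccessAuditForEveryone -Path $demo.FullName

# A SACL alone logs nothing: the "Audit object access" policy (File System subcategory on Vista
# and later) must be enabled, or no 4663 events are written. Check with:
#   auditpol /get /subcategory:"File System"
```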


Chris,

I do mostly the same thing on several platforms using the 'secedit.exe' command I found on all the Windows machines here where I work. I use mmc /s to build the inf template. I only wonder, why did you not use secedit.exe for this?

Nice job,

Thanks

Hi,

...until now I didn't know that there is a way to build .inf templates. Do you think I could create one and merge it with our "base" security template, so I could receive decent permission and auditing settings by just applying that policy file? Would be great - ;) - although exactly today (before reading your post) I perfected my version using setacl.exe (please see below).


Hi,

...until now I didn't know that there is a way to build .inf templates. Do you think I could create one and merge it with our "base" security template, so I could receive decent permission and auditing settings by just applying that policy file? Would be great - ;) - although exactly today (before reading your post) I perfectionized my version using setacl.exe (please see below).

Yes you can merge templates. Windows uses this during install with one of the templates in @WindowsDir\Security\Templates\. As far as security for files go you get the same options you get when you right click a file and go to properties, security, advanced.

Or if you ever mess up your permission settings, reg settings or services you can load the default inf template or build your own.

Anything that can be set in a GPO or Local policy + more can be seen in mmc /s then add the Security Template snap-in. I also use this tool to validate template and compare them. You can build a template and compare it against a local or network machine to see if they are in compliance, generates a decent report on things that don't match.

I've been playing with your program as it lets the users have a few more options on settings.

Nice job,

Thanks


Avery Howell, Visit My AutoIt Website: http://www.abox.org
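Following up on the secedit suggestion, an added example (not from either poster) that turns the INI's dACLobject_N/sACLobject_N lists into a security template whose [File Security] entries express the same permissions and auditing in SDDL, ready for secedit /analyze or /configure. The INI text is a constructed excerpt of the values above, and the output and database paths are placeholders.

```powershell
# Added example (not from the thread): build a secedit security template from the object lists
# in setACLs.ini so the hardened DACLs and the Everyone/success SACLs can be applied with, and
# checked against, secedit.exe. The INI text below is a constructed excerpt of the page's INI.

$iniText = @'
[settings]
ToolsServer=\\Server
dACLobject_0=c:\WINDOWS\repair
dACLobject_1=c:\WINDOWS\security
dACLobject_2=c:\WINDOWS\system32\config
dACLobject_3=
sACLobject_0=c:\Windows
sACLobject_1=c:\Windows\system
sACLobject_2=
'@

# SDDL for the values documented in the INI header. DACL: SYSTEM (SY) and Administrators (BA) get
# full control (FA), inherited by sub-folders (CI) and files (OI); no entry for Everyone, Users or
# Power Users means no access; P = do not inherit from the parent. SACL: one audit ACE (AU) for
# Everyone (WD), successful access only (SA), full control, same inheritance.
$daclSddl = 'D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)'
$saclSddl = 'S:P(AU;OICISA;FA;;;WD)'

function ConvertTo-FileSecurityLines {
    param([Parameter(Mandatory)][string]$Ini)
    $perPath = [ordered]@{}      # path -> SDDL parts, merged when both lists name the same path
    foreach ($line in $Ini -split "`r?`n") {
        if ($line -match '^(?<kind>[ds])ACLobject_\d+=(?<path>\S.*)$') {   # empty entries are skipped
            $path = $Matches.path.Trim()
            if (-not $perPath.Contains($path)) { $perPath[$path] = @{} }
            if ($Matches.kind -eq 'd') { $perPath[$path].D = $daclSddl } else { $perPath[$path].S = $saclSddl }
        }
    }
    foreach ($path in $perPath.Keys) {
        # Template line format: "<path>",<mode>,"<SDDL>". Mode 1 = replace the ACLs of all
        # sub-folders and files, the counterpart of the script's "-actn rstchldrn".
        '"{0}",1,"{1}{2}"' -f $path, $perPath[$path].D, $perPath[$path].S
    }
}

function New-SetAclsTemplate {
    param([Parameter(Mandatory)][string]$Ini, [Parameter(Mandatory)][string]$OutFile)
    $content = @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Event Audit]', 'AuditObjectAccess = 1',   # 1 = success; without this policy the SACLs never log
        '[File Security]'
    ) + @(ConvertTo-FileSecurityLines -Ini $Ini)
    Set-Content -Path $OutFile -Value $content -Encoding Unicode   # Unicode=yes: the file must be UTF-16
    return $content
}

# Placeholder paths; nothing on the machine changes until secedit /configure is run.
New-SetAclsTemplate -Ini $iniText -OutFile 'C:\Temp\setacls.inf'
# Read-only comparison of this machine against the template (mismatches are written to the log):
#   secedit /analyze /db C:\Temp\setacls.sdb /cfg C:\Temp\setacls.inf /log C:\Temp\setacls.log
# Apply the file ACLs plus the audit policy once the report looks right:
#   secedit /configure /db C:\Temp\setacls.sdb /cfg C:\Temp\setacls.inf /areas FILESTORE SECURITYPOLICY
```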
