cherdeg Posted August 13, 2008

Hi,

I'm currently evaluating the possibilities existing to set auditing for Files and Folders using WMI. If you can't imagine what this is about, open Windows Explorer, go to "C:\", right-click the mouse, choose "Properties" from the context menu and select the tab "Security". Click the "Advanced" button and select the tab "Auditing" in the following window. Here you can configure so-called "SACL"s ("System Access Control Lists", German users please check "http://www.it-visions.de/glossar/alle/186/System Access Control List.aspx") to have the operating system log the access to "C:\" or any other folder or file for the user or group specified here. So you could log each attempt of user "Tom" to change the access rights to the file "C:\boot.ini" or just his attempts to open the file. You can audit the success or failure of an attempt (or both).

I would like to set a full "success" auditing policy (log every kind of successful access) for the local group "Everyone" on special files/folders.

Up to now I came so far but have no clue how to reach my goal any further:

```autoit
; Set File Auditing for c:\temp
; ==================================================================================================

; Define variables
Local $s_FolderToAudit = "'c:\temp'"
Local $s_Computername = @ComputerName
Local $obj_WMIsecDes = "wmiSecurityDescriptor"
Local $obj_WMIfileSecSetting = ObjGet("winmgmts:Win32_LogicalFileSecuritySetting.Path=" & $s_FolderToAudit)

; Obtain existing security descriptor for folder
$obj_GetVal = $obj_WMIfileSecSetting.GetSecurityDescriptor($obj_WMIsecDes)
MsgBox("", "GetSecurityDescriptor", $obj_GetVal)
$obj_varSACL = $obj_WMIsecDes.sacl

$obj_WMIprovider=ObjGet("winmgmts:\\" & $s_Computername & "\root\cimv2")
$obj_AceClass=$obj_WMIprovider.get("win32_ace")
$obj_Ace=$obj_AceClass.spawninstance_()
$obj_TrusteeClass=$obj_WMIprovider.Get("Win32_Trustee")
$obj_Trustee=$obj_TrusteeClass.spawninstance_()

$obj_Trustee.name="Everyone"
$obj_Trustee.sidstring="S-1-1-0"
$obj_Ace.accessmask=983551
$obj_Ace.acetype=2
$obj_Ace.aceflags=131
$obj_Ace.Trustee=$obj_Trustee
$obj_WMIsecDes.sacl=$obj_Ace

$obj_SetVal = $obj_WMIfileSecSetting.SetSecurityDescriptor($obj_WMIsecDes)
MsgBox("", "SetSecurityDescriptor", $obj_SetVal)

If $obj_SetVal = 0 Then
    MsgBox("", "pass", "pass")
else
    MsgBox("", "fail", "fail")
EndIf
```

I'm quite lost when it comes to setting the right values for .accessmask, .acetype and .aceflags. Also I haven't really understood the complete context. What are the values to call .SetSecurityDescriptor with and how is it called correctly? Is there anyone out there able to help me? I'm grateful for any bit of help...

Best Regards,
Chris

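Added example, not part of the original thread: a Python decoder for the three numeric Win32_ACE fields asked about in the post above (AccessMask, AceType, AceFlags), run over the values from the posted script and compared with what a "success" audit entry for full access needs. The constants are the standard Windows SDK values; the function names are made up for this illustration.

```python
"""Decode and build the numeric Win32_ACE fields used for file auditing (SACL) entries.

Added illustration: the constants are standard Windows SDK values, the
function names are hypothetical and not part of WMI, AutoIt or SetACL.
"""

ACE_TYPES = {
    0: "ACCESS_ALLOWED_ACE_TYPE",
    1: "ACCESS_DENIED_ACE_TYPE",
    2: "SYSTEM_AUDIT_ACE_TYPE",
}

ACE_FLAGS = {
    0x01: "OBJECT_INHERIT_ACE",          # files below the folder inherit
    0x02: "CONTAINER_INHERIT_ACE",       # subfolders inherit
    0x04: "NO_PROPAGATE_INHERIT_ACE",    # inherit one level only
    0x08: "INHERIT_ONLY_ACE",            # applies to children, not the object itself
    0x10: "INHERITED_ACE",
    0x40: "SUCCESSFUL_ACCESS_ACE_FLAG",  # audit successful access
    0x80: "FAILED_ACCESS_ACE_FLAG",      # audit failed access
}

FILE_RIGHTS = {
    0x000001: "FILE_READ_DATA",
    0x000002: "FILE_WRITE_DATA",
    0x000004: "FILE_APPEND_DATA",
    0x000008: "FILE_READ_EA",
    0x000010: "FILE_WRITE_EA",
    0x000020: "FILE_EXECUTE",
    0x000040: "FILE_DELETE_CHILD",
    0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}

FILE_ALL_ACCESS = 0x1F01FF  # all of the rights above combined
SYSTEM_AUDIT = 2
SUCCESS, FAILURE = 0x40, 0x80


def decode_bits(value, table):
    """Return (names of the bits set in value, bits not covered by table)."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    return names, leftover


def describe_ace(access_mask, ace_type, ace_flags):
    """Translate the three numeric fields into symbolic names."""
    rights, unknown_rights = decode_bits(access_mask, FILE_RIGHTS)
    flags, unknown_flags = decode_bits(ace_flags, ACE_FLAGS)
    return {
        "type": ACE_TYPES.get(ace_type, "UNKNOWN(%d)" % ace_type),
        "rights": rights,
        "flags": flags,
        "unknown_bits": (unknown_rights, unknown_flags),
    }


def audit_ace_fields(success=True, failure=False, recurse=True,
                     access_mask=FILE_ALL_ACCESS):
    """Compute the field values for an audit ACE with the given behaviour."""
    flags = (SUCCESS if success else 0) | (FAILURE if failure else 0)
    if not flags:
        raise ValueError("an audit ACE must log success, failure or both")
    if recurse:
        flags |= 0x01 | 0x02  # propagate to files and subfolders
    return {"AccessMask": access_mask, "AceType": SYSTEM_AUDIT, "AceFlags": flags}


def review_success_audit(access_mask, ace_type, ace_flags):
    """List where the fields differ from a full-access success audit entry."""
    findings = []
    if ace_type != SYSTEM_AUDIT:
        findings.append("AceType is not SYSTEM_AUDIT_ACE_TYPE (2)")
    if not ace_flags & SUCCESS:
        findings.append("SUCCESSFUL_ACCESS_ACE_FLAG (0x40) missing: "
                        "successful access is not logged")
    if ace_flags & FAILURE:
        findings.append("FAILED_ACCESS_ACE_FLAG (0x80) set: failed access is logged")
    missing = FILE_ALL_ACCESS & ~access_mask
    if missing:
        findings.append("AccessMask lacks: "
                        + ", ".join(decode_bits(missing, FILE_RIGHTS)[0]))
    return findings


# The values used in the posted script.
POSTED = {"access_mask": 983551, "ace_type": 2, "ace_flags": 131}

if __name__ == "__main__":
    print(describe_ace(**POSTED))
    for finding in review_success_audit(**POSTED):
        print("-", finding)
    print("success audit, recursive:", audit_ace_fields())
```

A SACL entry only produces Security log events when object-access auditing is also enabled in the machine's audit policy.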
cherdeg Posted August 14, 2008

Somebody has a Keepie Uppie Queen?

ptrex Posted August 14, 2008

@cherdeg

WMI is not the best approach to use for this.

Better is GPO

regards,

ptrex

cherdeg Posted August 15, 2008

> WMI is not the best approach to use for this.
> Better is GPO

@ptrex...YES, you're definitely right. If someone manages an office or other production network this would be the most feasible option. But here we have a situation in which we have to manage about 2500 testbed machines (used for software building, debugging and testing), partly hardware, partly virtual machines on ESX, using all of the following operating systems: 2000 (Pro / Server / Adv.Server), XP (Home / Pro 32 and 64 bits), Server 2003 (all Eds.), Vista (all Eds.), Server 2008 (all Eds.)...and only a minority of the systems belongs to a domain.

Nevertheless we have to comply with certain security policies set up by the CTO of our local branch; one of which is auditing. My job is to optimize the automation of management for our testbed and due to the fact that I cannot conveniently implement GPOs I need to use WMI because at least it doesn't require me to do the same step locally on every machine.

So maybe someone has a hint for me regarding WMI and SACLs?

Best Regards,
Chris

cherdeg Posted August 18, 2008 (edited)

Don't bother any further to help me out - if nobody wants to help (or is able to), a tech guy even today still has to walk the rocky way...and invent the wheel from scratch. At the end I simply used setACL.exe (-ace ""n:S-1-1-0;p:full;m:aud_succ;w:sacl;s:y"" sets up the logging of any successful attempt to access by the builtin group "everyone").

Nevertheless I would like to share my new wisdom with everybody else:

```autoit
; ####################################################################################
;
; Christoph Herdeg, July 2008
; http://www.cs-it-solutions.de
;
; ####################################################################################

#include <Constants.au3>
#include <GUIConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <StaticConstants.au3>
#include <String.au3>
#include <file.au3>
#include <Array.au3>

; Define global variables
; ==================================================================================================
Global $s_IniFile = "setACLs.ini"
Global $s_ini_sections = IniReadSectionNames($s_IniFile)
Global $i_OSbits = _OSBits()
Global $i_height

; Run da shi-i-iiit!
; ==================================================================================================
_setACLs()

; Function _setACLs to harden ACLs on security relevant files and directories specified in the INI-File
; ==============================================================================================
Func _setACLs()
    ; Create an array for the objects to change the ACLs on
    ; Check how many of the 20 possible Objects are defined in the INI-File ($i_counter)
    Local $i_counter = 0
    For $i = 0 To 19
        $s_actualACLobject = "ACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_actualACLobject, "") <> '' Then
            $i_counter = $i_counter + 1
        EndIf
    Next

    ; Create the array $a_ACLobjects (dynamically in size depending on $i_counter's value)
    ; The last valid index is $i_counter - 1
    Local $a_ACLobjects[$i_counter]
    For $i = 0 To $i_counter - 1
        $s_actualACLobject = "ACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_actualACLobject, "") <> '' Then
            $a_ACLobjects[$i] = IniRead($s_IniFile, "Settings", $s_actualACLobject, "")
        EndIf
    Next

    ; Set a variable containing the right filename for SetACL.exe depending on the local machines bit count (x32 or x64)
    ; ("Not $i_OSbits = 32" would negate $i_OSbits before comparing, so compare with <> instead)
    $s_ToolsShare = IniRead($s_IniFile, "Settings", "ToolsShare", "")
    If $i_OSbits <> 32 Then
        $s_ACLtool = "SetACL-x64.exe"
    Else
        $s_ACLtool = "SetACL-x32.exe"
    EndIf

    ; Set the ACLs for all objects specified in the INI-File
    For $i = 0 To UBound($a_ACLobjects) - 1
        ; revoke AllAccess for "Everyone", "Users" and "Power Users"
        ; set FullAccess for "Administrators" and "System"
        ; set SuccessAuditing for "Everyone"
        ; remove inherited permissions
        ; inherit the new ones recursively
        $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on """ & $a_ACLobjects[$i] & """ -ot file -actn ace" & _
                " -ace ""n:S-1-1-0;m:revoke;s:y""" & _
                " -ace ""n:S-1-5-32-545;m:revoke;s:y""" & _
                " -ace ""n:S-1-5-32-547;m:revoke;s:y""" & _
                " -ace ""n:S-1-5-32-544;p:full;s:y""" & _
                " -ace ""n:S-1-1-0;p:full;m:aud_succ;w:sacl;s:y""" & _
                " -ace ""n:S-1-5-18;p:full;s:y""" & _
                " -actn setprot -op ""dacl:p_nc;sacl:p_nc"" -rec cont_obj"
        $s_InfoValue = "Using """ & $s_ACLtool & """ to harden ACLs on: " & @CRLF & @CRLF & $a_ACLobjects[$i]
        _InfoGui($s_InfoValue, 35)
        RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
        GUIDelete()
    Next
EndFunc   ;==>_setACLs

; Function _OSBits to check if the host's OS is 32 or 64bits, returns "64" or "32"
; ==============================================================================================
Func _OSBits()
    Local $tOS = DllStructCreate("char[256]")
    Local $aGSWD = DllCall("Kernel32.dll", "int", "GetSystemWow64Directory", "ptr", DllStructGetPtr($tOS), "int", 256)
    If IsArray($aGSWD) And DllStructGetData($tOS, 1) Then
        Return 64
    Else
        Return 32
    EndIf
EndFunc   ;==>_OSBits

; Function _InfoGUI to display an info about the task currently processed.
; ==============================================================================================
Func _InfoGUI($InfoValue, $i_height)
    GUICreate("", 320, 100, -1, -1, $WS_Popup, $WS_EX_TOOLWINDOW, "")
    GUICtrlCreateLabel($InfoValue, 0, $i_height, 320, -1, $SS_center)
    GUISetState(@SW_SHOW)
    Sleep(500)
EndFunc   ;==>_InfoGUI
```

and:

```ini
; ####################################################################################
;
; Christoph Herdeg, July 2008
; http://www.cs-it-solutions.de
;
;####################################ACL Settings#####################################
; Here up to 20 objects may be defined to set ACLs on. The DACLs of the objects defined
; here are set to the following values:
;
; "COMPUTERNAME\System" = FullAccess
; "COMPUTERNAME\Administrators" = FullAccess
; "COMPUTERNAME\Users" = NoAccess
; "COMPUTERNAME\PowerUsers" = NoAccess
; "COMPUTERNAME\Everyone" = NoAccess
;
; As well an audit policy is applied onto the objects below. The SACLs are set to log
; any successful attempts to access them by the builtin group "everyone".
;
[settings]
ToolsShare=\\Server\Share\SetACLs\Tools
ACLobject_0=c:\AUTOEXEC.BAT
ACLobject_1=c:\boot.ini
ACLobject_2=c:\CONFIG.SYS
ACLobject_3=c:\IO.SYS
ACLobject_4=c:\MSDOS.SYS
ACLobject_5=c:\NTDETECT.COM
ACLobject_6=c:\ntldr
ACLobject_7=c:\WINDOWS\repair
ACLobject_8=c:\WINDOWS\security
ACLobject_9=c:\WINDOWS\system32\config
ACLobject_10=c:\WINDOWS\system32\dllcache
ACLobject_11=c:\WINDOWS\system32\GroupPolicy
ACLobject_12=
ACLobject_13=
ACLobject_14=
ACLobject_15=
ACLobject_16=
ACLobject_17=
ACLobject_18=
ACLobject_19=
```

Regards,
Chris

Edited August 18, 2008 by cherdeg

avery Posted August 21, 2008

Chris,

I do mostly the same thing on several platforms using the 'secedit.exe' command I found on all the Windows machines here where I work.

I use mmc /s to build the inf template.

I only wonder, why did you not use secedit.exe for this?

Nice job,

Thanks

Avery Howell, http://www.abox.org

cherdeg Posted August 27, 2008

> Chris,
> I do mostly the same thing on several platforms using the 'secedit.exe' command I found on all the Windows machines here where I work.
> I use mmc /s to build the inf template.
> I only wonder, why did you not use secedit.exe for this?
> Nice job,
> Thanks

Hi,

...until now I didn't know that there is a way to build .inf templates. Do you think I could create one and merge it with our "base" security template, so I could receive decent permission and auditing settings by just applying that policy file? Would be great - although exactly today (before reading your post) I perfected my version using setacl.exe (please see below).

```autoit
#include <Constants.au3>
#include <GUIConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <StaticConstants.au3>
#include <String.au3>
#include <file.au3>
#include <Array.au3>

; Define global variables
; ==================================================================================================
Global $s_IniFile = "setACLs.ini"
Global $i_OSbits = _OSBits()
Global $i_height

; Check if the INI-File exists
; ==================================================================================================
$i_RVal = FileExists($s_IniFile)
If $i_RVal <> 1 Then
    MsgBox(16, "SetACLs", "Error! INI-File " & $s_IniFile & " not found!", "")
    Exit
EndIf

; Run da shi-i-iiit!
; ==================================================================================================
_setACLs()

; Function _setACLs to harden ACLs on security relevant files and directories specified in the INI-File
; ==============================================================================================
Func _setACLs()
    ; Ask for the password to access the ToolsShare
    $s_ToolsServer = IniRead($s_IniFile, "Settings", "ToolsServer", "")
    $s_AdminPassC = InputBox("SetACLs", "Please enter the password of an Administrator with access: ", "", "*", 300, 120)
    If $s_AdminPassC = '' Then
        MsgBox(16, "SetACLs", "Error! Empty credentials supplied - you are not allowed to access the share!", "")
        Exit
    Else
        ; DriveMapAdd returns 0 on failure
        Local $i_return = 0
        DriveMapDel($s_ToolsServer & "\c$")
        If DriveMapAdd("", $s_ToolsServer & "\c$", 0, "Administrator", $s_AdminPassC) = $i_return Then
            MsgBox(16, "SetACLs", "Error! Wrong credentials supplied - you are not allowed to access the share!", "")
            Exit
        EndIf
    EndIf

    ; Logon to the ToolsServer ("net use" takes the password after the share name and the account via /user:)
    $s_InfoValue = """Logging on to " & $s_ToolsServer & "..."""
    _InfoGui($s_InfoValue, 45)
    RunWait(@ComSpec & " /c " & "net use " & $s_ToolsServer & "\postinstall " & $s_AdminPassC & " /user:Administrator", "", @SW_HIDE)
    GUIDelete()

    ; Set a variable containing the right filename for SetACL.exe depending on the local machines bit count (x32 or x64)
    ; ("Not $i_OSbits = 32" would negate $i_OSbits before comparing, so compare with <> instead)
    $s_ToolsShare = IniRead($s_IniFile, "Settings", "ToolsShare", "")
    If $i_OSbits <> 32 Then
        $s_ACLtool = "SetACL-x64.exe"
    Else
        $s_ACLtool = "SetACL-x32.exe"
    EndIf

    ; Check if the chosen setacl*.exe is accessible
    $i_RVal = FileExists($s_ToolsShare & "\" & $s_ACLtool)
    If $i_RVal <> 1 Then
        MsgBox(16, "D5100 SetACLs", "Error!" & @CRLF & @CRLF & $s_ToolsShare & "\" & $s_ACLtool & @CRLF & @CRLF & "...is not accessible!", "")
        Exit
    EndIf

    ; Do a first run for the file and directory permissions (DACLs)
    ; Check how many of the 20 possible Objects have dACLs defined in the INI-File ($i_Dcounter)
    Local $i_Dcounter = 0
    For $i = 0 To 19
        $s_dACLobject = "dACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_dACLobject, "") <> "" Then
            $i_Dcounter = $i_Dcounter + 1
        EndIf
    Next

    ; Create the array $a_dACLobjects (dynamically in size depending on $i_Dcounter's value)
    Local $a_dACLobjects[$i_Dcounter]
    For $i = 0 To $i_Dcounter - 1
        $s_dACLobject = "dACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_dACLobject, "") <> "" Then
            $a_dACLobjects[$i] = IniRead($s_IniFile, "Settings", $s_dACLobject, "")
        EndIf
    Next

    ; Set the ACLs for all objects specified in the INI-File
    Global $s_YesNo_P
    For $i = 0 To UBound($a_dACLobjects) - 1
        ; first pass only: set the permissions on the root folder C:\
        ; revoke AllAccess for "Everyone", "Users" and "Power Users"
        ; set FullAccess for "Administrators" and "System"
        If $s_YesNo_P = "" Then
            $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on ""c:\\"" -ot file -actn ace" & _
                    " -ace ""n:S-1-1-0;m:revoke;s:y""" & _
                    " -ace ""n:S-1-5-32-545;m:revoke;s:y""" & _
                    " -ace ""n:S-1-5-32-547;m:revoke;s:y""" & _
                    " -ace ""n:S-1-5-32-544;p:full;s:y""" & _
                    " -ace ""n:S-1-5-18;p:full;s:y"""
            $s_InfoValue = "Using """ & $s_ACLtool & """ to set dACLS (Permissions) on: " & @CRLF & @CRLF & "C:" & @CRLF & "(This folder and files only)"
            _InfoGui($s_InfoValue, 25)
            RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
            $s_YesNo_P = "No"
            GUIDelete()
        EndIf

        ; revoke AllAccess for "Everyone", "Users" and "Power Users"
        ; set FullAccess for "Administrators" and "System"
        ; copy inherited permissions
        ; inherit the new ones recursively
        $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on """ & $a_dACLobjects[$i] & """ -ot file -actn ace" & _
                " -ace ""n:S-1-1-0;m:revoke;i:sc,so;s:y""" & _
                " -ace ""n:S-1-5-32-545;m:revoke;i:sc,so;s:y""" & _
                " -ace ""n:S-1-5-32-547;m:revoke;i:sc,so;s:y""" & _
                " -ace ""n:S-1-5-32-544;p:full;i:sc,so;s:y""" & _
                " -ace ""n:S-1-5-18;p:full;i:sc,so;s:y""" & _
                " -actn clear -clr ""dacl"" -actn rstchldrn -rst ""dacl""" ; -rec cont_obj
        ConsoleWrite("Command = " & $s_cmd & @CRLF)
        $s_InfoValue = "Using """ & $s_ACLtool & """ to set dACLS (Permissions) on: " & @CRLF & @CRLF & $a_dACLobjects[$i]
        _InfoGui($s_InfoValue, 35)
        RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
        GUIDelete()
    Next

    ; Do a second run for the file and directory auditing (SACLs)
    ; Check how many of the 20 possible Objects have sACLs defined in the INI-File ($i_Scounter)
    Local $i_Scounter = 0
    For $i = 0 To 19
        $s_sACLobject = "sACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_sACLobject, "") <> "" Then
            $i_Scounter = $i_Scounter + 1
        EndIf
    Next

    ; Create the array $a_sACLobjects (dynamically in size depending on $i_Scounter's value)
    Local $a_sACLobjects[$i_Scounter]
    For $i = 0 To $i_Scounter - 1
        $s_sACLobject = "sACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_sACLobject, "") <> "" Then
            $a_sACLobjects[$i] = IniRead($s_IniFile, "Settings", $s_sACLobject, "")
        EndIf
    Next

    ; Set auditing for C:\ once and cycle as long as there are objects within the array
    Global $s_YesNo_A
    For $i = 0 To UBound($a_sACLobjects) - 1
        ; set SuccessAuditing for "Everyone"
        ; inherit settings for "This folder and files only"
        ; do not inherit
        If $s_YesNo_A = "" Then
            $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on ""c:\\"" -ot file -actn ace" & _
                    " -ace ""n:S-1-1-0;p:full;m:aud_succ;i:so,np;w:sacl;s:y"""
            $s_InfoValue = "Using """ & $s_ACLtool & """ to set sACLS (Auditing) on: " & @CRLF & @CRLF & "C:" & @CRLF & "(This folder and files only)"
            _InfoGui($s_InfoValue, 25)
            RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
            $s_YesNo_A = "No"
            GUIDelete()
        EndIf

        ; set SuccessAuditing for "Everyone"
        ; copy inherited settings
        ; inherit settings recursively
        $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on """ & $a_sACLobjects[$i] & """ -ot file -actn ace" & _
                " -ace ""n:S-1-1-0;p:full;m:aud_succ;i:so,sc;w:sacl;s:y""" & _
                " -actn setprot -op ""sacl:p_c"" -actn clear -clr ""sacl"" -actn rstchldrn -rst ""sacl""" ; -rec cont_obj
        $s_InfoValue = "Using """ & $s_ACLtool & """ to set sACLS (Auditing) on: " & @CRLF & @CRLF & $a_sACLobjects[$i]
        _InfoGui($s_InfoValue, 35)
        RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
        GUIDelete()
    Next
EndFunc   ;==>_setACLs

; Function _OSBits to check if the host's OS is 32 or 64bits, returns "64" or "32"
; ==============================================================================================
Func _OSBits()
    Local $tOS = DllStructCreate("char[256]")
    Local $aGSWD = DllCall("Kernel32.dll", "int", "GetSystemWow64Directory", "ptr", DllStructGetPtr($tOS), "int", 256)
    If IsArray($aGSWD) And DllStructGetData($tOS, 1) Then Return 64
    Return 32
EndFunc   ;==>_OSBits

; Function _InfoGUI to display an info about the task currently processed.
; ==============================================================================================
Func _InfoGUI($InfoValue, $i_height)
    GUICreate("", 320, 100, -1, -1, $WS_Popup, $WS_EX_TOOLWINDOW, "")
    GUICtrlCreateLabel($InfoValue, 0, $i_height, 320, -1, $SS_center)
    GUISetState(@SW_SHOW)
    Sleep(500)
EndFunc   ;==>_InfoGUI
```

...and also the INI-File:

```ini
;#####################################################################
;#
;# Christoph Herdeg, August 2008
;# http://www.cs-it-solutions.de
;#
;#####################################################################
;#
;# Preface
;# ===================
;# "SetACLs.exe" is a utility to set drive, folder and file permissions and auditing settings of a
;# local machine to compliance with ITCS104.
;#
;# General Information
;# ===================
;#
;# This utility is intended to be used from wherever you want.
;#
;# [settings] contains all settings, e.g, the following:
;#
;# - The name of the Server the ToolsShare resides on
;# - The locations where the needed external tools and software reside
;# - The dACLobject_N - entries where targets can be defined to receive dACLs
;# - The sACLobject_N - entries where targets can be defined to receive sACLs
;#
;# Compatibility
;# ===================
;# A few words on compatibility: this utility has been tested and should work on:
;#
;# - Windows 2000 Workstation, Server and Advanced Server
;# - Windows XP Professional x86 and x64
;# - Windows Server 2003 Standard, Enterprise and Datacenter x86 and x64
;# - Windows Vista Enterprise and Ultimate x86 and x64
;# - Windows Server 2008 Standard, Enterprise and Datacenter x86 and x64
;#
;# Supported are all different languages of the above operating systems as long as western characters
;# are used.
;#
;# Liability/warranty
;# ===================
;# As you will have understood by now this tool comes "as is" and without any free support. If you need
;# bugfixes or enhancements of any kind, please feel free to contact me: mailto:info@cs-it-solutions.de
;#
;#####################################################################

[settings]

;#####################################################################
;#
;# General Settings Section
;#
;#####################################################################
;# UNC-Name of the server the tools used by this program reside on
;#####################################################################
ToolsServer=\\Server

;#####################################################################
;# UNC-Name of the share the tools used by this program reside on ("\\Server\Share\Directory")
;# If you move the contents of this share to another location, please keep the existing directory structure.
;#####################################################################
ToolsShare=\\Server\Share\SetACLs\Tools

;#####################################################################
;# Here up to 20 objects may be defined to set dACLs on. The dACLs of the objects defined
;# here are set to the following ITSC104 compliant values:
;#
;# "COMPUTERNAME\System" = FullAccess
;# "COMPUTERNAME\Administrators" = FullAccess
;# "COMPUTERNAME\Users" = NoAccess
;# "COMPUTERNAME\PowerUsers" = NoAccess
;# "COMPUTERNAME\Everyone" = NoAccess
;#
;# The First Object has to be "dACLobject_0" and NOT "dACLobject_1".
;#####################################################################
dACLobject_0=c:\WINDOWS\repair
dACLobject_1=c:\WINDOWS\security
dACLobject_2=c:\WINDOWS\system32\config
dACLobject_3=c:\WINDOWS\system32\dllcache
dACLobject_4=c:\WINDOWS\system32\GroupPolicy
dACLobject_5=
dACLobject_6=
dACLobject_7=
dACLobject_8=
dACLobject_9=
dACLobject_10=
dACLobject_11=
dACLobject_12=
dACLobject_13=
dACLobject_14=
dACLobject_15=
dACLobject_16=
dACLobject_17=
dACLobject_18=
dACLobject_19=

;#####################################################################
;# Here up to 20 objects may be defined to set sACLs on. The sACLs of the objects defined
;# here are set to the following ITSC104 compliant values:
;#
;# "COMPUTERNAME\Everyone" = Audit All Successful access attempts
;#
;# The root folder C: and the objects within are always configured with the sACLs above;
;# if you need other objects to be audited, just enter their base folders below.
;#
;# The First Object has to be "sACLobject_0" and NOT "sACLobject_1".
;#####################################################################
sACLobject_0=c:\Windows
sACLobject_1=c:\Windows\system
sACLobject_2=
sACLobject_3=
sACLobject_4=
sACLobject_5=
sACLobject_6=
sACLobject_7=
sACLobject_8=
sACLobject_9=
sACLobject_10=
sACLobject_11=
sACLobject_12=
sACLobject_13=
sACLobject_14=
sACLobject_15=
sACLobject_16=
sACLobject_17=
sACLobject_18=
sACLobject_19=
```

So...if you (or anybody else) uses my code, please upgrade...I managed to implement inheritance and some cleaning and "housekeeping". There will be one more update in the next months containing the possibility of entering a free number of *ACLobjects in the INI-File. I've got such a function working within another script but have no time at all to insert it here.

Regards,
Chris
;##################################################################### sACLobject_0=c:\Windows sACLobject_1=c:\Windows\system sACLobject_2= sACLobject_3= sACLobject_4= sACLobject_5= sACLobject_6= sACLobject_7= sACLobject_8= sACLobject_9= sACLobject_10= sACLobject_11= sACLobject_12= sACLobject_13= sACLobject_14= sACLobject_15= sACLobject_16= sACLobject_17= sACLobject_18= sACLobject_19= So...if you (or anybody else) uses my code, please upgrade...I managed to implement inheritance and some cleaning and "houskeeping". There will be one more update in the next months containing the possibility of entering a free number of *ACLobjects in the INI-File. I've got such a function working within another script but have no time at all to insert it here. Regards, Chris Link to comment Share on other sites More sharing options...
cherdeg Posted August 27, 2008

> Chris, I do mostly the same thing on several platforms using the 'secedit.exe' command I found on all the Windows machines here where I work. I use mmc /s to build the inf template. I only wonder, why did you not use secedit.exe for this? Nice job, Thanks

Hi,

...until now I didn't know that there is a way to build .inf templates. Do you think I could create one and merge it with our "base" security template, so I could receive decent permission and auditing settings by just applying that policy file? Would be great - although exactly today (before reading your post) I perfected my version using setacl.exe (please see below).

```autoit
#include <Constants.au3>
#include <GUIConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <StaticConstants.au3>
#include <String.au3>
#include <file.au3>
#include <Array.au3>

; Define global variables
; ==================================================================================================
Global $s_IniFile = "setACLs.ini"
Global $i_OSbits = _OSBits()
Global $i_height

; Check if the INI-File exists
; ==================================================================================================
$i_RVal = FileExists($s_IniFile)
If $i_RVal <> 1 Then
    MsgBox(16, "SetACLs", "Error! INI-File " & $s_IniFile & " not found!", "")
    Exit
EndIf

; Run da shi-i-iiit!
; ==================================================================================================
_setACLs()

; Function _setACLs to harden ACLs on security relevant files and directories specified in the INI-File
; ==============================================================================================
Func _setACLs()
    ; Ask for the password to access the ToolsShare
    $s_ToolsServer = IniRead($s_IniFile, "Settings", "ToolsServer", "")
    $s_AdminPassC = InputBox("SetACLs", "Please enter the password of an Administrator with access: ", "", "*", 300, 120)
    If $s_AdminPassC = '' Then
        MsgBox(16, "SetACLs", "Error! Empty credentials supplied - you are not allowed to access the share!", "")
        Exit
    Else
        ; DriveMapAdd returns 0 on failure
        Local $i_return = 0
        DriveMapDel($s_ToolsServer & "\c$")
        If DriveMapAdd("", $s_ToolsServer & "\c$", 0, "Administrator", $s_AdminPassC) = $i_return Then
            MsgBox(16, "SetACLs", "Error! Wrong credentials supplied - you are not allowed to access the share!", "")
            Exit
        EndIf
    EndIf

    ; Logon to the ToolsServer
    ; (net use expects the password after the share name and the account as /user:)
    $s_InfoValue = """Logging on to " & $s_ToolsServer & "..."""
    _InfoGui($s_InfoValue, 45)
    RunWait(@ComSpec & " /c " & "net use " & $s_ToolsServer & "\postinstall """ & $s_AdminPassC & """ /user:Administrator", "", @SW_HIDE)
    GUIDelete()

    ; Set a variable containing the right filename for SetACL.exe depending on the local machine's bit count (x32 or x64)
    ; ("Not" binds tighter than "=", so the comparison is written with "<>")
    $s_ToolsShare = IniRead($s_IniFile, "Settings", "ToolsShare", "")
    If $i_OSbits <> 32 Then
        $s_ACLtool = "SetACL-x64.exe"
    Else
        $s_ACLtool = "SetACL-x32.exe"
    EndIf

    ; Check if the chosen setacl*.exe is accessible
    $i_RVal = FileExists($s_ToolsShare & "\" & $s_ACLtool)
    If $i_RVal <> 1 Then
        MsgBox(16, "D5100 SetACLs", "Error!" & @CRLF & @CRLF & $s_ToolsShare & "\" & $s_ACLtool & @CRLF & @CRLF & "...is not accessible!", "")
        Exit
    EndIf

    ; Do a first run for the file and directory permissions (DACLs)
    ; Check how many of the 20 possible Objects have dACLs defined in the INI-File ($i_Dcounter)
    Local $i_Dcounter = 0
    For $i = 0 To 19
        $s_dACLobject = "dACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_dACLobject, "") <> "" Then
            $i_Dcounter = $i_Dcounter + 1
        EndIf
    Next

    ; Create the array $a_dACLobjects (dynamically in size depending on $i_Dcounter's value)
    Local $a_dACLobjects[$i_Dcounter]
    For $i = 0 To $i_Dcounter - 1
        $s_dACLobject = "dACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_dACLobject, "") <> "" Then
            $a_dACLobjects[$i] = IniRead($s_IniFile, "Settings", $s_dACLobject, "")
        EndIf
    Next

    ; Set the ACLs for all objects specified in the INI-File
    Global $s_YesNo_P
    For $i = 0 To UBound($a_dACLobjects) - 1
        ; Once, for C:\ itself:
        ; revoke AllAccess for "Everyone", "Users" and "Power Users"
        ; set FullAccess for "Administrators" and "System"
        ; no inheritance flags are given for these ACEs
        If $s_YesNo_P = "" Then
            $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on ""c:\\"" -ot file -actn ace" & _
                    " -ace ""n:S-1-1-0;m:revoke;s:y""" & _
                    " -ace ""n:S-1-5-32-545;m:revoke;s:y""" & _
                    " -ace ""n:S-1-5-32-547;m:revoke;s:y""" & _
                    " -ace ""n:S-1-5-32-544;p:full;s:y""" & _
                    " -ace ""n:S-1-5-18;p:full;s:y"""
            $s_InfoValue = "Using """ & $s_ACLtool & """ to set dACLS (Permissions) on: " & @CRLF & @CRLF & "C:" & @CRLF & "(This folder and files only)"
            _InfoGui($s_InfoValue, 25)
            RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
            $s_YesNo_P = "No"
            GUIDelete()
        EndIf

        ; revoke AllAccess for "Everyone", "Users" and "Power Users"
        ; set FullAccess for "Administrators" and "System"
        ; copy inherited permissions
        ; inherit the new ones recursively
        $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on """ & $a_dACLobjects[$i] & """ -ot file -actn ace" & _
                " -ace ""n:S-1-1-0;m:revoke;i:sc,so;s:y""" & _
                " -ace ""n:S-1-5-32-545;m:revoke;i:sc,so;s:y""" & _
                " -ace ""n:S-1-5-32-547;m:revoke;i:sc,so;s:y""" & _
                " -ace ""n:S-1-5-32-544;p:full;i:sc,so;s:y""" & _
                " -ace ""n:S-1-5-18;p:full;i:sc,so;s:y""" & _
                " -actn clear -clr ""dacl"" -actn rstchldrn -rst ""dacl""" ; -rec cont_obj
        ConsoleWrite("Command = " & $s_cmd & @CRLF)
        $s_InfoValue = "Using """ & $s_ACLtool & """ to set dACLS (Permissions) on: " & @CRLF & @CRLF & $a_dACLobjects[$i]
        _InfoGui($s_InfoValue, 35)
        RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
        GUIDelete()
    Next

    ; Do a second run for the file and directory auditing (SACLs)
    ; Check how many of the 20 possible Objects have sACLs defined in the INI-File ($i_Scounter)
    Local $i_Scounter = 0
    For $i = 0 To 19
        $s_sACLobject = "sACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_sACLobject, "") <> "" Then
            $i_Scounter = $i_Scounter + 1
        EndIf
    Next

    ; Create the array $a_sACLobjects (dynamically in size depending on $i_Scounter's value)
    Local $a_sACLobjects[$i_Scounter]
    For $i = 0 To $i_Scounter - 1
        $s_sACLobject = "sACLobject_" & $i
        If IniRead($s_IniFile, "Settings", $s_sACLobject, "") <> "" Then
            $a_sACLobjects[$i] = IniRead($s_IniFile, "Settings", $s_sACLobject, "")
        EndIf
    Next

    ; Set auditing for C:\ once and cycle as long as there are objects within the array
    Global $s_YesNo_A
    For $i = 0 To UBound($a_sACLobjects) - 1
        ; set SuccessAuditing for "Everyone"
        ; inherit settings for "This folder and files only"
        ; do not inherit
        If $s_YesNo_A = "" Then
            $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on ""c:\\"" -ot file -actn ace" & _
                    " -ace ""n:S-1-1-0;p:full;m:aud_succ;i:so,np;w:sacl;s:y"""
            $s_InfoValue = "Using """ & $s_ACLtool & """ to set sACLS (Auditing) on: " & @CRLF & @CRLF & "C:" & @CRLF & "(This folder and files only)"
            _InfoGui($s_InfoValue, 25)
            RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
            $s_YesNo_A = "No"
            GUIDelete()
        EndIf

        ; set SuccessAuditing for "Everyone"
        ; copy inherited settings
        ; inherit settings recursively
        $s_cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on """ & $a_sACLobjects[$i] & """ -ot file -actn ace" & _
                " -ace ""n:S-1-1-0;p:full;m:aud_succ;i:so,sc;w:sacl;s:y""" & _
                " -actn setprot -op ""sacl:p_c""" & _
                " -actn clear -clr ""sacl"" -actn rstchldrn -rst ""sacl""" ; -rec cont_obj
        $s_InfoValue = "Using """ & $s_ACLtool & """ to set sACLS (Auditing) on: " & @CRLF & @CRLF & $a_sACLobjects[$i]
        _InfoGui($s_InfoValue, 35)
        RunWait(@ComSpec & " /c " & $s_cmd, "", @SW_HIDE)
        GUIDelete()
    Next
EndFunc   ;==>_setACLs

; Function _OSBits to check if the host's OS is 32 or 64bits, returns "64" or "32"
; ==============================================================================================
Func _OSBits()
    Local $tOS = DllStructCreate("char[256]")
    Local $aGSWD = DllCall("Kernel32.dll", "int", "GetSystemWow64Directory", "ptr", DllStructGetPtr($tOS), "int", 256)
    If IsArray($aGSWD) And DllStructGetData($tOS, 1) Then Return 64
    Return 32
EndFunc   ;==>_OSBits

; Function _InfoGUI to display an info about the task currently processed.
; ==============================================================================================
Func _InfoGUI($InfoValue, $i_height)
    GUICreate("", 320, 100, -1, -1, $WS_Popup, $WS_EX_TOOLWINDOW, "")
    GUICtrlCreateLabel($InfoValue, 0, $i_height, 320, -1, $SS_center)
    GUISetState(@SW_SHOW)
    Sleep(500)
EndFunc   ;==>_InfoGUI
```

...and also the INI-File:

```ini
;#####################################################################
;#
;# Christoph Herdeg, August 2008
;# http://www.cs-it-solutions.de
;#
;#####################################################################
;#
;# Preface
;# ===================
;# "SetACLs.exe" is a utility to set drive, folder and file permissions and auditing settings of a
;# local machine to compliance with ITCS104.
;#
;# General Information
;# ===================
;#
;# This utility is intended to be used from wherever you want.
;#
;# [settings] contains all settings, e.g., the following:
;#
;# - The name of the Server the ToolsShare resides on
;# - The locations where the needed external tools and software reside
;# - The dACLobject_N - entries where targets can be defined to receive dACLs
;# - The sACLobject_N - entries where targets can be defined to receive sACLs
;#
;# Compatibility
;# ===================
;# A few words on compatibility: this utility has been tested and should work on:
;#
;# - Windows 2000 Workstation, Server and Advanced Server
;# - Windows XP Professional x86 and x64
;# - Windows Server 2003 Standard, Enterprise and Datacenter x86 and x64
;# - Windows Vista Enterprise and Ultimate x86 and x64
;# - Windows Server 2008 Standard, Enterprise and Datacenter x86 and x64
;#
;# Supported are all different languages of the above operating systems as long as western characters
;# are used.
;#
;# Liability/warranty
;# ===================
;# As you will have understood by now this tool comes "as is" and without any free support. If you need
;# bugfixes or enhancements of any kind, please feel free to contact me: mailto:info@cs-it-solutions.de
;#
;#####################################################################

[settings]

;#####################################################################
;#
;# General Settings Section
;#
;#####################################################################
;# UNC-Name of the server the tools used by this program reside on
;#####################################################################
ToolsServer=\\Server

;#####################################################################
;# UNC-Name of the share the tools used by this program reside on ("\\Server\Share\Directory")
;# If you move the contents of this share to another location, please keep the existing directory structure.
;#####################################################################
ToolsShare=\\Server\Share\SetACLs\Tools

;#####################################################################
;# Here up to 20 objects may be defined to set dACLs on. The dACLs of the objects defined
;# here are set to the following ITCS104 compliant values:
;#
;# "COMPUTERNAME\System" = FullAccess
;# "COMPUTERNAME\Administrators" = FullAccess
;# "COMPUTERNAME\Users" = NoAccess
;# "COMPUTERNAME\PowerUsers" = NoAccess
;# "COMPUTERNAME\Everyone" = NoAccess
;#
;# The First Object has to be "dACLobject_0" and NOT "dACLobject_1".
;#####################################################################
dACLobject_0=c:\WINDOWS\repair
dACLobject_1=c:\WINDOWS\security
dACLobject_2=c:\WINDOWS\system32\config
dACLobject_3=c:\WINDOWS\system32\dllcache
dACLobject_4=c:\WINDOWS\system32\GroupPolicy
dACLobject_5=
dACLobject_6=
dACLobject_7=
dACLobject_8=
dACLobject_9=
dACLobject_10=
dACLobject_11=
dACLobject_12=
dACLobject_13=
dACLobject_14=
dACLobject_15=
dACLobject_16=
dACLobject_17=
dACLobject_18=
dACLobject_19=

;#####################################################################
;# Here up to 20 objects may be defined to set sACLs on. The sACLs of the objects defined
;# here are set to the following ITCS104 compliant values:
;#
;# "COMPUTERNAME\Everyone" = Audit All Successful access attempts
;#
;# The root folder C: and the objects within are always configured with the sACLs above;
;# if you need other objects to be audited, just enter their base folders below.
;#
;# The First Object has to be "sACLobject_0" and NOT "sACLobject_1".
;#####################################################################
sACLobject_0=c:\Windows
sACLobject_1=c:\Windows\system
sACLobject_2=
sACLobject_3=
sACLobject_4=
sACLobject_5=
sACLobject_6=
sACLobject_7=
sACLobject_8=
sACLobject_9=
sACLobject_10=
sACLobject_11=
sACLobject_12=
sACLobject_13=
sACLobject_14=
sACLobject_15=
sACLobject_16=
sACLobject_17=
sACLobject_18=
sACLobject_19=
```

So...if you (or anybody else) uses my code, please upgrade...I managed to implement inheritance and some cleaning and "housekeeping". There will be one more update in the next months containing the possibility of entering a free number of *ACLobjects in the INI-File. I've got such a function working within another script but have no time at all to insert it here.

Regards,
Chris
avery Posted August 27, 2008

> Hi, ...until now I didn't know that there is a way to build .inf templates. Do you think I could create one and merge it with our "base" security template, so I could receive decent permission and auditing settings by just applying that policy file? Would be great - although exactly today (before reading your post) I perfected my version using setacl.exe (please see below).

Yes, you can merge templates. Windows uses this during install with one of the templates in @WindowsDir\Security\Templates\. As far as security for files goes, you get the same options you get when you right-click a file and go to Properties, Security, Advanced.

Or if you ever mess up your permission settings, reg settings or services, you can load the default inf template or build your own.

Anything that can be set in a GPO or Local policy + more can be seen in mmc /s, then add the Security Template snap-in. I also use this tool to validate templates and compare them. You can build a template and compare it against a local or network machine to see if they are in compliance; it generates a decent report on things that don't match.

I've been playing with your program as it lets the users have a few more options on settings.

Nice job,
Thanks

www.abox.org
Avery Howell
Visit My AutoIt Website http://www.abox.org
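The template route discussed in the two posts above, as an added example that is not code from either poster: a Python script that turns the dACLobject_N / sACLobject_N entries of a setACLs.ini-style file into the [File Security] section of a security template for secedit.exe. The SDDL strings are an assumed mapping of the policy stated in the INI comments, the function names are hypothetical, and the sample INI text is constructed.

```python
import configparser
import re

# Constructed sample in the shape of the setACLs.ini above (gap and case mix on purpose).
SAMPLE_INI = r"""
[settings]
;# comment lines start with ;#
dACLobject_0=c:\WINDOWS\repair
dACLobject_1=
dACLobject_2=c:\WINDOWS\security
sACLobject_0=c:\Windows\Security
sACLobject_1=c:\Windows\system
"""

# Assumed SDDL mapping of the policy in the INI comments:
# protected DACL with full access for SYSTEM (SY) and Administrators (BA) only.
DACL_SDDL = "D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)"
# Audit successful full access by Everyone (WD), inherited by files and folders.
SACL_SDDL = "S:(AU;OICISA;FA;;;WD)"
# Template mode 2: replace existing settings on all subfolders and files.
MODE_REPLACE = 2


def read_objects(ini_text, prefix):
    """Return the non-empty <prefix>_N values in numeric order, tolerating gaps."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' in paths stays literal
    cp.optionxform = str  # keep key case as written
    cp.read_string(ini_text)
    section = next((s for s in cp.sections() if s.lower() == "settings"), None)
    if section is None:
        raise ValueError("no [settings] section found")
    pattern = re.compile(re.escape(prefix) + r"_(\d+)", re.IGNORECASE)
    found = []
    for key, value in cp.items(section):
        match = pattern.fullmatch(key)
        if match and value.strip():
            found.append((int(match.group(1)), value.strip()))
    return [path for _, path in sorted(found)]


def build_template(ini_text):
    """Build template text with one [File Security] line per distinct path."""
    entries = {}  # lower-cased path -> [path as written, DACL part, SACL part]
    for path in read_objects(ini_text, "dACLobject"):
        entries.setdefault(path.lower(), [path, "", ""])[1] = DACL_SDDL
    for path in read_objects(ini_text, "sACLobject"):
        entries.setdefault(path.lower(), [path, "", ""])[2] = SACL_SDDL
    lines = ["[Unicode]", "Unicode=yes", "[Version]",
             'signature="$CHICAGO$"', "Revision=1", "[File Security]"]
    for path, dacl, sacl in entries.values():
        if '"' in path or "\n" in path:
            raise ValueError("unsupported character in path: %r" % path)
        lines.append('"%s",%d,"%s"' % (path, MODE_REPLACE, dacl + sacl))
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(build_template(SAMPLE_INI), end="")
```

The generated file can be checked with `secedit /validate` and applied with `secedit /configure /db <database> /cfg <template> /areas FILESTORE`, where `<database>` and `<template>` are placeholders for your own file names.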