Security Configuration

using MMC/Security Templates & SeCEdit

On this page I'll explain how to set security on files, folders and even on registry keys using batch files.
I recently learned this technique from Adriaan Westra, who has used this technique successfully on Windows 2000, XP and Server 2003.

Until recently I would use CACLS (or XCACLS from the Resource Kits) to set file system security.
For example, the following command grants write access to a folder and subfolders without revoking existing permissions:

CACLS.EXE /E /T d:\myfolder /G mydomain\somegroup:C

This can be a slow process, because it will "touch" each and every file, but it works.

Permissions on registry keys, on the other hand, were impossible to set by batch files, or so I thought.

With the following technique you can set permissions on files, folders and registry keys, change ownership, set registry values, and more.
The preparations require a lot of clicking in GUIs, but after that you'll have a configuration file that can be used to "silently" set permissions from batch files.

So let's start with the preparations in the GUI.
As an example we'll grant the builtin group "Authenticated Users" write access to the folder C:\Program Files\MyProgram and its content, and to the registry key HKEY_LOCAL_MACHINE\Software\MyProgram.

 

Open a new Microsoft Management Console by issuing the command MMC.

 

In the "File" menu, click "Add/Remove Snap-in...".

 

Click "Add...".

 

Select "Security Templates" and click "Close".

 

Click "OK" to close the "Add/Remove Snap-in" dialog.

 

Expand the "Console Root" and navigate to "setup security".

 

Select "File System" and right-click it; select "Add File...".

 

Navigate to and select "C:\Program Files\MyProgram".

 

Set the required access permissions.

Note: We will overwrite existing permissions, so make sure all permissions are set correctly.

Click "OK" to close the dialog.

 

Set the inheritance.
Note that "C:\Program Files" is substituted with "%ProgramFiles%".
Click "OK" to close the dialog.

 

"%ProgramFiles%\MyProgram" is now listed in File System Objects.

 

Select "Registry" and right-click it; select "Add Key...".

 

Navigate to and select "MACHINE\Software\MyProgram".

 

Unless we want to grant "Authenticated Users" "Full Control", we need to use the "Advanced" settings.

Note: We will overwrite existing permissions, so make sure all permissions are set correctly.

 

Select "Authenticated Users" again and click "Edit".

 

Select and then deselect "Full Control", then deselect "Change Permissions" and "Take Ownership".
Click "OK" to close the dialog.

 

Note that "Permissions" changed from "Read" to "Special".
Click "OK" to close the dialog.

 

Set the inheritance.
Note that "HKEY_LOCAL_MACHINE" is substituted with "MACHINE".
Click "OK" to close the dialog.

 

Now select "setup security" and right-click it; select "Save As...".

 

By default the existing security template file and location appear; do not save yet, because we want to save our configuration file under a different name in a different location.

 

Navigate to the desired location and change the file name into whatever you like.

Note: If you use spaces in the file name, you'll have to use the short file name (8.3 notation) in the batch file we will be creating later.
Double quotes are not allowed in SeCEdit commands.

Click "Save" to save your configuration.

 

Your new configuration will be listed in the console.

 

In the "File" menu, click "Save As..." to save your MMC console window.

 

Choose a location and file name and click "Save".
You may want to create a shortcut to this new console settings file.

 

Now locate your configuration file (myprog.inf in the example) and open it in Notepad or any other Unicode-enabled text editor.
Carefully delete everything except the changes you just made and the "Version" and "Profile Description" sections. You may also want to change the description.
This is what the result will look like:

[Registry Keys]
"MACHINE\SOFTWARE\MyProgram",0,"D:PAR(A;CI;KA;;;BA)(A;CI;CCDCLCSWRPWPSDRC;;;AU)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)"
[File Security]
"%ProgramFiles%\MyProgram",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;AU)(A;OICI;FA;;;SY)"
[Version]
signature="$CHICAGO$"
Revision=1
[Profile Description]
Description=Security settings for MyProgram with Write Access for Authenticated Users
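
Before applying the template it is worth decoding its SDDL strings to confirm exactly what "Authenticated Users" would receive. The following Python script is an added example for this page, not part of the original article or of SeCEdit; it embeds the two security lines from the listing above as constructed input, and the audit function and its report layout are this example's own.

```python
import re
# Access bits from winnt.h, abbreviations from sddl.h; WD/WO are the bits behind
# the "Change Permissions" and "Take Ownership" checkboxes used on this page.
WRITE_DAC, WRITE_OWNER = 0x40000, 0x80000
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x20000, "SD": 0x10000, "WD": WRITE_DAC, "WO": WRITE_OWNER,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019,
}
TRUSTEES = {"BA": "Administrators", "AU": "Authenticated Users",
            "SY": "SYSTEM", "CO": "CREATOR OWNER", "WD": "Everyone"}
# Constructed copy of the two security lines from the myprog.inf shown above.
TEMPLATE = r'''[Registry Keys]
"MACHINE\SOFTWARE\MyProgram",0,"D:PAR(A;CI;KA;;;BA)(A;CI;CCDCLCSWRPWPSDRC;;;AU)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)"
[File Security]
"%ProgramFiles%\MyProgram",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;AU)(A;OICI;FA;;;SY)"
'''

def rights_mask(field):
    """SDDL rights field (hex number or a run of two-letter codes) -> bit mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    return sum(RIGHTS[field[i:i + 2]] for i in range(0, len(field), 2))

def parse_dacl(sddl):
    """Return [(ace_type, flags, mask, trustee)] for the D: part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = (a.split(";") for a in re.findall(r"\(([^)]*)\)", dacl))
    return [(t, f, rights_mask(r), TRUSTEES.get(s, s)) for t, f, r, _, _, s in aces]

def template_entries(text):
    """Yield (object_path, sddl) for every "path",mode,"sddl" line of the INF."""
    for line in text.splitlines():
        if m := re.match(r'\s*"(.*?)",\d+,"(.*)"', line):
            yield m.groups()

def audit(text, trustee="Authenticated Users"):
    """Per object: the trustee's combined allow mask, plus WRITE_DAC/WRITE_OWNER flags."""
    report = {}
    for path, sddl in template_entries(text):
        mask = 0
        for ace_type, _, ace_mask, who in parse_dacl(sddl):
            if ace_type == "A" and who == trustee:
                mask |= ace_mask
        report[path] = {"mask": mask, "write_dac": bool(mask & WRITE_DAC),
                        "write_owner": bool(mask & WRITE_OWNER)}
    return report
```

For this template the report shows Authenticated Users with neither WRITE_DAC nor WRITE_OWNER on either object, while Administrators keep both through KA and FA.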

And finally, write a batch file to apply the settings from the newly created security configuration file:

ECHO y| SECEDIT.EXE /CONFIGURE /CFG myprog.inf /DB dummy.sdb /OVERWRITE /AREAS REGKEYS FILESTORE /LOG myprog.log /QUIET

 

Notes:
(1) There should be no space between the "y" and the pipe symbol.
(2) Though /DB dummy.sdb is mandatory, you can use any name you like for the .sdb file.
    The .sdb file doesn't have to exist if the /CFG switch is used; in that case it will be created.
    You do have to supply a valid path (or no path, in which case the current directory will be used).
(3) If you used spaces in any of these file names, you'll have to use the short file name and path (8.3 notation) on the command line.
    Double quotes are not allowed in SeCEdit commands.
(4) If you don't need to change registry permissions, you can remove the REGKEYS parameter from the /AREAS switch.
    Likewise, if you don't need to change file permissions, you can remove the FILESTORE parameter.
(5) During testing you may want to use the /VERBOSE switch instead of /QUIET.

To test the command, first write down the current permissions on the folder and the registry key. Then run the batch file and check whether the permissions were changed as planned.

Did I mention you need to have a verified full backup available before testing?
If you insist on taking unnecessary risks, the bare minimum is a System State backup.

page last uploaded: 4 October 2012, 10:37