switchport Security


Monday, December 24, 2007

Server Management in Windows.Server.2008 ServerCore - Part 4

Hmm, ever wondered which tool you can use to play around with the permissions on files and folders in Server Core?

What's in here?
-Discretionary Access Control: using iCacls

Discretionary Access Control: Using iCacls
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\>icacls

ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
store the acls for the all matching names into aclfile for
later use with /restore.
.
.
.
/setintegritylevel [(CI)(OI)]Level explicitly adds an integrity
ACE to all matching files. The level is to be specified as one
of:
L[ow]
M[edium]
H[igh]
Inheritance options for the integrity ACE may precede the level
and are applied only to directories.

/inheritance:e|d|r
e - enables inheritance
d - disables inheritance and copy the ACEs
r - remove all inherited ACEs

Note: Mark Minasi created a tool that can change the integrity level of files. Pretty cool, huh?

[Side_Note]
What's this Low Integrity Level?
Low integrity level works only on Windows Vista and Server 2008. You'll quickly notice this if you look at IE7's Security Tab for the Internet Zone - you'll see a checkbox referring to enabling Protected mode.

So what?

Any process or program that runs in the Internet Zone is under Low integrity level.

Ever heard of systems implemented with Bell-LaPadula? Microsoft took a different route for Vista and Server 2008.

All lower-level entities in the newer Windows OS have read-up and write-down permissions, including on the items they own. This means they can't write to or "take control of" items owned by entities at a higher level.
[/Side_Note]

Example: Save the permission entries of the folder Users, including all its files and subdirectories, to a file in the root of the drive named myAcl.txt.

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\>icacls c:\Users\* /save C:\myAcl.txt /T

Note: The output file ain't that friendly to read.

Example: Grant the Administrator Full Control over the folder con found in the root of the drive.

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\>icacls .\con\ /grant Administrator:(F)
processed file: .\con\
Successfully processed 1 files; Failed processing 0 files
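Putting the switches shown above together, here is a batch file for Server Core that backs up a folder's ACLs with /save before touching them, applies /inheritance, /grant and /setintegritylevel, checks the result with /verify, and rolls back with /restore if any step fails. This is an added example, not code from the original post; the folder C:\LowDrop (a drop folder that Low-integrity processes such as IE7 in Protected Mode are allowed to write into) and the backup file C:\aclbackup.txt are assumed placeholder paths. The SID S-1-5-32-545 is the well-known SID for BUILTIN\Users.

```batch
@echo off
rem Added example (not from the original post). Assumed paths: C:\LowDrop is the
rem folder being configured and C:\aclbackup.txt is where its ACLs are saved.
setlocal
set TARGET=C:\LowDrop
set BACKUP=C:\aclbackup.txt

rem 1. Save the current ACLs of every file and subfolder (/T), continuing past
rem    access-denied errors (/C) so one unreadable object does not abort the backup.
icacls "%TARGET%\*" /save "%BACKUP%" /T /C
if errorlevel 1 goto :fail

rem 2. Disable inheritance but keep explicit copies of the inherited ACEs (d),
rem    so later changes on the parent do not silently widen access to this folder.
icacls "%TARGET%" /inheritance:d
if errorlevel 1 goto :rollback

rem 3. Grant BUILTIN\Users (numeric SID, so it needs the leading *) Modify rather
rem    than Full Control, inherited by subfolders (CI) and files (OI).
icacls "%TARGET%" /grant *S-1-5-32-545:(OI)(CI)M
if errorlevel 1 goto :rollback

rem 4. Label the tree Low integrity so a Low-IL process can write here; the
rem    inheritance flags make new files and subfolders inherit the label.
icacls "%TARGET%" /setintegritylevel (OI)(CI)L
if errorlevel 1 goto :rollback

rem 5. Show the resulting ACL and check that no ACL in the tree is non-canonical.
icacls "%TARGET%"
icacls "%TARGET%\*" /verify /T /C
goto :eof

:rollback
echo Configuration failed, restoring ACLs from %BACKUP%
rem /restore takes the directory that the names saved by /save are relative to.
icacls "%TARGET%" /restore "%BACKUP%" /C
exit /b 1

:fail
echo Could not back up ACLs; no changes were made.
exit /b 1
```

Run it from an elevated prompt on the Server Core box. The /save step is the important defensive habit: the saved file is hard to read, as noted above, but it is exactly what /restore needs to put things back after a mistaken /grant or an integrity-level change that breaks an application.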

Pretty neat, wouldn't you say?

I'll write more on this one next time. Woohoo!


-Jaeson
