ACL tricks

Discussion in 'other anti-malware software' started by Gullible Jones, May 15, 2012.

Thread Status:
Not open for further replies.
  1. Everyone knows ACLs are very powerful, but I haven't seen much here about how to actually use them. So... What are some of the best ways to make use of them? What are the most useful ACL setups that you know of, in terms of enhancing Windows desktop security?

    Also - I've heard that ACLs can be used to make Win2k/XP's infamous "Protect My Computer" sandbox actually usable, by allowing sandboxed programs to write to selected folders. How is this done?

    (NB: if possible it would be preferable to indicate command line methods using cacls.exe, since Windows XP Home doesn't come with secpol or gpedit.)
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Access control list on integrity (high/medium/low) or user (execute, write, read, create, delete access)

    I realise that icacls.exe is not available on XP, but cacls.exe (http://www.techrepublic.com/article/use-caclsexe-to-view-and-manage-windows-acls/1050976) sort of does the same. On XP you have also got xcacls.exe to set ACLs based on user or user group: http://support.microsoft.com/kb/825751

    I am on Win7 so I use icacls (or better chml and regil) or right-click properties (security tab for access per user).

    In Windows 7, you can use Integrity levels to contain applications in LOW rights and Access Permissions to block execution (traverse folder/execute file) or write access. For instance your download folder (deny execute to prevent drive-bys), the folder containing your e-mails and mail attachments, the media libraries of your media player or shared P2P libraries.

    Download Process Monitor and FajoXPFSE (Fajo not needed for Vista and Windows7)
    http://technet.microsoft.com/en-us/sysinternals/bb896645 and http://www.fajo.de/main/en/software/fajo-xp-fse

    Step 1: run process monitor
    Now write down which folders and registry keys a specific program needs access to (only look at HKLM and Program Files).
    Allow access for the built-in group "Users" to those keys, but remember that at the same time you put a hole in your restricted/standard user setup. See pics in next post

    Regards
     
    Last edited: May 16, 2012
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Step 2: Setting access permissions to registry keys

    A. Run Regedit.exe
    B. Navigate to the key needing USER access permissions (in my example 7-zip)

    See picture
     

    Last edited: May 16, 2012
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Step 4: Same for folders

    A. Start Windows Explorer, navigate to the folder
    B. Change access permissions through right-click (in my example 7-zip), see pics (same procedure)
     

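The two changes described in the posts above (deny execute on the download folder, and the Step 1/Step 2/Step 4 "hole" that gives Users access to one program's key and folder) can be done from the command line instead of the GUI. The script below is an added example, not code from the thread or from any tool mentioned in it; it targets Windows 7 with an elevated PowerShell prompt. The 7-Zip key and folder names and the Downloads path are assumptions; take the real names from the Process Monitor trace first.

```powershell
# Added example (not from the thread): command-line version of the ACL
# changes discussed in the posts above. Run from an elevated PowerShell.
$ErrorActionPreference = 'Stop'

$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell.'
}

$users     = 'BUILTIN\Users'
$downloads = Join-Path $env:USERPROFILE 'Downloads'   # assumed location of the download folder
$appKey    = 'HKLM:\SOFTWARE\7-Zip'                   # assumed key name, check with Process Monitor
$appDir    = 'C:\Program Files\7-Zip'                 # assumed install folder

# --- 1. Deny execute/traverse for Users on the Downloads folder ---------
# (OI)(CI): the ACE is inherited by files and subfolders; (X): execute/traverse.
# A deny ACE is evaluated before allow ACEs, so starting an .exe from this
# folder fails even though Users keep read/write on it. Every interactive
# account is a member of BUILTIN\Users, so this also hits admin accounts.
# Undo with:  icacls $downloads /remove:d $users
icacls $downloads /deny "${users}:(OI)(CI)(X)"

# --- 2. Give Users modify rights on one program's key and folder --------
# This is the hole the post warns about: anything running as a standard
# user can now change this program's files and settings.
function Grant-UsersModify {
    param([string]$Path, [string]$Identity)

    $acl = Get-Acl -Path $Path          # throws if the key/folder does not exist
    if ($Path -match '^HK(LM|CU):') {
        # Registry: WriteKey covers SetValue and CreateSubKey;
        # ContainerInherit passes the ACE down to subkeys.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $Identity, 'ReadKey, WriteKey, Delete', 'ContainerInherit', 'None', 'Allow'
    } else {
        # File system: Modify = read/write/delete, inherited by files and subfolders.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    }
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Grant-UsersModify -Path $appKey -Identity $users
Grant-UsersModify -Path $appDir -Identity $users

# --- 3. Verify: list the ACEs that now apply to Users -------------------
foreach ($p in $downloads, $appKey, $appDir) {
    Write-Host "`n$p"
    (Get-Acl -Path $p).Access |
        Where-Object { $_.IdentityReference.Value -eq $users } |
        Format-Table AccessControlType, FileSystemRights, RegistryRights, IsInherited -AutoSize
}
```

The verification step at the end is the part worth keeping around: after any ACL change, reading the DACL back and checking that the deny ACE is present (and that no unintended allow ACE was added to a key outside the program's own) is the only way to know the change did what you meant. As the post says, take a restore point or image before running it.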

  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Of course the reverse can be done also.

    F.i. run Sysinternals Autoruns.

    Take away the create/write right of users for the HKCU entries mentioned in Autoruns; also include the empty ones (leave the HKLM entries untouched, they are protected by UAC on Vista and Windows 7).

    Now only admins can add silent auto runners :D in user space

    As always, create a restore point before changing anything, and have an image fallback ready.
    Do not play with this stuff without a tested and proven backup/recovery plan.
     
    Last edited: May 16, 2012
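The "reverse" change from this post, done on the command line: the per-user Run/RunOnce keys are switched to read-only for the user's own account, while Administrators and SYSTEM keep the Full Control they have on HKCU keys by default (copied from the inherited ACEs), so only an elevated process can still add a startup entry. This is an added example, not code from the thread or from Autoruns; the key list is an assumption, extend it with whatever HKCU locations Autoruns shows on your machine. Run it elevated, both to lock and to undo.

```powershell
# Added example (not from the thread): make the user's own Run/RunOnce keys
# read-only for the user so a non-elevated process cannot add autorunners.
$ErrorActionPreference = 'Stop'

# Assumed key list; add other HKCU keys that Autoruns reports.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name   # DOMAIN\user of the logged-on account

function Protect-UserRunKey {
    param([string]$Path, [string]$User, [switch]$Undo)

    # "Also include the empty ones": create a missing key so it can be locked too.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $acl = Get-Acl -Path $Path

    if ($Undo) {
        # Drop every explicit ACE we left behind and re-enable inheritance,
        # which brings the user's inherited Full Control back.
        foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
        $acl.SetAccessRuleProtection($false, $false)
    } else {
        # 1. Stop inheriting from HKCU but keep copies of the inherited ACEs;
        #    the copies are what keep Administrators and SYSTEM at Full Control.
        $acl.SetAccessRuleProtection($true, $true)
        # 2. Remove every Allow ACE for the user (RemoveAccessRuleAll ignores the
        #    rights given here and matches on identity and type only) ...
        $anyAllow = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $User, 'ReadKey', 'Allow'
        $acl.RemoveAccessRuleAll($anyAllow)
        # 3. ... and put back read-only access so the shell can still read the
        #    entries at logon. No deny ACE is used, so an elevated process of the
        #    same user (Administrators in its token) is not blocked.
        $readOnly = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $User, 'ReadKey', 'ContainerInherit', 'None', 'Allow'
        $acl.AddAccessRule($readOnly)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Verify: show who can do what on the key now.
    Write-Host "`n$Path"
    (Get-Acl -Path $Path).Access |
        Format-Table IdentityReference, AccessControlType, RegistryRights, IsInherited -AutoSize
}

foreach ($k in $runKeys) { Protect-UserRunKey -Path $k -User $me }
# Revert later (elevated) with:
#   foreach ($k in $runKeys) { Protect-UserRunKey -Path $k -User $me -Undo }
```

One caveat to keep in mind when judging what this buys you: the user remains the owner of keys in their own hive, and an object's owner always has permission to change its DACL, so a process running as the user could put the write right back before adding an entry. The change therefore stops programs that quietly register themselves at install time in user space, and makes such attempts visible as "access denied" in a Process Monitor trace, but it is not a hard boundary against code that knows to reset the ACL first; an administrator can close that by taking ownership of the keys for the Administrators group.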