ACL tricks

Everyone knows ACLs are very powerful, but I haven't seen much here about how to actually use them. So... What are some of the best ways to make use of them? What are the most useful ACL setups that you know of, in terms of enhancing Windows desktop security?

Also - I've heard that ACLs can be used to make Win2k/XP's infamous "Protect My Computer" sandbox actually usable, by allowing sandboxed programs to write to selected folders. How is this done?

(NB: if possible it would be preferable to indicate command line methods using cacls.exe, since Windows XP Home doesn't come with secpol or gpedit.)

 

Access controllist on integrity (high.medium.low) or user (execute write read create delete access)

I realise that icacls.exe is not avalable on XP, but cacls.exe (http://www.techrepublic.com/article/use-caclsexe-to-view-and-manage-windows-acls/1050976) sort of does the same. On Xp you have also got xcacls.exe to set ACL based on user or usergroup http://support.microsoft.com/kb/825751

I am on Win7 so using icacls (or better chml and regil) or right click properties (security tab for acces on user).

In Windows 7, you can use Intergrity levels to contain applications in LOW rights and Access Permissions to block execution (traverse folder/execute file) or write access. For instance your download folder (deny execute to prevent drive byes), folder containing your e-mails and mail attachements, the media libraries of your media player or shared P2P libraries.

Download Process Monitor and FajoXPFSE (Fajo not needed for Vista and Windows7)
http://technet.microsoft.com/en-us/sysinternals/bb896645 and http://www.fajo.de/main/en/software/fajo-xp-fse

Step 1: run process monitor
Now write down which folders and registry keys a specific program need access to (only look at HKLM and Program Files).
Allow access for build in group "Users" to those key, but remember at the same time you put a hole in your restricted/standard user setup. See pics in next post

Regards

 

Step 2: Setting access permissions to registry keys

A. Run Regedit.exe
B. Navigate to the key needing USER access permissions (in my example 7-zip)

See picture

 

Step 4: Same for folders

A. Start windows explorer, navigate to folder
B. Change access permission through right click (in my example 7-zip), see pics (same procedure)

 

Off course the reverse can be done also.

F.I. run sysinternals autoruns.

Takeaway create/write right of users for HKCU entries mentioned in autoruns, also include the empty ones (leave the HKLM entries untouched they are protected by UAC on Vista and Windows7).

Now only admins can add silent auto runners in user space

As allways create a restore point before changing anything, have an image fallback ready.
Do not play with this stuff without a tested and proven backup/recovery plan.