
Tux&Cía. Technical Blog, Santa Cruz de la Sierra, BO
May the source be with you!

Saturday, December 3, 2011

Ownership in Windows 2003, Part III

Q919240 - Icacls is available for Windows Server 2003 SP2
Q834721 - Permissions on Folder are incorrectly ordered
Q943043 - Icacls.exe does not support inheritance
Q245031 - Change Registry Permissions (RegIni)
Q220167 - Understanding Container Access Inheritance Flags
Permissions explained
ACL utils: SetACL or FileACL (free)
Equivalent bash command (Linux): chmod / chown - Change file permissions/owner and group
Source SteelWerx (sw)
Bobby Flekmann: Otherwise you can use a program I've written which is an adaptation of the XCACLS.vbs.
I've even made this particular problem easier by implementing a /RESET switch.
There is a lot of malicious software using the same name, swxcacls.exe (dangerous!)
Disable the script host in Windows!

This program is all about managing users' rights to files on a computer, so before we come to an explanation of the program itself, first a historical overview of user rights management.
Every Operating System has to have a way to keep unauthorized computer users out of files. The reason for this is simple: employees have no business with the company's books. A letter from your mom is still her letter, not yours, etc.
The question is: how does Windows do this? This depends on the version of Windows you are talking about. In Windows 95, 98 and Millennium Edition, user rights are a joke. They are non-existent. Programs themselves had to keep confidential information out of your eyes. They did this by changing attributes to make files hidden, or encrypting the contents, etc.
After the Operating Systems from these Win32 platforms came the network version of Windows, Windows NT. This had user management! To be able to use Windows NT you had to login, and a new filesystem (the internal layout of the hard disc) had been devised that supported permissions management. This filesystem, called NTFS (New Technology File System), was understood and supported by all Operating Systems based on Windows NT.
In Windows 2000 and Windows XP you have to log in to use the computer. This can still be as simple as clicking on a name in the Windows XP Welcome screen, but still... You are a user to the system. And this user has permissions to access files and folders. Based on who you are, certain parts of the Registry are read-only, or not visible at all. The same goes for many other parts of Windows: who you are determines whether you can stop and start a service, for example.
How does Windows keep track of the permissions? Now we come to a more difficult and abstract part. Even though all of the following still applies to all objects (Registry keys, files, folders, services, processes, etc.), I will only give examples with files and folders.
To understand how Windows keeps track of permissions, we have to clarify a few keywords in Rights management.
  • Windows created a few User groups when it got installed. These User groups are easy ways to fine-tune access rights. You can make it so that Administrators have full access, and the rest can only read the file. There are many pre-defined groups, but for us these are the most interesting: Administrators, Users, Power Users and Everyone. Everyone is part of at least one user group, namely Everyone. So, to take our previous example, if you are not part of the Administrators group, you can only read the file.
  • Every file is created sometime on the computer, ergo every file has a creator. The creator is the one that has ultimate access to the file. (S)He can decide who has access, and to what level. This person is known as the Owner of the object.
  • Permissions are actions you can do on an object, like read a file, stop a service, delete a Registry key. There are two types of permissions: the ones that are specific to the object, like stopping a service or writing a file, and the very generic rights. These generic rights are widely used because they use simple names, like Read or Execute, to refer to specific sets of permissions to the object.
    Whether you want to delete a file, a Registry key or a service, it is still deleting, right? Another thing to understand is that these generic rights can contain different specific rights, you cannot stop a Registry key, or enumerate subkeys on a service.
  • Almost every file is in a subfolder, so it stands to reason that every file in a folder has the same permissions as the folder, which is in turn in another folder, so it stands to reason it has the same permissions as that folder, which... You get the point. How do you do this? Beginning with Windows 2000 a new inheritance scheme was devised that automatically propagated all the rights from parents (the folder you are in) to the children (the files and folders in this folder). Before Windows 2000 though, every permission had to be copied down to every file and every folder under it. So if you changed one thing you ran the risk that it would not reach the bottom of the chain, making the permissions unstable.
  • Even though you are denied certain permissions, some user groups still have a possibility to do things to an object. Just think of Backup Operators: even though no one but you has access to your files, they can still make a backup of them. These extra rights are called privileges, and are mostly a nice addition to your possible actions. There will be more on privileges later.
  • And the last thing to get to know is the Security IDentifier, also known as the SID. A SID is a thing that identifies you uniquely on a system. To Windows you are not a user, you are just a number, and this number is the reason that you can have multiple users on a system with the same name. This is not smart, but it is possible! It is also the reason why people will get locked out of files if they delete an account and make a new one with the same name. They get a different SID. Another thing to remember is that there are these predefined groups I mentioned earlier; they also have predefined SIDs. This way a user can be a part of the Users group in English countries and be a part of Gebruikers in Dutch countries!
Now that we know the basics of permissions, we get down to the how... As I said I will be focusing on files and folders, so let's roll.
In Windows NT you can right-click on a file and choose "Properties"; this will open a new window with a few tabs, one being "Security".
Huh??? You did just that and you don't see the tab!!! No sweat, let me guess, you are running Windows XP and have Simple File Sharing on. You can check that in "Folder Options" and the tab "View". There is a checkbox checked next to "Use simple file sharing (recommended)". If you uncheck that and click on "Apply" you will see the "Security" tab. XP Pro gives you the choice of disabling this, but for Windows XP Home this is locked. By the way, you'll see this tab page when you are in Safe Mode on Windows XP.
Now that you have the tab open, you can see a list of users and groups, and the permissions belonging to them. These are the generic permissions I talked about earlier. If you click on "Advanced" you can see the specific rights on the Tab page "Permissions", the current owner on the "Owner" page and on the "Auditing" page the actions that will be logged.
You can change all that you want on these pages, even if you kick yourself out. As long as you are the Owner or have access to an account in the Administrators group you can reclaim Ownership and give yourself full control again.
Now that we know all this, we come to those computers that are still on Simple File Sharing. You are confronted with a stubborn file that you cannot do anything with, and want to change the permissions on it. You have several possibilities to do that. Windows NT comes with a program called CACLS that you can use to change the Access Control Lists with. But this program comes with a few nasty surprises. You cannot use this program to change Ownership, or give specific permissions. What is even worse is that, since it is a legacy program from Windows NT, it doesn't support the "new" inheritance possibilities introduced with Windows 2000. See the part about inheritance earlier in this tutorial.
There is also a program called XCACLS, a Microsoft program you can download which lets you change Ownership and specific permissions, but it still suffers from the problem with inheritance. This program is also available as a Visual Basic script, but it is no better.
Also there is a program called SUBINACL that can do the job, but that doesn't even speak of inheritance so I wouldn't trust it not to mess up the inheritance of files and folders.

Now we get to the main program, SWXCACLS. This is a recoding of the SWXCACLS Vbscript I mentioned earlier, though I added a few more options and changed some others. I will show the differences in bold.
First an explanation of the commandline:
SWXCACLS filename [/P | /E] [[/G user:GUI;Spec/Inh] [/GX:GUI;Spec/Inh] [...]]
   [[/D user:GUI;Spec/Inh] [/DX:GUI;Spec/Inh] [...]]
   [[/R user] [/RX] [...]] [/I ENABLE|COPY|REMOVE]
   [/SPEC A|B|C|D|E|F|G] [/S] [/L filename] [/Q]
filename [Required] If used alone, it displays ACLs. Otherwise the given actions will be executed on the file. If you don't give a complete path I expect the file to be in the current directory. Put the filename in double quotes if it contains spaces or special characters such as &, $, #, etc.
If filename is a directory, the given actions will be executed only on the directory, not on the files and subdirectories in the directory. Use /I or /SPEC to tell the program what to do with these.
Wildcards can be used to specify more than one file in a command. The possible wildcards are:
  • * - Any string of zero or more characters
  • ? - Any single character
Note: To use commands on all files (*.*), set the permissions on the folder instead of on all the files.
/P  Replaces permissions. New permissions will be as specified in /G and /D statements.
/E  Edits the Access Control List instead of replacing it.
/G User:GUI;Spec/Inh and /GX:GUI;Spec/Inh  These grant the specified User or Group the given access rights. Unless /P is in the command line, this will never touch the rights of other users.
User If User has spaces in it, surround it in quotes.
User can be a string representing the actual SID, but MUST be led by SID#

Example: SID#S-1-5-21-2127521184-160...
  (SID string shown has been shortened)
  (If any user has SID# then globally all matches must match the SID (not the name), so if your intention is to apply changes to all accounts that match User then do not specify SID# as one of the users)
GUI Is for standard rights and can be:
  • F - Full control
  • M - Modify
  • X - read & eXecute
  • L - List folder contents
  • R - Read
  • W - Write
Spec Is for specific rights and can be:
  • E - Synchronize
  • D - Take Ownership
  • C - Change Permissions
  • B - Read Permissions
  • A - Delete
  • 9 - Write Attributes
  • 8 - Read Attributes
  • 7 - Delete Subfolders and Files
  • 6 - Traverse Folder / Execute File
  • 5 - Write Extended Attributes
  • 4 - Read Extended Attributes
  • 3 - Create Folders / Append Data
  • 2 - Create Files / Write Data
  • 1 - List Folder / Read Data
Inh Inheritance override. For possible choices see /SPEC switch.

This is new in comparison to the script. The original script only gave you the opportunity to state an inheritance scheme that would be applied to everyone. This way you can give someone a different inheritance scheme from the rest.
/GX:GUI;Spec/Inh  You can define permissions for predefined groups by using the X variants of the switches. The following switches have been defined:
  • A - Administrators
  • U - (Limited) Users
  • G - Guests
  • O - Owner
  • P - (Power) Users
  • S - Local System
  • E - Everyone
  • M - Current User
  The possible parameters for GUI, Spec and Inh are explained by /G.
/D User:GUI;Spec/Inh and /DX:GUI;Spec/Inh  Deny the given user access.
/R User and /RX   Revoke the specified user's access rights. This will remove any Allowed or Denied ACLs for the user.
/I Switch  Inheritance flag, if omitted default is to not touch Inherited ACLs. Switch can be:
  • ENABLE - This will turn on the Inheritance Flag if it's not on already. The net result is that Inherited ACLs become active on the file/folder
  • COPY - This will turn off the Inheritance flag and copy the Inherited ACLs into Effective ACLs
  • REMOVE - This will turn off the Inheritance flag and will not copy the Inherited ACLs, this is the opposite of ENABLE
If switch is not present, /I will be ignored and Inherited ACLs will remain untouched.
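As an added illustration (not part of the original article or of SWXCACLS itself), the following Python model reproduces the behaviours described in the keyword list above and in the /I switch: ACEs bind to SIDs rather than account names, inherited ACEs flow from parent to child, /I COPY freezes them as explicit ACEs while /I REMOVE drops them, and a deny ACE ordered before an allow wins. The rights bits, the Ace/Obj classes and the S-1-5-21-... account SIDs are constructed for this example; S-1-5-32-544 and S-1-5-32-545 are the real well-known SIDs of the built-in Administrators and Users groups.

```python
from dataclasses import dataclass

READ, WRITE, FULL = 0b001, 0b010, 0b111             # toy generic rights as bit masks
ADMINS, USERS = "S-1-5-32-544", "S-1-5-32-545"      # well-known SIDs: BUILTIN\Administrators, BUILTIN\Users
ALICE_OLD, ALICE_NEW = "S-1-5-21-0-0-0-1001", "S-1-5-21-0-0-0-1002"  # constructed account SIDs

@dataclass
class Ace:                  # one access control entry; it names a SID, never an account name
    sid: str
    rights: int
    deny: bool = False
    inherited: bool = False

class Obj:                  # a file or folder: its explicit ACEs plus the inheritance flag that /I toggles
    def __init__(self, explicit=(), parent=None):
        self.explicit, self.parent, self.inherit_enabled = list(explicit), parent, True

def effective_acl(obj):
    # explicit ACEs, then the parent's effective ACEs (marked inherited) while the flag is on
    acl = list(obj.explicit)
    if obj.inherit_enabled and obj.parent is not None:
        acl += [Ace(a.sid, a.rights, a.deny, True) for a in effective_acl(obj.parent)]
    return acl

def check(obj, sids, want):
    # canonical order (explicit deny, explicit allow, inherited deny, inherited allow): a deny covering a
    # still-missing bit wins, allows accumulate until every requested bit is granted
    granted = 0
    for a in sorted((a for a in effective_acl(obj) if a.sid in sids), key=lambda a: (a.inherited, not a.deny)):
        if a.deny and a.rights & want & ~granted:
            return False
        granted |= 0 if a.deny else a.rights & want
        if granted == want:
            return True
    return granted == want

def set_inheritance(obj, mode):
    # /I ENABLE turns the flag on; COPY first freezes inherited ACEs as explicit ones; REMOVE just drops them
    if mode == "COPY":
        obj.explicit += [Ace(a.sid, a.rights, a.deny) for a in effective_acl(obj) if a.inherited]
    obj.inherit_enabled = mode == "ENABLE"

def demo():
    root = Obj([Ace(ADMINS, FULL), Ace(ALICE_OLD, READ), Ace(USERS, WRITE, deny=True)])
    kept, cut = Obj(parent=root), Obj(parent=root)
    set_inheritance(kept, "COPY")      # inheritance off, but the ACEs survive as explicit ones
    set_inheritance(cut, "REMOVE")     # inheritance off and nothing copied: an empty ACL
    return {"kept_read": check(kept, {ALICE_OLD, USERS}, READ),  # True: the copied ACE still grants Read
            "cut_admin": check(cut, {ADMINS}, FULL),             # False: an empty ACL locks out Administrators too
            "deny_wins": check(kept, {ADMINS, USERS}, WRITE),    # False: the deny ACE is ordered before the allow
            "new_sid": check(root, {ALICE_NEW, USERS}, READ)}    # False: a recreated account has a new SID
```

The "cut_admin" case is the situation the article describes as kicking yourself out: once the inherited ACEs are gone, only taking ownership (/O, /OA) or /RESET gets an administrator back in.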
/RESET [Switch]   Resets all permissions to given ones. Use this sparingly because this switch will keep everyone out if /G and /D switches are specified that way! Owner will be reset to Administrators group, so it is possible for members of that Group to re-evaluate permissions.
Owner will also receive Full Access permissions, other permissions should be specified in GRANT/DENY statements.
Switch can be the same as with /I. This switch is only used on the root folder. Default of switch is ENABLE
This command can only be used on folders. To change permissions on files use GRANT/DENY statements.
/SPEC Switch  Special permission for folder and subfolders only. If this switch is used, and the object is a folder, then one of the switches below would be used instead of the default.
  • A - This Folder Only
  • B - This Folder, Subfolders and Files (Default)
  • C - This Folder and Subfolders
  • D - This Folder and Files
  • E - Subfolders and Files Only
  • F - Subfolders Only
  • G - Files Only
/S  Execute on subfolders and files as well. This switch only works with wildcards.
/L [Filename]  Filename for logging. This can include a path name if the file isn't under the current directory. File will be appended to, or created if it doesn't exist. Must be Text file if it exists or an error will occur.
If filename is omitted the default name of SWXCACLS.log will be used.
/Q  Turn on Quiet mode, it's off by default. If it's turned on, there will be no display to the screen.
/O User  Change the Ownership to this user or group.
/OA  Change the Ownership to the Administrators group.
/OM  Change the Ownership to the Current User.
/VERBOSE  Display everything there is to know inside the Security Descriptor. Information will be presented using symbols from the Windows Software Development Kit.
You can specify more than one user in a command.
You can combine access rights.
Updated (14 april 2007 v.): Changed the /RESET command a bit, as it was possible to use it with a filename.
Updated (26 november 2006): Got rid of an Access Violation that occurred when, for some reason, the system could not open the file/folder you asked about.
Now that you've read about the pitfalls and possibilities of this program, click the download link to download the program.
Commandline utilities
   SWReg - freeware implementation of Microsoft's reg.exe
   SWSC - freeware implementation of Microsoft's sc.exe
   SWWhoAmI - Windows version of the network command
   SWXCACLS.exe - a binary implementation of XCACLS.vbs (download the program)
