Bernie,
Thanks muchly for the warning!
JimB.

Me; I'm preparing for a weekend session updating a number of PCs that do not (normally) have internet access. Last time I did this it was a case of at least 6 reboots for each. While I'd like to apply fixes from CD locally, the systems are so varied that it's safer and easier to shift the PCs to where I have access to a broadband connection and let MS Windows-Update, and Norton Live Update etc. schedule the stuff with acceptable grouping, and in the right order. (Main reason being that the WMF thing has actually scared the management into updating the systems protection.)

And I'm staying well away from CACLS, wouldn't want to risk bird flu

----- Original Message -----
From: "Bernie Cosell" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, January 12, 2006 8:43 PM
Subject: The dangers of messing with ACLs

> I've been fiddling with my XP/Home system to see if I can do some/all of
> the security hacks with it that I have done on my two XP/Pro systems.
> I've been using the CACLS command and it seems to do OK [and is a LOT
> less hassle than booting to SAFE mode].
>
> I tried playing with "dropmyrights" and it didn't do much: a tiny bit of
> investigation revealed that my laptop was set up with c: having an ACL of
> "Everybody:F" and so even with dropped rights I could mess with C:\. Not
> good. So I did what I thought would be simple: cacls of everything on
> c:\ to "Everybody:R". BAD idea.
>
> Problem is that I have too many old Unix reflexes [and Unix has a truly
> *AWFUL* protection/security] and so Administrators are actually subject
> to the same ACL rules as mere mortals [who'd'a'thunk it! - on Unix,
> administrators [=root] have no such restrictions]. So what I discovered
> is that I could hardly do anything even from my admin account [indeed,
> even from my administrator account in SAFE mode]!!
>
> And it was hard to fix: with everybody:R set, the ONLY account that can
> change ACLs for an object is the *OWNER* of the object. So I needed to
> go through all of c: and change what I could [as admin/administrator/both
> of the two user accts -- amusingly, with Everybody:R even admin can't
> mess with files on my limited account!]. Some of the files were owned by
> a strange internal-system owner [something with {}'s] -- I think that was
> stuff that Compaq pre-loaded onto the system. For those, I had to, one
> by one, change the owner to administrator and THEN I could put the
> protections back.
>
> So the conclusion of this odd morality tale is that before I try this
> again, I need to remember to do a cacls /P Administrators:F *before* I
> once-again change the everybody entry to R. SIGH!!!
>
> This little escapade has raised some questions:
>
> 1) How can I create a new group in XP/Home? It won't allow the mmc
> snapin for local group management... is there some command-line thing I
> can do to create a new group?
>
> 2) How can I undo the 'inherit from your parent'? Someone mentioned that
> it was on the 'advanced' tab in the permissions. I'd be happy to do it
> via cacls, but I don't really understand how the CI/OI/IO settings work.
>
> THANKS!!
> /Bernie\
>
> --
> Bernie Cosell                     Fantasy Farm Fibers
> mailto:[EMAIL PROTECTED]     Pearisburg, VA
>     -->  Too many people, too few sheep  <--
>
> --
> ----------------------------------------
> WIN-HOME Archives: http://PEACH.EASE.LSOFT.COM/archives/WIN-HOME.html
> Contact the List Owner about anything: [EMAIL PROTECTED]
> Official Win-Home List Members Profiles Page
> http://www.besteffort.com/winhome/Profiles.html
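
As an added illustration (not part of either message above), this Python sketch models the lockout described in the quoted post: a simplified allow-only access check in which the object's owner can always rewrite the ACL and members of Administrators can take ownership. The account names, the single-letter rights and the use of the built-in Everyone group for the post's "Everybody" are assumptions of the model, not real Windows API calls.

```python
# Simplified model of an NTFS access check: allow ACEs only, no inheritance.
# Rights (constructed for this sketch): R=read, W=write, D=change the ACL.
FULL = frozenset("RWD")
READ = frozenset("R")

class Obj:
    def __init__(self, owner, dacl):
        self.owner = owner        # account that owns the object
        self.dacl = dict(dacl)    # trustee name -> set of rights

def granted(obj, user, groups):
    """Rights `user` (a member of `groups`) gets from the ACL plus ownership."""
    rights = set()
    for trustee, ace in obj.dacl.items():
        if trustee == user or trustee in groups:
            rights |= ace         # admins get nothing extra unless an ACE names them
    if obj.owner == user:
        rights.add("D")           # the owner may always rewrite the ACL
    return rights

def set_dacl(obj, user, groups, new_dacl):
    if "D" not in granted(obj, user, groups):
        raise PermissionError(f"{user} may not change this ACL")
    obj.dacl = dict(new_dacl)

def take_ownership(obj, user, groups):
    # Assumption: Administrators hold the take-ownership privilege, which
    # is checked instead of the ACL.
    if "Administrators" not in groups:
        raise PermissionError(f"{user} may not take ownership")
    obj.owner = user

ADMIN = ("admin", {"Administrators", "Everyone"})   # hypothetical accounts
LIMITED = ("bernie", {"Everyone"})

def lockout_scenario():
    f = Obj("bernie", {"Everyone": FULL})            # the "Everybody:F" start
    set_dacl(f, *ADMIN, {"Everyone": READ})          # replace ACL with R only
    admin_rights = granted(f, *ADMIN)
    try:
        set_dacl(f, *ADMIN, {"Everyone": FULL})
        blocked = False
    except PermissionError:
        blocked = True                               # admin is not the owner
    owner_can_fix = "D" in granted(f, *LIMITED)
    take_ownership(f, *ADMIN)                        # the recovery in the post
    set_dacl(f, *ADMIN, {"Administrators": FULL, "Everyone": READ})
    return admin_rights, blocked, owner_can_fix, granted(f, *ADMIN)

def safe_order():
    f = Obj("bernie", {"Everyone": FULL})
    set_dacl(f, *ADMIN, {"Administrators": FULL, "Everyone": FULL})  # grant first
    set_dacl(f, *ADMIN, {"Administrators": FULL, "Everyone": READ})  # then restrict
    return granted(f, *ADMIN), granted(f, *LIMITED)
```

In `safe_order` the limited owner still keeps the ability to change the ACL, because ownership, not the Everyone entry, grants it.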
