; * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ; ; File System ACL definition file ; ; Use this file to set the ACL's on files and directories to the desired ; security. The format of each entry is: ; ; [DirPath] ; Domain\Account = [Predefined Access | FileAccessString [, DirAccessString]] ; ; [FilePath] ; Domain\Account = [Predefined Access | FileAccessString] ; ; where: ; ; FilePath is the path of the file or directory to set. This is in the ; format of a file path name. The file path may contain environment ; variables (such as %systemroot%) which will be expanded on the ; system running tha application. ; ; the last item in the FilePath string may be a directory, file, ; wildcard file or an exclamation ("!"). In the case of an exclamation ; all files and sub-directories of the preceeding path will be set ; to the specified security. ; ; for example: ; ; [%systemroot%\system32\!] ; ; would assign the security description of that section ; to all files and sub-directories UNDER the ; %systemroot\system32 directory as well as to the ; %systemroot\system32 directory itself. To assign ; security to just the files in that directory , ; an entry such as the following would be needed: ; ; [%systemroot%\system32\*.*] ; ; ; Domain\Account ; specifies the account to recieve the specified access for that ; file. Account may be an account or a group. For Example to give ; permissions to all administrator accounts, the: ; ; BUILTIN\Administrators ; ; would be the correct entry. ; ; access string is defined as one of the following: ; ; a combination of access chars ; ; access ; char File Access Dir Access ; ---- ---------------- ---------------- ; R = Read Data List Directory ; W = Write Data Add File ; X = Execute File Traverse Directory ; D = Delete Delete ; P = Change Perms Change Perms ; O = Take Ownership Take Ownership ; ; e.g. SYSTEM = RWXD ; ; ; there are also some predefined combination access keys: ; ; NONE = no access ; ALL = RWXDPO ; ; Standard Directory & File access references are: ; ; Access Access Granted ; Name (Dir)(File) ; ----------- ------------------ ; FullControl = (ALL)(ALL) ; Change = (RWXD)(RWXD) ; AddRead = (RWX)(RX) ; Read = (RX)(RX) ; Add = (WX)(none specified) ; List = (RX)(none specified) ; NoAccess = (NONE)(NONE) ; ; ; * * * * * * * * * * * * N O T E * * * * * * * * * * * * * * * * * ; ; For correct application of the access control, the more restrictive ; access entries must be placed ahead of (on top of) the more permissive ; access. The correct "sort" order would be: ; ; NoAccess, List, Add, Read, AddRead, Change, FullControl ; ; ; * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ; ; NOTE: the security items are applied from the top of the file to the ; bottom. Because of that, top level directory entries with more re- ; strictive security should be at the top of the file and less restric- ; tive entries to specific users and/or specific files should be listed ; next. ; ; * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ; remove access for Everyone for whole drive [%SystemDrive%\!] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\] BUILTIN\Users = List ;Anonymous = List BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\*.*] BUILTIN\Users = R ;Anonymous = R BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\IO.SYS] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\MSDOS.SYS] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\BOOT.INI] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\NTDETECT.COM] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\NTLDR.] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\AUTOEXEC.BAT] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\CONFIG.SYS] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\TEMP\!] BUILTIN\Users = RWX ;Anonymous = RWX CREATOR OWNER= RWXD, RWD BUILTIN\Administrators = FullControl SYSTEM = FullControl ;[%SystemDrive%\USERS\!] ;BUILTIN\Users = R ;Anonymous = R ;CREATOR OWNER= RWXD, RWD ;BUILTIN\Administrators = FullControl ;SYSTEM = FullControl ;[%SystemDrive%\USERS\DEFAULT\!] ;BUILTIN\Users = RWD, RWD ;Anonymous = RWD, RWD ;CREATOR OWNER= RWXD, RWD ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl ;[%SystemDrive%\WIN32APP\!] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl [%SystemRoot%\!] BUILTIN\Users = R ;Anonymous = R BUILTIN\Administrators = FullControl SYSTEM = FullControl ;cannot deny users since it breaks WIN16 apps ;[%SystemRoot%] ;BUILTIN\Administrators = FullControl ;SYSTEM = FullControl [%SystemRoot%\*.*] BUILTIN\Users = R ;Anonymous = R BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\*.INI] BUILTIN\Users = READ ;Anonymous = READ BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\EXPLORER.EXE] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\HELP\] BUILTIN\Users = Change ;Anonymous = Change BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\REPAIR\!] BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM\*.*] BUILTIN\Users = R ;Anonymous = R BUILTIN\Administrators = FullControl SYSTEM = FullControl ;[%SystemRoot%\SYSTEM\*.exe] ;BUILTIN\Administrators = FullControl ;SYSTEM = FullControl [%SystemRoot%\SYSTEM32\*.*] BUILTIN\Users = R ;Anonymous = R BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\*.dll] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\*.drv] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\*.exe] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\AUTOEXEC.NT] BUILTIN\Users = READ ;Anonymous = READ BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\CMOS.RAM] BUILTIN\Users = R W ;Anonymous = R W BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\CONFIG] BUILTIN\Administrators = FullControl BUILTIN\Users = List ;Anonymous = List SYSTEM = FullControl [%SystemRoot%\SYSTEM32\CONFIG\*.*] BUILTIN\Administrators = FullControl SYSTEM = Fullontrol [%SystemRoot%\SYSTEM32\DHCP\!] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\DRIVERS\!] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\OS2\!] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\RAS] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\RAS\*.*] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REPL\!] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REPL\EXPORT] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REPL\EXPORT\*.*] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REPL\EXPORT\SCRIPTS] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REPL\EXPORT\SCRIPTS\*.*] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REPL\IMPORT] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REPL\IMPORT\*.*] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REPL\IMPORT\SCRIPTS] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REPL\IMPORT\SCRIPTS\*.*] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\SPOOL\!] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\WINS\!] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\*.exe] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\APPEND.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\arevfix.com ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\CALC.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\CHCP.COM ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\CHGCDM.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\CLOCK.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\COMMAND.COM ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\doskbd.exe ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\DOSKEY.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\DOSX.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\FREECELL.EXE] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\GDI.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\HELP.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\KB16.COM ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl ;[%SystemRoot%\SYSTEM32\KBDSEL.EXE ] ;BUILTIN\Users = Read ;Anonymous = Read ;BUILTIN\Administrators = FullControl ;SYSTEM = FullControl [%SystemRoot%\SYSTEM32\KEYB.COM ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\KRNL386.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\LOADFIX.COM ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\logoff.exe ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\MORE.COM ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\MSCDEXNT.EXE] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\NLSFUNC.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\NTVDM.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\NW16.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\PBRUSH.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REDIR.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\SHARE.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\SOL.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\SORT.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\USER.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\USERINIT.EXE] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\VWIPXSPX.EXE] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\wfshell.exe ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\WIN.COM ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\winhlp32.exe] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\WINMINE.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\WOWEXEC.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\SYSTRAY.EXE ] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl