; * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ; ; File System ACL definition file ; ; Use this file to set the ACL's on files and directories to the desired ; security. The format of each entry is: ; ; [DirPath] ; Domain\Account = [Predefined Access | FileAccessString [, DirAccessString]] ; ; [FilePath] ; Domain\Account = [Predefined Access | FileAccessString] ; ; where: ; ; FilePath is the path of the file or directory to set. This is in the ; format of a file path name. The file path may contain environment ; variables (such as %systemroot%) which will be expanded on the ; system running tha application. ; ; the last item in the FilePath string may be a directory, file, ; wildcard file or an exclamation ("!"). In the case of an exclamation ; all files and sub-directories of the preceeding path will be set ; to the specified security. ; ; for example: ; ; [%systemroot%\system32\!] ; ; would assign the security description of that section ; to all files and sub-directories UNDER the ; %systemroot\system32 directory as well as to the ; %systemroot\system32 directory itself. To assign ; security to just the files in that directory , ; an entry such as the following would be needed: ; ; [%systemroot%\system32\*.*] ; ; ; Domain\Account ; specifies the account to recieve the specified access for that ; file. Account may be an account or a group. For Example to give ; permissions to all administrator accounts, the: ; ; BUILTIN\Administrators ; ; would be the correct entry. ; ; access string is defined as one of the following: ; ; a combination of access chars ; ; access ; char File Access Dir Access ; ---- ---------------- ---------------- ; R = Read Data List Directory ; W = Write Data Add File ; X = Execute File Traverse Directory ; D = Delete Delete ; P = Change Perms Change Perms ; O = Take Ownership Take Ownership ; ; e.g. SYSTEM = RWXD ; ; ; there are also some predefined combination access keys: ; ; NONE = no access ; ALL = RWXDPO ; ; Standard Directory & File access references are: ; ; Access Access Granted ; Name (Dir)(File) ; ----------- ------------------ ; FullControl = (ALL)(ALL) ; Change = (RWXD)(RWXD) ; AddRead = (RWX)(RX) ; Read = (RX)(RX) ; Add = (WX)(none specified) ; List = (RX)(none specified) ; NoAccess = (NONE)(NONE) ; ; ; * * * * * * * * * * * * N O T E * * * * * * * * * * * * * * * * * ; ; For correct application of the access control, the more restrictive ; access entries must be placed ahead of (on top of) the more permissive ; access. The correct "sort" order would be: ; ; NoAccess, List, Add, Read, AddRead, Change, FullControl ; ; ; * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ; ; NOTE: the security items are applied from the top of the file to the ; bottom. Because of that, top level directory entries with more re- ; strictive security should be at the top of the file and less restric- ; tive entries to specific users and/or specific files should be listed ; next. ; ; * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * [%SystemDrive%\] Everyone = RWX BUILTIN\Administrators = FullControl CREATOR OWNER = FullControl SYSTEM = FullControl [%SystemDrive%\*.*] Everyone = RWX [%SystemDrive%\IO.SYS] Everyone = Change BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\MSDOS.SYS] Everyone = Change BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\BOOT.INI] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\NTDETECT.COM] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\NTLDR.] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\AUTOEXEC.BAT] Everyone = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\CONFIG.SYS] Everyone = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\TEMP\!] Everyone = Change BUILTIN\Administrators = FullControl CREATOR OWNER = FullControl SYSTEM = FullControl ;[%SystemDrive%\USERS\!] ;Everyone = List ;BUILTIN\Administrators = FullControl ;SYSTEM = FullControl ;[%SystemDrive%\USERS\DEFAULT\!] ;Everyone = RWX ;CREATOR OWNER = FullControl ;SYSTEM = FullControl ;[%SystemDrive%\WIN32APP\!] ;Everyone = Read ;BUILTIN\Administrators = FullControl ;CREATOR OWNER = FullControl ;SYSTEM = FullControl ;[%SystemDrive%\Profiles\!] ;Everyone = RWX,R ;BUILTIN\Administrators = FullControl ;CREATOR OWNER = RX,RW ;SYSTEM = FullControl [%SystemRoot%\!] Everyone = Change BUILTIN\Administrators = FullControl CREATOR OWNER = FullControl SYSTEM = FullControl [%SystemRoot%\*.*] Everyone = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\*.INI] Everyone = Change BUILTIN\Administrators = FullControl SYSTEM = FullControl ;[%SystemRoot%\LOCALMON.DLL] ;Everyone = Read ;BUILTIN\Power Users = Change ;BUILTIN\Administrators = FullControl ;SYSTEM = FullControl ;[%SystemRoot%\PRINTMAN.HLP] ;Everyone = Read ;BUILTIN\Power Users = Change ;BUILTIN\Administrators = FullControl ;SYSTEM = FullControl [%SystemRoot%\REPAIR\!] BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM\*.*] Everyone = Read BUILTIN\Administrators = FullControl CREATOR OWNER = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\*.*] Everyone = Read BUILTIN\Administrators = FullControl CREATOR OWNER = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\AUTOEXEC.NT] Everyone = Change BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\CMOS.RAM] Everyone = Change BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\CONFIG.NT] Everyone = Change BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\MIDIMAP.CFG] Everyone = Change BUILTIN\Administrators = FullControl SYSTEM = FullControl ;[%SystemRoot%\SYSTEM32\PASSPORT.MID] ;Everyone = FullControl [%SystemRoot%\SYSTEM32\CONFIG] BUILTIN\Administrators = FullControl CREATOR OWNER = FullControl Everyone = List SYSTEM = FullControl [%SystemRoot%\SYSTEM32\CONFIG\*.*] Everyone = List BUILTIN\Administrators = FullControl CREATOR OWNER = FullControl SYSTEM = Fullontrol [%SystemRoot%\SYSTEM32\CONFIG\DEFAULT.LOG] Everyone = FullControl [%SystemRoot%\SYSTEM32\CONFIG\SAM.] Everyone = FullControl [%SystemRoot%\SYSTEM32\CONFIG\SAM.LOG] Everyone = FullControl [%SystemRoot%\SYSTEM32\CONFIG\SECURITY.] Everyone = FullControl [%SystemRoot%\SYSTEM32\CONFIG\SECURITY.LOG] Everyone = FullControl [%SystemRoot%\SYSTEM32\CONFIG\SYSTEM.] Everyone = FullControl [%SystemRoot%\SYSTEM32\CONFIG\SYSTEM.ALT] Everyone = FullControl [%SystemRoot%\SYSTEM32\CONFIG\SYSTEM.LOG] Everyone = FullControl ;[%SystemRoot%\SYSTEM32\CONFIG\USERDEF.] ;Everyone = Read ;SYSTEM = Change ;BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\DHCP\!] Everyone = Read BUILTIN\Power Users = Change BUILTIN\Administrators = FullControl CREATOR OWNER = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\DRIVERS\!] Everyone = Read BUILTIN\Administrators = FullControl CREATOR OWNER = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\OS2\OSO001.009] Everyone = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\OS2\DLL\DOSCALLS.DLL] Everyone = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\OS2\DLL\NETAPI.DLL] Everyone = FullControl [%SystemRoot%\SYSTEM32\RAS] Everyone = Read BUILTIN\Power Users = Change BUILTIN\Administrators = FullControl CREATOR OWNER = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\RAS\*.*] Everyone = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REPL\!] Everyone = Read BUILTIN\Administrators = FullControl CREATOR OWNER = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REPL\EXPORT] Everyone = Change BUILTIN\Administrators = FullControl CREATOR OWNER = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REPL\EXPORT\*.*] CREATOR OWNER = FullControl BUILTIN\Administrators = FullControl Everyone = Change SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REPL\EXPORT\SCRIPTS] Everyone = Read BUILTIN\Replicator = Change BUILTIN\Administrators = FullControl CREATOR OWNER = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REPL\EXPORT\SCRIPTS\*.*] Everyone = Read BUILTIN\Replicator = Change BUILTIN\Administrators = FullControl CREATOR OWNER = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REPL\IMPORT] Everyone = Change BUILTIN\Administrators = FullControl CREATOR OWNER = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REPL\IMPORT\*.*] Everyone = Change BUILTIN\Administrators = FullControl CREATOR OWNER = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REPL\IMPORT\SCRIPTS] Everyone = Read BUILTIN\Replicator = Change BUILTIN\Administrators = FullControl CREATOR OWNER = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REPL\IMPORT\SCRIPTS\*.*] Everyone = Read BUILTIN\Replicator = Change BUILTIN\Administrators = FullControl CREATOR OWNER = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\SPOOL\!] Everyone = Read BUILTIN\Power Users = Change BUILTIN\Administrators = FullControl CREATOR OWNER = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\SPOOL\DRIVERS\W32X86\1] Everyone = FullControl [%SystemRoot%\SYSTEM32\SPOOL\PRTPROCS\W32X86\WINPRINT.DLL] Everyone = Read BUILTIN\Power Users = Change BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\WINS\!] Everyone = FullControl