; * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ; ; File System ACL definition file ; ; Use this file to set the ACL's on files and directories to the desired ; security. The format of each entry is: ; ; [DirPath] ; Domain\Account = [Predefined Access | FileAccessString [, DirAccessString]] ; ; [FilePath] ; Domain\Account = [Predefined Access | FileAccessString] ; ; where: ; ; FilePath is the path of the file or directory to set. This is in the ; format of a file path name. The file path may contain environment ; variables (such as %systemroot%) which will be expanded on the ; system running tha application. ; ; the last item in the FilePath string may be a directory, file, ; wildcard file or an exclamation ("!"). In the case of an exclamation ; all files and sub-directories of the preceeding path will be set ; to the specified security. ; ; for example: ; ; [%systemroot%\system32\!] ; ; would assign the security description of that section ; to all files and sub-directories UNDER the ; %systemroot\system32 directory as well as to the ; %systemroot\system32 directory itself. To assign ; security to just the files in that directory , ; an entry such as the following would be needed: ; ; [%systemroot%\system32\*.*] ; ; ; Domain\Account ; specifies the account to recieve the specified access for that ; file. Account may be an account or a group. For Example to give ; permissions to all administrator accounts, the: ; ; BUILTIN\Administrators ; ; would be the correct entry. ; ; access string is defined as one of the following: ; ; a combination of access chars ; ; access ; char File Access Dir Access ; ---- ---------------- ---------------- ; R = Read Data List Directory ; W = Write Data Add File ; X = Execute File Traverse Directory ; D = Delete Delete ; P = Change Perms Change Perms ; O = Take Ownership Take Ownership ; ; e.g. SYSTEM = RWXD ; ; ; there are also some predefined combination access keys: ; ; NONE = no access ; ALL = RWXDPO ; ; Standard Directory & File access references are: ; ; Access Access Granted ; Name (Dir)(File) ; ----------- ------------------ ; FullControl = (ALL)(ALL) ; Change = (RWXD)(RWXD) ; AddRead = (RWX)(RX) ; Read = (RX)(RX) ; Add = (WX)(none specified) ; List = (RX)(none specified) ; NoAccess = (NONE)(NONE) ; ; ; * * * * * * * * * * * * N O T E * * * * * * * * * * * * * * * * * ; ; For correct application of the access control, the more restrictive ; access entries must be placed ahead of (on top of) the more permissive ; access. The correct "sort" order would be: ; ; NoAccess, List, Add, Read, AddRead, Change, FullControl ; ; ; * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ; ; NOTE: the security items are applied from the top of the file to the ; bottom. Because of that, top level directory entries with more re- ; strictive security should be at the top of the file and less restric- ; tive entries to specific users and/or specific files should be listed ; next. ; ; * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ; remove access for Everyone for whole drive [%SystemDrive%\!] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\] BUILTIN\Users = List ;Anonymous = List BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\*.*] BUILTIN\Users = R ;Anonymous = R BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\IO.SYS] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\MSDOS.SYS] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\BOOT.INI] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\NTDETECT.COM] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\NTLDR.] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\AUTOEXEC.BAT] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\CONFIG.SYS] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemDrive%\TEMP\!] BUILTIN\Users = RWX ;Anonymous = RWX CREATOR OWNER= RWXD, RWD BUILTIN\Administrators = FullControl SYSTEM = FullControl ;[%SystemDrive%\USERS\!] ;BUILTIN\Users = R ;Anonymous = R ;CREATOR OWNER= RWXD, RWD ;BUILTIN\Administrators = FullControl ;SYSTEM = FullControl ;[%SystemDrive%\USERS\DEFAULT\!] ;BUILTIN\Users = RWD, RWD ;Anonymous = RWD, RWD ;CREATOR OWNER= RWXD, RWD ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl ;[%SystemDrive%\WIN32APP\!] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl [%SystemRoot%\!] BUILTIN\Users = READ ;Anonymous = READ BUILTIN\Administrators = FullControl SYSTEM = FullControl ;cannot deny users since it breaks WIN16 apps ;[%SystemRoot%] ;BUILTIN\Administrators = FullControl ;SYSTEM = FullControl [%SystemRoot%\*.*] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\*.INI] BUILTIN\Users = READ ;Anonymous = READ BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\HELP\] BUILTIN\Users = Change ;Anonymous = Change BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\REPAIR\!] BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM\*.*] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\*.*] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\AUTOEXEC.NT] BUILTIN\Users = READ ;Anonymous = READ BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\CMOS.RAM] BUILTIN\Users = R W ;Anonymous = R W BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\CONFIG.NT] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\MIDIMAP.CFG] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\CONFIG] BUILTIN\Administrators = FullControl BUILTIN\Users = List ;Anonymous = List SYSTEM = FullControl [%SystemRoot%\SYSTEM32\CONFIG\*.*] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\DRIVERS\!] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\RAS\!] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\REPL\!] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\SPOOL\!] BUILTIN\Users = Read ;Anonymous = Read BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\WINS\!] BUILTIN\Administrators = FullControl SYSTEM = FullControl [%SystemRoot%\SYSTEM32\AT.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl ;[%SystemRoot%\SYSTEM32\ACLCONV.EXE ] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\ARP.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\ATSVC.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\AUDITLOG.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\AUTOCHK.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\AUTOCONV.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl ;[%SystemRoot%\SYSTEM32\AUTOSETP.EXE ] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\BOOTOK.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\BOOTVRFY.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\CACLS.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\CHKDSK.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\CONVERT.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\C2CONFIG.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\C2*.INF ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\C2*.DLL ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\CXNETDDE.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\DBGTRACE.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\DDESHARE.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\DISKPERF.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\EVENTVWR.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\EXE2BIN.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\FC.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\FINDSTR.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\FINGER.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\FORMAT.COM ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\FTP.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\IBROWSER.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl ;[%SystemRoot%\SYSTEM32\INTRO.EXE ] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\IPCONFIG.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\IPXROUTE.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\KILL.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\LABEL.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\LLSMGR.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\LLSSRV.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\LMREPL.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\LOCATOR.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\LODCTR.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\LOGVIEW.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl ;[%SystemRoot%\SYSTEM32\LPQ.EXE ] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl ;[%SystemRoot%\SYSTEM32\LPR.EXE ] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\LSASS.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\MIGRATE.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\MPNOTIFY.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl ;[%SystemRoot%\SYSTEM32\MUSRMGR.EXE ] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\NBTSTAT.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\NCADMIN.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\NDDEAGNT.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\NDDEAPIR.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\NET1.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\NETDDE.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\NTBACKUP.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\NTOSKRNL.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\NWCONV.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\NW2NT.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\NWSETUP.BAT ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\PAX.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\PENTNT.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\PERFMON.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl ;[%SystemRoot%\SYSTEM32\PID.EXE ] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\PLICENSE.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\PORTUAS.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl ;[%SystemRoot%\SYSTEM32\PSERVER.EXE ] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\PSXSS.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl ;[%SystemRoot%\SYSTEM32\PVIEW.EXE ] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl ;[%SystemRoot%\SYSTEM32\PVIEWER.EXE ] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\RASADMIN.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl ;[%SystemRoot%\SYSTEM32\RASSRV.EXE ] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\RCP.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\REXEC.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\RSH.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\RDISK.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\RECOVER.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\REGINI.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\REGISTER.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\REGSVR32.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\RESET.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\ROUTE.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\RPCSS.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\RUNDLL32.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\RWINSTA.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\SAVEDUMP.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl ;[%SystemRoot%\SYSTEM32\SCM.EXE ] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\SERVICES.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl ;[%SystemRoot%\SYSTEM32\SETACL.EXE ] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl ;[%SystemRoot%\SYSTEM32\SETBUILD.EXE ] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\SHADOW.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\SHUTDOWN.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\SRVMGR.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\TCPSVCS.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\TELNET.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\TFTP.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl ;[%SystemRoot%\SYSTEM32\TOP.EXE ] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl ;[%SystemRoot%\SYSTEM32\TPROGMAN.EXE ] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\TRACERT.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\UNLODCTR.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl ;[%SystemRoot%\SYSTEM32\UPEDIT.EXE ] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl ;[%SystemRoot%\SYSTEM32\UPGRADE.EXE ] ;SYSTEM = FullControl ;BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\UPS.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\USRMGR.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\WINDISK.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\WINMSD.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl [%SystemRoot%\SYSTEM32\WOWDEB.EXE ] SYSTEM = FullControl BUILTIN\Administrators = FullControl