windows-nt/Source/XPSP1/NT/termsrv/admtools/c2config/inf/high/c2ntfacl.inf

; * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
;
; File System ACL definition file
;
; Use this file to set the ACL's on files and directories to the desired
; security. The format of each entry is:
;
; [DirPath]
; Domain\Account = [Predefined Access | FileAccessString [, DirAccessString]]
;
; [FilePath]
; Domain\Account = [Predefined Access | FileAccessString]
;
; where:
;
; FilePath is the path of the file or directory to set. This is in the
; format of a file path name. The file path may contain environment
; variables (such as %systemroot%) which will be expanded on the
; system running the application.
;
; the last item in the FilePath string may be a directory, file,
; wildcard file or an exclamation ("!"). In the case of an exclamation
; all files and sub-directories of the preceding path will be set
; to the specified security.
;
; for example:
;
; [%systemroot%\system32\!]
;
; would assign the security description of that section
; to all files and sub-directories UNDER the
; %systemroot%\system32 directory as well as to the
; %systemroot%\system32 directory itself. To assign
; security to just the files in that directory ,
; an entry such as the following would be needed:
;
; [%systemroot%\system32\*.*]
;
;
; Domain\Account
; specifies the account to receive the specified access for that
; file. Account may be an account or a group. For example, to give
; permissions to all administrator accounts:
;
; BUILTIN\Administrators
;
; would be the correct entry.
;
; access string is defined as one of the following:
;
; a combination of access chars
;
; access
; char File Access Dir Access
; ---- ---------------- ----------------
; R = Read Data List Directory
; W = Write Data Add File
; X = Execute File Traverse Directory
; D = Delete Delete
; P = Change Perms Change Perms
; O = Take Ownership Take Ownership
;
; e.g. SYSTEM = RWXD
;
;
; there are also some predefined combination access keys:
;
; NONE = no access
; ALL = RWXDPO
;
; Standard Directory & File access references are:
;
; Access Access Granted
; Name (Dir)(File)
; ----------- ------------------
; FullControl = (ALL)(ALL)
; Change = (RWXD)(RWXD)
; AddRead = (RWX)(RX)
; Read = (RX)(RX)
; Add = (WX)(none specified)
; List = (RX)(none specified)
; NoAccess = (NONE)(NONE)
;
;
; * * * * * * * * * * * * N O T E * * * * * * * * * * * * * * * * *
;
; For correct application of the access control, the more restrictive
; access entries must be placed ahead of (on top of) the more permissive
; access. The correct "sort" order would be:
;
; NoAccess, List, Add, Read, AddRead, Change, FullControl
;
;
; * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
;
; NOTE: the security items are applied from the top of the file to the
; bottom. Because of that, top level directory entries with more re-
; strictive security should be at the top of the file and less restric-
; tive entries to specific users and/or specific files should be listed
; next.
;
; * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
; remove access for Everyone for whole drive
; The trailing "!" applies this section to %SystemDrive% itself and to every
; file and sub-directory under it (see the FilePath rules in the header).
; Only Administrators and SYSTEM are listed here; the sections that follow add
; the narrower grants for Users.
[%SystemDrive%\!]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
; NOTE(review): a section path ending in a bare "\" is not one of the forms the
; header describes (directory, file, wildcard or "!"); presumably it names the
; root directory itself -- confirm against the tool's parser.
[%SystemDrive%\]
BUILTIN\Users = List
;Anonymous = List
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
; Files directly in the root directory: Users get read-data access only.
[%SystemDrive%\*.*]
BUILTIN\Users = R
;Anonymous = R
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
; Boot and startup files: Administrators and SYSTEM only. These sections come
; after the *.* section above because entries are applied top to bottom;
; presumably each one replaces the Users = R grant on the named file -- confirm.
[%SystemDrive%\IO.SYS]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemDrive%\MSDOS.SYS]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemDrive%\BOOT.INI]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemDrive%\NTDETECT.COM]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemDrive%\NTLDR.]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemDrive%\AUTOEXEC.BAT]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemDrive%\CONFIG.SYS]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
; TEMP tree: every member of Users gets R, W and X, and CREATOR OWNER gets two
; access strings (file, then directory, per the entry format in the header).
; NOTE(review): this leaves a location that ordinary users can both write to
; and execute from; confirm that is intended for this profile.
[%SystemDrive%\TEMP\!]
BUILTIN\Users = RWX
;Anonymous = RWX
CREATOR OWNER= RWXD, RWD
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
; The USERS and WIN32APP sections below are commented out and are not applied.
;[%SystemDrive%\USERS\!]
;BUILTIN\Users = R
;Anonymous = R
;CREATOR OWNER= RWXD, RWD
;BUILTIN\Administrators = FullControl
;SYSTEM = FullControl
;[%SystemDrive%\USERS\DEFAULT\!]
;BUILTIN\Users = RWD, RWD
;Anonymous = RWD, RWD
;CREATOR OWNER= RWXD, RWD
;SYSTEM = FullControl
;BUILTIN\Administrators = FullControl
;[%SystemDrive%\WIN32APP\!]
;SYSTEM = FullControl
;BUILTIN\Administrators = FullControl
; Whole %SystemRoot% tree ("!" covers the directory and everything under it):
; Users get read-data access. Later sections that list only Administrators and
; SYSTEM depend on being applied after this one (top-to-bottom order).
[%SystemRoot%\!]
BUILTIN\Users = R
;Anonymous = R
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
;cannot deny users since it breaks WIN16 apps
;[%SystemRoot%]
;BUILTIN\Administrators = FullControl
;SYSTEM = FullControl
[%SystemRoot%\*.*]
BUILTIN\Users = R
;Anonymous = R
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
; NOTE(review): "READ" here and "Read" in the next section are presumably the
; same predefined name (Read = (RX)(RX) in the header) -- confirm that the
; parser matches predefined names case-insensitively.
[%SystemRoot%\*.INI]
BUILTIN\Users = READ
;Anonymous = READ
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\EXPLORER.EXE]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
; Change = (RWXD)(RWXD) per the header, so Users may add, modify and delete
; here. NOTE(review): confirm write access for Users to this directory is
; intended; the path also uses the bare trailing "\" form the header does not
; describe.
[%SystemRoot%\HELP\]
BUILTIN\Users = Change
;Anonymous = Change
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
; NOTE(review): unlike the other Administrators-only sections in this file,
; this one has no SYSTEM entry -- confirm the omission is deliberate.
[%SystemRoot%\REPAIR\!]
BUILTIN\Administrators = FullControl
; Files directly in SYSTEM and SYSTEM32: Users get read-data access only.
[%SystemRoot%\SYSTEM\*.*]
BUILTIN\Users = R
;Anonymous = R
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
;[%SystemRoot%\SYSTEM\*.exe]
;BUILTIN\Administrators = FullControl
;SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\*.*]
BUILTIN\Users = R
;Anonymous = R
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
; Libraries and drivers: Users get the predefined Read access, which the
; header defines as (RX)(RX).
[%SystemRoot%\SYSTEM32\*.dll]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\*.drv]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
; All .exe files in SYSTEM32: no Users entry. Individual programs are given
; Users = Read by their own sections further down the file.
; NOTE(review): this same section name appears a second time later in the file.
[%SystemRoot%\SYSTEM32\*.exe]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\AUTOEXEC.NT]
BUILTIN\Users = READ
;Anonymous = READ
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
; NOTE(review): the access string "R W" contains a space, while the header's
; example (RWXD) has none -- confirm the parser accepts it and that Users
; really need write access to this file.
[%SystemRoot%\SYSTEM32\CMOS.RAM]
BUILTIN\Users = R W
;Anonymous = R W
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
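; SYSTEM32\CONFIG directory (on Windows NT this is where the registry hive
; files live): Users may only list it. The List entry is placed ahead of the
; FullControl entries because the ordering note in this file's header requires
; the more restrictive access to come first.
[%SystemRoot%\SYSTEM32\CONFIG]
BUILTIN\Users = List
;Anonymous = List
BUILTIN\Administrators = FullControl
SYSTEM = FullControl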
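; Files inside SYSTEM32\CONFIG: Administrators and SYSTEM only, no Users entry.
; The SYSTEM entry must use the predefined name FullControl exactly as the
; header lists it; a misspelled name is not in that list, and how the tool
; would treat it (skip the entry, or read it as access characters) is not
; visible in this file.
[%SystemRoot%\SYSTEM32\CONFIG\*.*]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl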
; Service data directories: Administrators and SYSTEM only, applied to the
; whole tree where the path ends in "!".
[%SystemRoot%\SYSTEM32\DHCP\!]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
; DRIVERS tree: Users get the predefined Read access ((RX)(RX) in the header).
[%SystemRoot%\SYSTEM32\DRIVERS\!]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\OS2\!]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
; RAS is set with a directory section plus a *.* section rather than "!", so
; per the header's FilePath rules sub-directories of RAS are not covered here.
[%SystemRoot%\SYSTEM32\RAS]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\RAS\*.*]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
; REPL\! already covers every file and sub-directory under REPL (see the "!"
; rule in the header); the EXPORT and IMPORT sections that follow restate the
; same Administrators/SYSTEM grant for each directory and its files.
[%SystemRoot%\SYSTEM32\REPL\!]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\REPL\EXPORT]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\REPL\EXPORT\*.*]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\REPL\EXPORT\SCRIPTS]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\REPL\EXPORT\SCRIPTS\*.*]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\REPL\IMPORT]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\REPL\IMPORT\*.*]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\REPL\IMPORT\SCRIPTS]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\REPL\IMPORT\SCRIPTS\*.*]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
; SPOOL tree: Users get the predefined Read access.
[%SystemRoot%\SYSTEM32\SPOOL\!]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\WINS\!]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
; NOTE(review): this section name already appears earlier in this file with the
; same two entries; the repeat looks redundant -- confirm it is intentional.
; It lists no Users entry, so the per-file sections below are what give Users
; access to individual SYSTEM32 programs (Read = (RX)(RX) per the header).
; Presumably an .exe in SYSTEM32 with no section of its own stays limited to
; Administrators and SYSTEM -- verify against the tool's behaviour.
[%SystemRoot%\SYSTEM32\*.exe]
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
; NOTE(review): many of the section names below have a space before the
; closing "]"; confirm the parser trims it, since a path with a trailing space
; would presumably not match the intended file.
[%SystemRoot%\SYSTEM32\APPEND.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\arevfix.com ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\CALC.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\CHCP.COM ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\CHGCDM.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\CLOCK.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\COMMAND.COM ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\doskbd.exe ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\DOSKEY.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\DOSX.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\FREECELL.EXE]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\GDI.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\HELP.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\KB16.COM ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
;[%SystemRoot%\SYSTEM32\KBDSEL.EXE ]
;BUILTIN\Users = Read
;Anonymous = Read
;BUILTIN\Administrators = FullControl
;SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\KEYB.COM ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\KRNL386.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\LOADFIX.COM ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\logoff.exe ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\MORE.COM ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\MSCDEXNT.EXE]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\NLSFUNC.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\NTVDM.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\NW16.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\PBRUSH.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\REDIR.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\SHARE.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\SOL.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\SORT.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\USER.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\USERINIT.EXE]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\VWIPXSPX.EXE]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\wfshell.exe ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\WIN.COM ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\winhlp32.exe]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\WINMINE.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\WOWEXEC.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl
[%SystemRoot%\SYSTEM32\SYSTRAY.EXE ]
BUILTIN\Users = Read
;Anonymous = Read
BUILTIN\Administrators = FullControl
SYSTEM = FullControl