GPO to assign explicit NTFS permissions to cmd.exe

    Question

  • Hello!  

    We have a Windows 2012R2 AD DS domain.  

    For security compliance reasons, on about 20 web servers, we need to set particular NTFS level permissions to: 

    "C:\Windows\System32\cmd.exe"

    So I decided, why not apply this via GPO.  

    But I'm quickly realizing that I'm unable to set the "<hostname>\Administrators" group (which is inherited by default, btw) when going through the "Add File" process in: 

    Computer Configuration - Policies - Windows Settings - Security Settings - File System

    I'm running GPMC from a member server, and of course the only option I have is to add the local Administrators group for this particular host.  We don't want that on the 20+ web servers that I'll apply this GPO to!  

    Anyone know how to add this?  Is it possible?  

    Please don't ask questions about the 'why'.  I just want to explicitly define a few permissions (remove inheritance) and push this out to all web servers.  

    thanks!

    Wednesday, December 14, 2016 12:29 AM

Answers

  • > but I'm quickly realizing that I'm unable to set "<hostname>\Administrators" group (which is inherited by default btw) when going through the "Add File" process in:
     
    Assign any group of your choice. Then simply edit the gpttmpl.inf file in the GPO sysvol folder and replace the SID there with S-1-5-32-544...
     
    • Marked as answer by AndyG-Admin Wednesday, December 14, 2016 9:57 PM
    Wednesday, December 14, 2016 7:33 AM

All replies

  • Hi,
    In this case, I would use a script to assign the explicit NTFS permissions to cmd.exe on each host server, instead of using the built-in template policy, and you could also use Group Policy to deploy this script to all servers: https://technet.microsoft.com/en-us/library/ee431705(v=ws.10).aspx
    Regarding the script, you may need to involve the Scripting Guy for help; alternatively you could post the question about scripting in the scripting forum:
    https://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG
    The reason we recommend posting appropriately is that you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, December 14, 2016 6:37 AM
    Moderator
  • Hi Martin,

    I was hoping that was an option. :)  

    But doesn't each local Administrators group have its own unique SID? Or do local Windows groups have Windows common SIDs?  

    Thanks. 

    Wednesday, December 14, 2016 5:06 PM
  • Awesome!  S-1-5-32-544 is a well-known SID for the BuiltIn\Administrators group.  

    I see that now.  So far so good.  

    That takes care of what I need.

    The only gotcha is that when I remove BuiltIn\Users read/execute access, it prevents execution of cmd.exe, even though I'm a local admin.  Very interesting.  Perhaps you guys may have some insight on this.  Maybe this is a system requirement for cmd.exe?  

    The reason why I'm doing this is because of Federal requirements.  To certify the configuration on these systems, we are required to lock down cmd.exe (and some other files) to only allow access to 'System' & 'Local Administrators'.  Seems like this configured access breaks cmd.exe entirely; not just limiting access to local admins.

    Thoughts? 

    Thanks!


    • Edited by AndyG-Admin Wednesday, December 14, 2016 5:55 PM re-word
    Wednesday, December 14, 2016 5:54 PM
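    An added, read-only audit script (not from this thread or from Microsoft) that ties together the well-known-SID point from the accepted answer and the "Users read/execute" gotcha above: it expresses the intended ACL as SDDL with well-known SID aliases (SY, BA, BU are standard SDDL aliases; the target path and the SDDL baseline are assumptions), shows how those SIDs resolve on the local host, and reports drift against the current cmd.exe ACL without changing anything.

    ```powershell
    # Added example, not the thread's own code. Read-only: nothing on disk is modified.
    # Well-known SIDs used (same on every host, so no "<hostname>\Administrators" lookup):
    #   SY = NT AUTHORITY\SYSTEM (S-1-5-18)   BA = BUILTIN\Administrators (S-1-5-32-544)
    #   BU = BUILTIN\Users (S-1-5-32-545), kept at read/execute because the thread reports
    #   cmd.exe no longer launches, even for admins, once the Users entry is removed.
    $Target = Join-Path $env:SystemRoot 'System32\cmd.exe'
    # Assumed baseline; this is the SDDL form the GPO stores in GptTmpl.inf [File Security].
    # P = inheritance disabled, FA = full control, 0x1200a9 = read & execute.
    $WantedSddl = 'D:PAR(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)'

    function Get-AceSet {
        param([System.Security.AccessControl.RawAcl]$Dacl)
        # Normalise every ACE to "SID|AceType|mask" so hosts can be compared by SID, not name
        foreach ($ace in $Dacl) {
            if ($ace -is [System.Security.AccessControl.CommonAce]) {
                '{0}|{1}|0x{2:X}' -f $ace.SecurityIdentifier.Value, $ace.AceType, $ace.AccessMask
            }
        }
    }

    $wanted  = New-Object System.Security.AccessControl.RawSecurityDescriptor($WantedSddl)
    $currentSddl = (Get-Acl -Path $Target).GetSecurityDescriptorSddlForm('Access')
    $current = New-Object System.Security.AccessControl.RawSecurityDescriptor($currentSddl)

    # Show how each well-known SID resolves on THIS host (S-1-5-32-544 -> <hostname>\Administrators)
    foreach ($ace in $wanted.DiscretionaryAcl) {
        $name = '<unresolvable>'
        try { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $rights = [System.Security.AccessControl.FileSystemRights]$ace.AccessMask
        '{0,-14} {1,-30} {2}' -f $ace.SecurityIdentifier.Value, $name, $rights
    }

    # Drift report: which baseline ACEs are missing, which unexpected ACEs are present,
    # and whether inheritance is actually disabled (the DACL "protected" flag).
    $wantedSet  = @(Get-AceSet $wanted.DiscretionaryAcl)
    $currentSet = @(Get-AceSet $current.DiscretionaryAcl)
    $missing = @($wantedSet  | Where-Object { $currentSet -notcontains $_ })
    $extra   = @($currentSet | Where-Object { $wantedSet  -notcontains $_ })
    $protectedFlag = [System.Security.AccessControl.ControlFlags]::DiscretionaryAclProtected
    $protected = ($current.ControlFlags -band $protectedFlag) -ne 0

    if (-not $protected) { Write-Warning "Inheritance is still enabled on $Target" }
    if ($missing.Count) { Write-Warning "Missing ACEs: $($missing -join ', ')" }
    if ($extra.Count)   { Write-Warning "Unexpected ACEs: $($extra -join ', ')" }
    if ($protected -and -not $missing.Count -and -not $extra.Count) {
        Write-Host "$Target DACL matches the baseline"
    }
    ```

    Run it on one web server before and after the GPO applies; on an untouched host it will flag inheritance as enabled and list the default TrustedInstaller entry as unexpected, which is the expected starting state.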
  • > we are required to lock down cmd.exe (and some other files) to only allow access to 'System' & 'Local Administrators'.
     
    Still doing "security by obscurity"??? There are tons of other file explorers.
     
    BTW: If you have high security requirements, I'd really advise using AppLocker instead of ACLs... Much easier to handle :)
     
    Thursday, December 15, 2016 11:37 AM
  • The IRS seems to be pretty specific to the ACLs if you check out: 

    https://www.irs.gov/pub/irs-utl/safeguards-scsem-web-server.xls

    Click the "Test Cases" tab

    Search for "cmd.exe"

    and you'll land on Test ID "WEB-05" - "Test Procedures" column.  
    Very short read. 

    Unless this is one of those things where alternative methods such as AppLocker are accepted.  But again, they seem pretty specific about verifying the ACLs.

    Thoughts? 


    Wednesday, January 04, 2017 12:11 AM
  • Hi,

    AppLocker allows you to specify which users or groups can run particular applications in your organization based on unique identities of files. If you use AppLocker, you can create rules to allow or deny applications from running. Please see: https://technet.microsoft.com/en-us/library/dd759117(v=ws.11).aspx

    So if you need to lock down some system application, AppLocker could work. But if you also need to restrict access to some files, you might need to set ACLs via Group Policy; please refer to:

    https://mcpmag.com/articles/2008/10/13/file-permissions-thru-group-policy.aspx

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best regards,

    Wendy



    Friday, January 06, 2017 1:21 AM
    Moderator