cannot edit permission for a folder - security

I am using Windows Server 2008 x64. I log in as administrator. I want to add a new user with read/write access to a folder under c:\windows\system32. I tried selecting the folder (right click), then Property -> Security -> Edit under the Security tab, but the Add button is greyed out. Why? Are there any programming-based or other quick solutions?
I tried the same operation on another folder that is not a Windows system folder, and there it is OK to add a new user to the permissions.
Thanks in advance,
George

If the folder doesn't give administrator permission to edit the folder's settings then administrator can't edit the folder's settings.
One answer that would belong on Server Fault is that if administrator can take ownership of the folder then administrator can edit the folder's settings to give administrator permission to edit the folder's settings (this part seems recursive).
Programmatically, you could write a program which would edit the folder's settings. If administrator executes the program, it will still fail. If administrator installs the program as a service, to execute under the Local System account, the program will have a better chance of success.

Related

how to block off permission to all folders but one in C Drive

I have just set up a new user for an FTP connection for the first time. I am trying to block off all permissions on all C drive folders except their user folder. Currently they can see files in the Windows folder, which I tried changing using the properties and the security deny permission for the user, but it didn't allow me to do it.
What's the best way to set this up and block all visual access to folders except their own user folder?
Any questions, let me know and I'll clarify as best as I can.
You can use Bitvise to restrict users to a root directory without touching any permissions on the directory itself.

get EXEDIR to show mapped path not UNC but still have admin rights, nsis

I'm creating an installer with NSIS.
It does exactly 2 things. Creates a shortcut to an executable, and puts a dll in the system32 directory.
I have to request admin elevation to achieve the copy into system32 for the DLLs.
However, when it's running with admin rights the mapped drive disappears and becomes a UNC path. I want to keep the mapped drive path though. Some internet research shows that when elevated to admin, UNC paths replace mappings, which are user specific.
How can I achieve both in the same install?
Mapped drives are per logon-session (token) and UAC uses a split-token model when elevating so there are no ways around this. See this blog post for more details.
You could elevate cmd.exe and map the drive again before running setup...

Giving writing permissions for IIS user at Windows 2003 Server

I am running a website on Windows 2003 Server and IIS6, and I am having problems writing or deleting files in a temporary folder, getting warnings like this:
Warning: unlink(C:\Inetpub\wwwroot\cakephp\app\tmp\cache\persistent\myapp_cake_core_cake_): Permission denied in C:\Inetpub\wwwroot\cakephp\lib\Cake\Cache\Engine\FileEngine.php on line 254
I went to the tmp directory and at the properties I gave the IIS User the following permissions:
Read & Execute
List folder Contents
Read
And it is still showing the same warnings.
When I am on the properties window, if I click on Advanced, the IIS username appears twice:
one with Allow type and Read & Execute permissions, and the other with Deny type and Special permissions.
My question is:
Should I give this user not only the Read & Execute permissions but also these ones?
Create Attributes
Create Files/ Write Data
Create Folders/ Append Data
Delete Subfolders and Files
Delete
They are available to select if I click on the Edit button over the username.
Wouldn't I be opening a security hole if I do this?
Otherwise, what can I do to read and delete the files my website uses?
Thanks.
Finally, what I did was give read/write/modify permissions on the app\tmp folder to the Internet Guest Account.

How do I set permissions on dynamically linked files?

I have an InstallScript installer that utilizes dynamic file links for several components. These components contain configuration files that standard users should be able to edit. We recently discovered that when these files are installed on Windows Server 08, the permissions are set to full access for the Administrators group, but only read & execute access for the Users group. The typical install location is C:\programName.
I've tried creating new files manually as an admin (right click - new text file) in the C:\programName directory, and they are generated with identical permissions. I'm assuming that this is just the standard permission setup for new files.
Is there any way, within InstallShield, to set the permissions for dynamically linked files or the directory containing them?
I've looked for permission settings in
Organization -> Components
Application Data -> Files and Folders
but I haven't found anything. The documentation on dynamic file links makes no mention of permissions.
We are using InstallShield 2010.
Generally these permissions are a good thing; they're inherited from their parent folders. Non-administrator users (including the limited access admin before accepting a UAC prompt) should be unable to modify files under Program Files or C: so I would suggest addressing this concern in your application (for instance by using each user's Documents folder). Since you don't talk about why you need it, it's hard to say with certainty if this applies to your case.
If it turns out it does make sense to address this in the installation instead of the application, you can use the SetObjectPermissions API to set permissions programmatically.
In "Files and Folders" page right-click the file or folder, select Properties and click the Permissions button. In the "Permissions" dialog you can then right-click in the Name(s) list and use the New context menu option to add a new permission.
If the option is not available for a file, you can try setting it on the parent folder.

Windows 7 Security Policy: How Do I Allow My .NET App to Write to Drive "C:"?

My application is not supposed to perform any administrative tasks, so I want a normal User account to be able to run it. Only thing is, my application reads from and writes to a database file; if the user running Windows 7 (Or Vista) installs my app in drive C, the drive's default permission set configuration doesn't allow my app to write data.
How can I allow my app to write to C:, without requiring full administrative privileges?
If the database file exists at install time you can just grant the user write access to the file as part of the installation process (ordinary users do not have this permission by default). If the file needs to be created by the program the user running the program will need modify permissions on the c drive, which is not something that I would recommend.
I'd suggest storing your db file in the Documents and Settings / App data / your app / directory. It exists specifically for this purpose. Writing to C:/Program Files is not good practice. If that's possible in your case, that is.
You need to open UAC (User Account Access) and set security slider to the bottom. Then you can access drive C: as you did in windows XP.
I decided to modify directory permissions in the setup process, so I created an .exe file that changes the permissions of its start-up path, and gives all users access to that path. I simply included that .exe file in my deployment project, and created a Custom Action that would run the file in the Commit phase of installation.
Because the setup asks the user for administrative rights when it is being installed, my .exe also enjoys administrative privileges and can modify the permissions of the installation directory.
In my .exe, I used a Process instance to run the ACL utility shipped with Windows (icacls.exe) as follows:
ICACLS.EXE [TargetDir] /T /C /grant Users:F
(Make sure that [TargetDir] doesn't end with a "\" or the call will fail.)
This gives all users full control access to the target directory.
I could also write .NET code and change directory permissions manually, but I'm a little lazy!
You may however want to inspect your environment conditions thoroughly so that what you do wouldn't become a security hole in your environment; but this was suitable for me.
I hope this helps others who faced the same issue.
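A narrower variant of the `icacls` call in the answer above, as an added example that is not part of the original posts: it grants Modify instead of Full control, on a data subfolder only, then lists the resulting ACEs with Deny entries first (the Allow/Deny pairing the IIS question on this page describes). The directory names are hypothetical; the SID is the well-known one for BUILTIN\Users.

```powershell
# Added example, not from the original posts. Paths and names are hypothetical.
param(
    [string]$TargetDir  = 'C:\programName',   # hypothetical install directory
    [string]$DataSubdir = 'data',             # hypothetical writable subfolder
    [string]$Sid        = 'S-1-5-32-545'      # well-known SID of BUILTIN\Users
)

# A path ending in "\" breaks the quoted argument passed to icacls, so trim it.
$TargetDir = $TargetDir.TrimEnd('\')
$dataDir   = Join-Path $TargetDir $DataSubdir
if (-not (Test-Path $dataDir)) {
    New-Item -ItemType Directory -Path $dataDir | Out-Null
}

# Grant Modify, inherited by files (OI) and subfolders (CI), on the data folder only.
# Modify allows create/write/delete but not changing permissions or taking ownership.
# The leading "*" tells icacls that a numeric SID follows (locale independent).
& icacls.exe $dataDir /grant "*${Sid}:(OI)(CI)M" /C
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Report every ACE held by the SID on a path, Deny entries first, so a Deny
# that masks a new Allow is visible, as is whether each ACE is inherited.
function Get-AceReport([string]$Path, [string]$Sid) {
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $Sid } |
        Sort-Object AccessControlType -Descending |
        Select-Object @{n='Path';e={$Path}}, AccessControlType, IsInherited, FileSystemRights
}

# The install directory should show only what it inherits; the data folder
# should additionally show the explicit Modify grant.
Get-AceReport $TargetDir $Sid
Get-AceReport $dataDir   $Sid
```

Run it from an elevated prompt; the executables stay read-only to standard users while only the data folder becomes writable.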
The user by default should have write permissions to drive C:, if not, then you will need to change the directory you read from and write to, to the executing directory (C:/Program Files/Your App/) rather than the root of C:
You can get this by
// Directory containing the running executable (needs System.IO and System.Windows.Forms).
string appDir = Path.GetDirectoryName(Application.ExecutablePath);
