
Litetouch Folder Permissions October 26, 2009

Posted by keithga in MDT 2010.

I was looking the other day at the permissions of my MDT deployment share, wondering if I had the optimal settings for security and flexibility (typically security and flexibility do *not* go together…). So I did some digging, came up with a solution that works well for my Litetouch deployment, and thought I’d share.

SDDL

When dealing with security permissions, I had to dig down into the details of Security Descriptors and Security Descriptor Definition Language (SDDL) strings.

For a good tutorial about Security Descriptor Definition Language Strings (SDDL), go here:

http://www.washington.edu/computing/support/windows/UWdomains/SDDL.html

The advantage of SDDL strings is that they provide a good, portable way to define and apply settings. You can use the cacls.exe tool included in Windows, for example, to apply a security string to an existing folder:

cacls c:\DeploymentShare\LogFiles /s:"D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;;0x100004;;;AU)"

1 – Share Security

\\<server>\DeploymentShare$

For the primary deployment share, just set the share permissions to Everyone: Full Control. If all operations against the share are read-only, Everyone: Read is enough.

Reasoning: NTFS security is far more robust and granular than share-level security, so it’s better to leave the share permissions wide open and do all of the real access control in NTFS.

2 – Most Read/Only Folders

\\<server>\DeploymentShare$\[Applications,Packages,etc…]

For most folders under \\<server>\DeploymentShare$, the permissions will look like this:

SDDL: D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)

  • Allow “NT AUTHORITY\SYSTEM” Full Control, This folder, subfolders, and files.
  • Allow “BUILTIN\Administrators” Full Control, This folder, subfolders, and files.
  • Allow “NT AUTHORITY\Authenticated Users” Read & Execute, This folder, subfolders, and files.

This is basic stuff, and will allow administrators to perform basic maintenance, yet prevent normal users from accidentally modifying files.

3 – Most Write Only Folders

\\<server>\DeploymentShare$\[LogFiles,MigData,Captures]

This could be things like log files, user backups, computer backups, USMT migration files, BitLocker keys(?), etc.: folders where users or machines may need to write to the deployment server (or any other share):

SDDL: D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;;0x100004;;;AU)

  • Allow “NT AUTHORITY\SYSTEM” Full Control, This folder, subfolders, and files.
  • Allow “BUILTIN\Administrators” Full Control, This folder, subfolders, and files.
  • Allow “CREATOR OWNER” Full Control, Subfolders, and files only.
  • Allow “NT AUTHORITY\Authenticated Users” Create folders / append data, This folder only.

Again, this gives Administrators the ability to perform all basic maintenance tasks.

The last entry, “Allow “NT AUTHORITY\Authenticated Users” Create folders / append data, This folder only.”, allows users to create subfolders freely; however, it does not give anyone the right to read or write to other folders.

Once a user has created a folder they are its Creator Owner, and the 3rd entry, “Allow “CREATOR OWNER” Full Control, Subfolders, and files only.”, allows users to write to the directory they created, and only that directory.

It’s a way that we can allow anyone to write to the MDT deployment share without allowing them any access to other users’ folders. This is great in scenarios like User State Migration, where we wish to save a user’s state to a common public location, yet don’t wish to allow other users the ability to read those possibly sensitive files.
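To make the two SDDL strings above easier to audit, here is a small decoder (added here as an illustration, not part of the original post or of MDT) that expands each ACE into the same “Allow principal, rights, applies-to” wording used in the bullet lists. The SID aliases, rights abbreviations and access-mask bits are the standard Windows values; the Explorer-style names for the exact masks are my own labelling.

```python
import re

# Well-known SID aliases that appear in the post's SDDL strings
SID_ALIASES = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
               "CO": "CREATOR OWNER", "AU": "NT AUTHORITY\\Authenticated Users"}
# Generic rights abbreviations and the file access masks they expand to
RIGHT_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
# Individual access-mask bits (low bits are file/folder specific, high bits are standard rights)
MASK_BITS = [(0x1, "Read data / list folder"), (0x2, "Write data / create files"),
             (0x4, "Append data / create folders"), (0x8, "Read extended attributes"),
             (0x10, "Write extended attributes"), (0x20, "Execute / traverse folder"),
             (0x40, "Delete subfolders and files"), (0x80, "Read attributes"),
             (0x100, "Write attributes"), (0x10000, "Delete"), (0x20000, "Read permissions"),
             (0x40000, "Change permissions"), (0x80000, "Take ownership"), (0x100000, "Synchronize")]
# Explorer-style names for the exact masks the post uses (labels chosen here, not from the post)
NAMED_MASKS = {0x1F01FF: "Full Control", 0x1200A9: "Read & Execute",
               0x100004: "Create folders / append data"}
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_ace(body):
    """Parse one ACE body 'type;flags;rights;object;inherit_object;sid' into a dict."""
    ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")
    mask = RIGHT_ALIASES[rights] if rights in RIGHT_ALIASES else int(rights, 16)
    flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}   # two-letter flags: OI, CI, IO, NP, ID
    oi, ci, io = "OI" in flag_set, "CI" in flag_set, "IO" in flag_set
    if oi and ci:
        scope = "Subfolders and files only" if io else "This folder, subfolders, and files"
    elif ci:
        scope = "Subfolders only" if io else "This folder and subfolders"
    elif oi:
        scope = "Files only" if io else "This folder and files"
    else:
        scope = "This folder only"
    return {"allow": ace_type == "A", "principal": SID_ALIASES.get(sid, sid), "mask": mask,
            "rights": NAMED_MASKS.get(mask, ", ".join(n for b, n in MASK_BITS if mask & b)),
            "applies_to": scope}

def decode_dacl(sddl):
    """Return the DACL ACEs of an SDDL string (any O:, G: or S: parts are ignored)."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    return [parse_ace(body) for body in ACE_RE.findall(dacl)]

def describe(sddl):
    """Render each ACE as the one-line form used in the post's bullet lists."""
    return [f"{'Allow' if a['allow'] else 'Deny'} \"{a['principal']}\" {a['rights']}, {a['applies_to']}."
            for a in decode_dacl(sddl)]

if __name__ == "__main__":
    for line in describe("D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;;0x100004;;;AU)"):
        print(line)
```

Decoding 0x100004 also shows why the write-only folder works: it carries neither the list bit (0x1) nor the create-files bit (0x2), so Authenticated Users can create a subfolder but cannot enumerate the parent or drop files directly into it.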

Please let me know if you have any good ideas about securing files for your deployments.

Keith

Keith Garner is a Deployment Specialist with Xtreme Consulting Group

Comments»

1. William BORIES - April 4, 2010

Great post! I like the method: read-only folder & write-only folder.

I have just a question about the Authenticated Users group. Why do you choose to use this group instead of a dedicated service account?

And to be a psychopath, we could use a service account for read-only folders and another for write-only folders. What do you think about that?

Patrick, nice idea for the script !

2. Patrick Firestone - October 28, 2009

Great post, Keith. For those who choose to implement this through a script, it should be noted that “cacls” will ask for confirmation before applying the SDDL. For full automation in a script, you can add “echo y|” before “cacls” in the command line.

cmd /Cecho y|cacls c:\DeploymentShare\LogFiles /s…
