
Litetouch Folder Permissions October 26, 2009

Posted by keithga in MDT 2010.

I was looking the other day at the permissions of my MDT deployment share, wondering if I had the optimal settings for security and flexibility (typically security and flexibility do *not* go together…). So I did some digging, came up with a solution that works well for my Litetouch deployment, and thought I’d share.

SDDL

When dealing with security permissions, I had to dig down into the details of Security Descriptors and Security Descriptor Definition Language (SDDL) strings.

For a good tutorial on SDDL strings, go here:

http://www.washington.edu/computing/support/windows/UWdomains/SDDL.html

The advantage of SDDL strings is that they provide a good, portable way to define and apply settings. For example, you can use the cacls.exe tool included in Windows to apply a security string to an existing folder (the /S:SDDL switch replaces the folder’s ACL with the one in the string):

cacls c:\DeploymentShare\LogFiles /s:"D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;;0x100004;;;AU)"

1 – Share Security

\\<server>\DeploymentShare$

For the primary deployment share, just set the share permissions to Everyone: Full Control. If all operations against the share are read-only, Everyone: Read is enough.

Reasoning: NTFS security is more robust and granular than share-level security, so it’s better to leave the share wide open and do the real work with NTFS permissions.

2 – Most Read-Only Folders

\\<server>\DeploymentShare$\[Applications,Packages,etc…]

For most folders under \\server\distribution$, the permissions will look like this:

SDDL: D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)

  • Allow “NT AUTHORITY\SYSTEM” Full Control, This folder, subfolders, and files.
  • Allow “BUILTIN\Administrators” Full Control, This folder, subfolders, and files.
  • Allow “NT AUTHORITY\Authenticated Users” Read & Execute, This folder, subfolders, and files.

This is basic stuff; it allows administrators to perform basic maintenance, yet prevents normal users from accidentally modifying files.

3 – Most Write-Only Folders

\\<server>\DeploymentShare$\[LogFiles,MigData,Captures]

This could be things like log files, user backups, computer backups, USMT migration files, BitLocker keys?, etc.: folders where users or machines need to write to the deployment server (or any other share):

SDDL: D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;;0x100004;;;AU)

  • Allow “NT AUTHORITY\SYSTEM” Full Control, This folder, subfolders, and files.
  • Allow “BUILTIN\Administrators” Full Control, This folder, subfolders, and files.
  • Allow “CREATOR OWNER” Full Control, Subfolders, and files only.
  • Allow “NT AUTHORITY\Authenticated Users” Create folders / append data, This folder only.

Again, this gives Administrators the ability to perform all basic maintenance tasks.

The last entry, “Allow “NT AUTHORITY\Authenticated Users” Create folders / append data, This folder only”, allows users to create subfolders freely; however, it does not give anyone the right to read or write to other folders. Note that the entry applies to this folder only (no OI/CI inheritance flags), so it never propagates onto the files and subfolders that users create.

Once a user has created a folder they are its Creator Owner, and the third entry, “Allow “CREATOR OWNER” Full Control, Subfolders, and files only”, allows users to write to the directory they created, and only that directory.

It’s a way that we can allow anyone to write to the MDT deployment share without allowing them any access to other users’ folders. This is great in scenarios like User State Migration, where we wish to save a user’s state to a common public location, yet don’t wish to allow other users the ability to read those possibly sensitive files.
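To make the two SDDL strings from sections 2 and 3 easier to audit, here is a small decoder I’ve added for this post (it is not part of MDT or any Microsoft tool). It renders each ACE in the same wording as the bullet lists above and checks whether Authenticated Users can read the contents of files in the folder; it assumes plain allow ACEs only (no deny or object ACEs) and ignores group membership, so it is a sanity check, not a full effective-access calculation.

```python
import re
from functools import reduce
from operator import or_

# Well-known SID abbreviations and access-mask aliases used in the SDDL strings above.
SID_NAMES = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
             "CO": "CREATOR OWNER", "AU": "NT AUTHORITY\\Authenticated Users"}
MASK_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
MASK_NAMES = {0x1F01FF: "Full Control", 0x1200A9: "Read & Execute",
              0x100004: "Create folders / append data"}
FILE_READ_DATA = 0x1  # the access bit that allows reading a file's contents

READ_ONLY_SDDL = "D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)"  # section 2
DROP_FOLDER_SDDL = ("D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)"  # section 3
                    "(A;OICIIO;FA;;;CO)(A;;0x100004;;;AU)")

def parse_mask(token):
    """Access mask from a hex literal ('0x1200a9') or concatenated aliases ('FA', 'FRFW')."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    return reduce(or_, (MASK_ALIASES[token[i:i + 2]] for i in range(0, len(token), 2)), 0)

def scope(flags):
    """Map OI/CI/IO inheritance flags to the 'Applies to' wording of the ACL editor."""
    oi, ci, io = "OI" in flags, "CI" in flags, "IO" in flags
    if oi and ci:
        return "Subfolders and files only" if io else "This folder, subfolders, and files"
    return "This folder only" if not (oi or ci) else ("Files only" if oi else "Subfolders only")

def parse_dacl(sddl):
    """One dict per ACE in the D: section of an SDDL string (simplified: plain file ACEs only)."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sddl.split("D:", 1)[1]):
        ace_type, flags, rights, _obj, _inh, sid = body.split(";")
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        aces.append({"allow": ace_type == "A", "sid": SID_NAMES.get(sid, sid),
                     "mask": parse_mask(rights), "scope": scope(flag_set),
                     "on_files": "OI" in flag_set})  # OI: the ACE propagates onto files
    return aces

def describe(sddl):
    """Render each ACE in the same wording as the bullet lists in the post."""
    return [f"{'Allow' if a['allow'] else 'Deny'} \"{a['sid']}\" "
            f"{MASK_NAMES.get(a['mask'], hex(a['mask']))}, {a['scope']}."
            for a in parse_dacl(sddl)]

def grants_file_read(sddl, sid_name="NT AUTHORITY\\Authenticated Users"):
    """True if an allow ACE for sid_name propagates onto files and carries FILE_READ_DATA."""
    return any(a["allow"] and a["sid"] == sid_name and a["on_files"]
               and a["mask"] & FILE_READ_DATA for a in parse_dacl(sddl))
```

Calling describe(DROP_FOLDER_SDDL) reproduces the four bullets of section 3, and grants_file_read(DROP_FOLDER_SDDL) is False because the Authenticated Users ACE neither carries the read bit nor inherits onto files, whereas it is True for the read-only string.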

Please let me know if you have any good ideas about securing files for your deployments.

Keith

Keith Garner is a Deployment Specialist with Xtreme Consulting Group