I have a little issue that I would like to hear your opinion on:
After we have twice been infected with malware in the hosting center, we decided to host our servers in-house.
But to avoid being infected again, we would like to make some changes regarding permissions on the local PCs:
After gathering a lot of info, I found out that malware most likely installs itself in these folders:
C:\Windows\Temp
%USERPROFILE%\Appdata\Local (Win 7/8/10/Vista)
%USERPROFILE%\Local Settings
Therefore I would like to remove the executable bit from the folder and subfolders - but is that wise - since most likely all programs are executed from %USERDATA%\AppData\Local - then no programs will run. I did try this - but couldn't start anything unless I changed it back.
After googling a lot, I found out that this script does most of it, but I am still having issues with ending up with all files not being executable ???
# Get the ACL for an existing folder For $Users
$existingAcl = Get-Acl -Path 'C:\Windows\Temp'
# Set the permissions that you want to apply to the folder
$permissions = $env:username, 'ExecuteFile', 'ContainerInherit,ObjectInherit', 'None', 'Deny'
# Create a new FileSystemAccessRule object
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permissions
# Modify the existing ACL to include the new rule
$existingAcl.SetAccessRule($rule)
# Apply the modified access rule to the folder
$existingAcl | Set-Acl -Path 'C:\Windows\Temp'
Can someone point me the right way, or tell me if this is no good and will destroy more than it solves?
Thanks in advance
P
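The script above writes a Deny-ExecuteFile ACE for one user onto one folder. The following is an added example, not code from the original post: it applies the same kind of ACE to a group (BUILTIN\Users, which also contains the administrators) so it covers every interactive account, and adds a check and a rollback, both of which are what you want before pushing a deny rule to a fleet. The path and the group are placeholders chosen for this example; it is meant for scratch folders such as C:\Windows\Temp, not for AppData\Local, where the user's own installed programs live. Run it from an elevated prompt.

```powershell
# Added example (not from the original post): apply, verify and remove a
# Deny-ExecuteFile ACE on a folder for a group. Placeholders: $Path, $Identity.

$ExecuteFile = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

function New-DenyExecuteRule {
    param([string]$Identity)
    # ContainerInherit + ObjectInherit: new subfolders and files inherit the ACE,
    # so anything dropped into the folder later is covered as well.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $ExecuteFile, 'ContainerInherit,ObjectInherit', 'None', 'Deny')
}

function Add-DenyExecute {
    param([Parameter(Mandatory)][string]$Path, [string]$Identity = 'BUILTIN\Users')
    $acl = Get-Acl -LiteralPath $Path
    # AddAccessRule merges with the existing ACEs; SetAccessRule would replace
    # every other Deny ACE this identity already has on the object.
    $acl.AddAccessRule((New-DenyExecuteRule $Identity))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Remove-DenyExecute {
    param([Parameter(Mandatory)][string]$Path, [string]$Identity = 'BUILTIN\Users')
    $acl = Get-Acl -LiteralPath $Path
    # RemoveAccessRule matches on identity, type and rights, so rebuilding the
    # same rule object is enough to take the ACE away again.
    [void]$acl.RemoveAccessRule((New-DenyExecuteRule $Identity))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-DenyExecute {
    # True when the object carries its own (non-inherited) Deny ACE for the
    # identity that includes ExecuteFile.
    param([Parameter(Mandatory)][string]$Path, [string]$Identity = 'BUILTIN\Users')
    $acl = Get-Acl -LiteralPath $Path
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        -not $_.IsInherited -and
        $_.IdentityReference.Value -eq $Identity -and
        ($_.FileSystemRights -band $ExecuteFile) -eq $ExecuteFile
    })
}

# Usage: apply to the scratch folder, confirm the ACE is there, and undo it
Add-DenyExecute -Path 'C:\Windows\Temp'
Test-DenyExecute -Path 'C:\Windows\Temp'      # True once the ACE is in place
Remove-DenyExecute -Path 'C:\Windows\Temp'
Test-DenyExecute -Path 'C:\Windows\Temp'      # False again
```

Seeing every file under the folder lose execute is the intended effect of the rule; the programs that stop starting are the ones under AppData\Local, which is why the rule belongs on Temp-style folders only. Two limits worth knowing: the ACE stops CreateProcess on files under the folder, but not an interpreter that merely reads a script from there, and on directories the same bit is "Traverse folder", which is normally harmless because users hold the bypass-traverse-checking privilege.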
I'm writing a script to automate the deployment of my platform but I can't figure out how to set an app pool to have the permissions with the code I have below; it just inserts the text below with the app pool name. I assume this is because this is a friendly name and when you click "check names" normally it will fetch the correct user, but I can't figure out how to do this in PowerShell.
function Set_iis_perms {
    param (
        [parameter(position=0)]
        $AppPoolName,
        [parameter(position=1)]
        $FileName
    )
    $acl = Get-Acl $FileName
    # The identity is built from the $AppPoolName parameter declared above
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(("iis apppool\$AppPoolName"),"Modify","Allow")))
    $acl | Set-Acl $FileName
}
Even if someone can point me in the right direction I would be most thankful.
Kind Regards
Dom
Setting ACLs via Get-Acl/Set-Acl and icacls is a really common thing and covered in many resources. Example(s):
Setting ACL on folder or file using PowerShell
This script will set folder permission on a folder (c:\1 and C:2) and its sub folder. If the folder does not exist, it will create the folder, set as shared and add the groups to the folder. Group_Name has to be replaced with Actual Group.
Application Pool Identities
Setting permissions for ASP.NET application on IIS with
PowerShell
As per this StackOverflow Q&A, "How can I add ACL permissions for IIS APPPOOL* accounts via Powershell?":
Set-Acl $directory $acl
$user = New-Object System.Security.Principal.NTAccount("$domain\\$username")
UPDATE: Seems that it won't accept the "IIS APPPOOL\AppPoolName" as an NTAccount identifier. Now, there are two ways to accomplish what you are trying to do:
1. Create a new SID object with the AppPoolIdentities SID and translate it into an NTAccount, like this: http://iformattable.blogspot.com/2007/12/convert-sid-to-ntaccount-with.html, and you should be able to treat it like any other NTAccount object. If you still want to be able to pass domain/usernames for real accounts, build in some simple logic that defaults to the AppPool SID if username is "AweSomeAppPool" and domain is empty, just as an example.
2. Use PowerShell to invoke icacls.exe, and use it to grant/revoke whatever permissions you want, like this (first normal icacls from command prompt, then powershell, notice the difference):
icacls.exe test.txt /grant "IIS AppPool\DefaultAppPool":(OI)(CI)M
cmd /c icacls test.txt /grant "IIS AppPool\DefaultAppPool:(OI)(CI)M"
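Both routes in the quoted answer come down to getting a SID for the application pool identity rather than a display name. The block below is an added example (not code from the answer above, nor from the linked posts) that does that in one place: it tries the normal NTAccount translation first, falls back to deriving the S-1-5-82 SID from the pool name, and then writes a Modify ACE keyed by SID so the file server never has to resolve a friendly name. It assumes IIS is installed on the host; $AppPoolName and $Path are placeholders. The derivation in the fallback (SHA-1 of the upper-cased, UTF-16LE pool name read as five little-endian 32-bit values) is the scheme IIS uses for virtual app pool accounts as this example's author understands it, not something the page states, which is why the translation path is preferred whenever it works.

```powershell
# Added example (not from the original answer). Resolve an IIS app pool
# identity to a SID and grant it Modify on a folder. Placeholders: $AppPoolName, $Path.

function Get-AppPoolSid {
    param([Parameter(Mandatory)][string]$AppPoolName)
    try {
        # Normal route: let Windows translate "IIS AppPool\<name>" (works where IIS is installed)
        $acct = New-Object System.Security.Principal.NTAccount('IIS AppPool', $AppPoolName)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Fallback (assumed derivation): S-1-5-82 + SHA-1 of the upper-cased
        # UTF-16LE pool name, split into five little-endian UInt32 sub-authorities
        $bytes = [System.Text.Encoding]::Unicode.GetBytes($AppPoolName.ToUpperInvariant())
        $hash  = [System.Security.Cryptography.SHA1]::Create().ComputeHash($bytes)
        $subs  = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
        return New-Object System.Security.Principal.SecurityIdentifier -ArgumentList ('S-1-5-82-' + ($subs -join '-'))
    }
}

function Grant-AppPoolModify {
    param(
        [Parameter(Mandatory)][string]$AppPoolName,
        [Parameter(Mandatory)][string]$Path
    )
    $sid = Get-AppPoolSid -AppPoolName $AppPoolName
    $acl = Get-Acl -LiteralPath $Path
    # A SecurityIdentifier is an IdentityReference, so the rule is written by SID.
    # Modify (not FullControl): the pool can read, write and delete content but
    # cannot change permissions or ownership of the folder.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    # Return the ACE as stored; the IdentityReference should now read "IIS AppPool\<name>"
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq "IIS AppPool\$AppPoolName"
    }
}

# Usage
Grant-AppPoolModify -AppPoolName 'DefaultAppPool' -Path 'C:\inetpub\wwwroot\MyApp\App_Data'
```

Scope the grant to the folders the application actually writes to (App_Data, an upload directory), not to the whole site root, so a compromised worker process cannot rewrite the site's own code.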
I currently have to change permissions for all local users on cmd.exe.
So far I have taken ownership of the file and changed the permissions the way I need them.
My problem is that I can't figure out how to give the ownership back to TrustedInstaller.
Below you can see the code I have worked out so far. It changes the permissions and throws no errors, but after the script has run the owner is still set to System.
I am using the PowerShell App Deployment Toolkit and the script was executed as the system user.
Any help is appreciated. If there are other (better) ways of changing permissions in the Windows folder, please let me know as well.
# Record the current owner before taking ownership
$acl_old = Get-Acl "$envSystem32Directory\cmd.exe"
$owner_old = $acl_old.Owner
Execute-Process -Path "takeown.exe" -Parameters "/f C:\windows\system32\cmd.exe"
Execute-Process -Path "icacls.exe" -Parameters "$envSystem32Directory\cmd.exe /grant:r *S-1-2-0:(RX)"
# Re-read the ACL and try to hand ownership back to the recorded owner
$new_permission = Get-Acl "$envSystem32Directory\cmd.exe"
$new_owner_object = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "$owner_old"
$new_permission.SetOwner($new_owner_object)
Set-Acl -Path "$envSystem32Directory\cmd.exe" -AclObject $new_permission
I found a solution. Mine and boxdog's code are working, but it wasn't complete. In order to be able to restore TrustedInstaller as the owner, some DLL and privileges have to be loaded.
If anyone else is having this issue, here is a solution. After adding the DLL load and privileges to my script it is working.
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/87679d43-04d5-4894-b35b-f37a6f5558cb/solved-how-to-take-ownership-and-change-permissions-for-blocked-files-and-folders-in-powershell
Hey guys, I'm trying to rename ActionCenter.dll via our software deployment software. In order to do that I have to take ownership of the file. By default it's owned by TrustedInstaller.
The software runs the scripts as a local user "baraInstLocal". The user seems to be deactivated when an installation is not running.
# Take ownership, then grant the deployment account Full Control before renaming
takeown.exe /F "C:\Windows\System32\ActionCenter.dll"
$Acl = Get-Acl "C:\Windows\System32\ActionCenter.dll"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("baraInstLocal","FullControl","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "C:\Windows\System32\ActionCenter.dll" $Acl
# Rename-Item takes the new name only, not a full path
Rename-Item "C:\Windows\System32\ActionCenter.dll" "ActionCenter.dll.backup"
When I run this I either get permission denied or file not found. It seems to be a problem because it is in the Windows folder. Running PowerShell as admin didn't help.
Is there a way to do it?
I have been searching for quite some time and I can't seem to find anything close.
I am working on automating our VMs for our DEV & QA departments using vCAC.
I have reached the point that during VM creation a folder with the project's name is created under the department (for example DEV\Upgrade1).
The problem starts when the DEV guys decide to delete the whole project and start over.
I am left with a lot of empty folders throughout the VC server and I was wondering if there is a PowerCLI script I can run daily to check if there are any empty folders (with no VMs) inside and delete them if they exist.
It's a tricky issue because I found I can use Remove-Folder but only if I give its name, which I don't know,
and I don't want to delete folders with VMs inside.
Can anyone help me?
Thanks
If you're already connected to your server and in PowerCLI, run this.
$folders = Get-Folder
foreach ($folder in $folders) {
    # Get-VM -Location recurses, so a folder counts as empty only when no VM sits anywhere beneath it
    if (@(Get-VM -Location $folder).Count -eq 0) {
        Remove-Folder -Folder $folder -Confirm:$false
    }
}
Drop a -Location $datacenter onto the first Get-Folder if you want to isolate.
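The loop above deletes anything Get-VM reports as empty, which misses two things a daily job should care about: templates and vApps are not returned by Get-VM, so a folder holding only templates looks empty, and a folder walk across the whole inventory will also try the built-in folders. The following is an added example, not part of the answer above, that limits the scan to the project folders directly under a department folder (DEV or QA as named in the question), treats templates and vApps as inventory, and only deletes when asked. It assumes an existing Connect-VIServer session, that the department folder name is unique in the inventory, and PowerCLI's Get-Folder, Get-VM, Get-Template, Get-VApp and Remove-Folder cmdlets.

```powershell
# Added example (not from the answer above). Report, and optionally delete, empty
# project folders under a department folder. Assumes a live Connect-VIServer session.

function Test-FolderHoldsInventory {
    param([Parameter(Mandatory)]$Folder)
    # All three cmdlets recurse with -Location, so nested content is counted too.
    $vms       = @(Get-VM       -Location $Folder -ErrorAction SilentlyContinue)
    $templates = @(Get-Template -Location $Folder -ErrorAction SilentlyContinue)
    $vapps     = @(Get-VApp     -Location $Folder -ErrorAction SilentlyContinue)
    return ($vms.Count + $templates.Count + $vapps.Count) -gt 0
}

function Remove-EmptyProjectFolder {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$DepartmentFolder,   # e.g. 'DEV' or 'QA'
        [switch]$Delete                                     # without it, only report
    )
    # -Type VM keeps this to the VM-and-template folder tree; -ErrorAction Stop
    # aborts if the department folder is missing rather than scanning nothing.
    $root = Get-Folder -Name $DepartmentFolder -Type VM -ErrorAction Stop

    # Only the direct children, i.e. the per-project folders created at provisioning
    foreach ($project in Get-Folder -Location $root -Type VM -NoRecursion) {
        if (Test-FolderHoldsInventory -Folder $project) {
            Write-Verbose "Keeping $DepartmentFolder\$($project.Name): still holds inventory"
            continue
        }
        if ($Delete -and $PSCmdlet.ShouldProcess("$DepartmentFolder\$($project.Name)", 'Remove empty project folder')) {
            Remove-Folder -Folder $project -Confirm:$false
            [pscustomobject]@{ Folder = $project.Name; Action = 'deleted' }
        } else {
            [pscustomobject]@{ Folder = $project.Name; Action = 'would delete' }
        }
    }
}

# Usage: dry run first, then the scheduled run with deletion enabled
Remove-EmptyProjectFolder -DepartmentFolder 'DEV'
Remove-EmptyProjectFolder -DepartmentFolder 'DEV' -Delete -Verbose
```

Because the function supports ShouldProcess, `-WhatIf` also works on the deleting call, and the report objects it emits can be written to a log so the daily job leaves a record of what it removed.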
I'm playing with some PowerShell code to dynamically generate AD security groups and then apply them to folders on a network share, but having issues with resolving the newly created group.
Consider this:
Import-Module ActiveDirectory
for ($i = 0; $i -lt 10; $i++) {
    $group = New-ADGroup -Path "OU=Groups,OU=Department,DC=Domain,DC=Network" -Name "z-test-group-$i" -GroupScope DomainLocal -GroupCategory Security -PassThru
    $acl = Get-Acl C:\Temp
    $permission = $group.SID,"FullControl","Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl C:\Temp
}
Which works fine.
However, if I change the folder to a network folder, such as G:\Temp, or \\domain.network\DFS\GroupShare\Temp, I get a 'Method failed with unexpected error code 1337'.
I tried using SetACL.exe and received a similar error:
C:\Temp\SetACL.exe -on "\\domain.network\dfs\GroupShare\Temp" -ot file -actn ace -ace "n:$GroupSID;p:full;s:y"
SetACL finished with error(s):
SetACL error message: The call to SetNamedSecurityInfo () failed
Operating system error message: The security ID structure is invalid.
INFORMATION: Processing ACL of: <\\?\UNC\domain.network\dfs\GroupShare\Temp>
If I wait say 10 to 20 seconds, and run the Set-ACL (or SetACL.exe) portion of the code again, it completes successfully.
At first I thought this was related directly to the domain controllers (4 of them which are a mix of 2003 and 2008 R2), but the fact that it worked fine on local folders was intriguing (and annoying).
I did a Wireshark trace during the execution of the code on a local folder and then a network folder. The main difference is when trying to apply the ACLs to the network folder I see LDAP lookups and (amongst other things) the following SMB response:
NT Trans Response, FID: 0x0040, NT SET SECURITY DESC, Error: STATUS_INVALID_SID
Which I assume is what causes my Set-ACL command to fail.
The underlying network filesystem is EMC Celerra 6.0.xx. I am very unfamiliar with this technology, however from what I understand it holds some kind of SID cache which would explain the above error (it doesn't yet know of the new group even though AD does).
So I guess there are two questions:
1. Is there any way around this (PowerShell/C# etc.) that doesn't involve sleeping/waiting? I.e., set the ACL even though the SID is invalid?
2. If EMC Celerra is the issue (I assume it is), is there any way I can force it to update its 'SID cache' or whatever it may be?
I have read various articles about this issue, but none seem to have an effective resolution (or work for me).
Thanks for your help.
Rhys.
If the issue is just the delay involved in waiting for the cache to update blocking other work the script needs to be doing, you could ship that off to a background job and let your main script go on to other things.
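One way to do what this answer suggests, as an added example that is not code from the answer or the question: the ACL write runs in a background job that retries while the file server still reports the SID as invalid, and the provisioning loop carries on creating groups. It assumes $group comes from New-ADGroup -PassThru as in the question and that the share path is a placeholder; the SID is passed into the job as a string because the job runs in its own runspace.

```powershell
# Added example (not from the answer above). Queue an ACL write as a background
# job with bounded retries so the main script is not blocked by the SID cache delay.

function Start-AclApplyJob {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Sid,       # e.g. $group.SID.Value
        [string]$Rights = 'Modify',               # the question used FullControl; Modify is usually enough
        [int]$MaxAttempts = 12,
        [int]$DelaySeconds = 5
    )
    Start-Job -Name "acl:$Path" -ArgumentList $Path, $Sid, $Rights, $MaxAttempts, $DelaySeconds -ScriptBlock {
        param($Path, $Sid, $Rights, $MaxAttempts, $DelaySeconds)
        $identity = New-Object System.Security.Principal.SecurityIdentifier $Sid
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
            try {
                $acl = Get-Acl -LiteralPath $Path
                $acl.AddAccessRule($rule)
                # -ErrorAction Stop turns the "error code 1337" (STATUS_INVALID_SID) failure
                # into a terminating error so the catch block sees it
                Set-Acl -LiteralPath $Path -AclObject $acl -ErrorAction Stop
                return [pscustomobject]@{ Path = $Path; Sid = $Sid; Attempts = $attempt; Succeeded = $true; Error = $null }
            } catch {
                if ($attempt -eq $MaxAttempts) {
                    return [pscustomobject]@{ Path = $Path; Sid = $Sid; Attempts = $attempt; Succeeded = $false; Error = $_.Exception.Message }
                }
                Start-Sleep -Seconds $DelaySeconds
            }
        }
    }
}

# Usage: the loop returns immediately after each group; results are gathered at the end
Import-Module ActiveDirectory
$jobs = foreach ($i in 0..9) {
    $group = New-ADGroup -Path "OU=Groups,OU=Department,DC=Domain,DC=Network" -Name "z-test-group-$i" -GroupScope DomainLocal -GroupCategory Security -PassThru
    Start-AclApplyJob -Path "\\domain.network\DFS\GroupShare\Temp$i" -Sid $group.SID.Value
}
# ... other provisioning work here ...
$results = $jobs | Wait-Job | Receive-Job
$results | Where-Object { -not $_.Succeeded }      # anything still failing after all retries
```

The bounded retry matters: a job that loops forever hides a real problem (a typo in the share path, a group that was not created) behind what looks like the usual cache delay, whereas a failure object after twelve attempts lands in the run's output where it can be reviewed.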
Figured it out!
Modified the acl.mappingErrorAction on our EMC Celerra NAS.
Was set to 0, updated it to 1.
server_param server_2 -facility cifs -modify acl.mappingErrorAction -value 1
Now we have no issues in setting the newly created security group into the ACLs for the folder on a network share (no delays).
Info: acl.mappingErrorAction
Defines the rules for unknown mapping between security, user, and group identifiers (SID/UID/GID) on ACL settings.
Two kinds of errors might occur:
The SID set in the ACL is unknown to the domain controllers being used.
The username is not yet mapped to a UID/GID.
The bit list consists of four binary bits (bits 0 through 3, right to left). Each bit is 1 when set; otherwise 0.
Bit 0 (0001 or +1): Store unknown SID.
Bit 1 (0010 or +2): Store SID with no UNIX mapping.
Bit 2 (0100 or +4): Enable debug traces.
Bit 3 (1000 or +8): Do lookup only in cache (secmap or global SID cache or per connection SID cache).
Values: 0 – 15
Default: 0
Seems obvious enough now that I understand more about the underlying CIFS/ACL settings on the NAS than I ever wanted to know.
Rhys.