Errors in File Security settings in Windows XP Security guide security template?

[arthg]

Does anyone have any experience using the
"optional-file-permissions" security template included with the
Windows XP Security Guide?
(http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx)
Are you getting the results you expected? I'm not.

I believe I have found some errors in the template. Some are
relatively benign, others I'm not so sure about. The benign:

In the File Security section, the entry for arp.exe is repeated:

[File Security]
"%systemRoot%\System32\arp.exe",1,"DAR(A;OIIO;FA;;;BA)(A;OIIO;FA;;;SY)"
"%systemRoot%\System32\arp.exe",1,"DAR(A;OIIO;FA;;;BA)(A;OIIO;FA;;;SY)"

I believe the intention was to include instead, regedit.exe, which is
mentioned in the documentation but is not included in the
documentation. I believe the intent was:

[File Security]
"%systemRoot%\regedit.exe",1,"DAR(A;OIIO;FA;;;BA)(A;OIIO;FA;;;SY)"
"%systemRoot%\System32\arp.exe",1,"DAR(A;OIIO;FA;;;BA)(A;OIIO;FA;;;SY)"

I call this error benign because while you don't get the expected
additional security of securing the permissions on regedit, no harm is
done and the extra arp.exe entry doesn't seem to do any harm.

The next possible error is potentially more significant. Note the
"1" above. If you view the properties using the MMC Security
Templates Snap-in, you will see that this corresponds to "Do not
allow permissions on this file or folder to be replaced". I've
spent a fair amount of time trying to understand this setting, and I
must say it is poorly documented at best. But what I will report, and
I'll spare an exhaustive report of all the testing and analysis
I've done, is that if you use the template as is, it has no effect on
file security permissions. Try it with the Security Configuration and
Analysis Snap-in.

So, I modified the template, changed the setting to "Configure this
file or folder then":

[File Security]
"%systemRoot%\System32\arp.exe",0,"DAR(A;OIIO;FA;;;BA)(A;OIIO;FA;;;SY)"

Again, I'll spare you the details but configuring a computer with
that setting seems to actually do harm. Again - try it. On a test
computer or virtual machine!

I believe that the security settings that provide the functionality
described in the documentation ("they are all given the following
permissions: Administrators: Full Control, System: Full Control")
are:

[File Security]
"%SystemRoot%\system32\arp.exe",0,"DAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"

Does anyone have any experience with this? Similar results, or am I
off track somehow?

I can provide more information if there is interest.

 

[Steven L Umbach]

It is always best to examine any security templates to see if they suit your
needs and they are meant to be more of a baseline template that can be
copied and then modified as you want. Some of the Windows 2003 Server built
in security templates disable critical services on domain controllers. While
locking down permissions on binary files in the system folder/subfolders has
merit I find that Software Restriction Policies with path and hash rules And
Group Policy restrictions such as disabling registry editing/command line
are much more effective since users can simply place files in their user
profile or on removable media to run the file. --- Steve

Does anyone have any experience using the
"optional-file-permissions" security template included with the
Windows XP Security Guide?
(http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx)
Are you getting the results you expected? I'm not.

I believe I have found some errors in the template. Some are
relatively benign, others I'm not so sure about. The benign:

In the File Security section, the entry for arp.exe is repeated:

[File Security]
"%systemRoot%\System32\arp.exe",1,"DAR(A;OIIO;FA;;;BA)(A;OIIO;FA;;;SY)"
"%systemRoot%\System32\arp.exe",1,"DAR(A;OIIO;FA;;;BA)(A;OIIO;FA;;;SY)"

I believe the intention was to include instead, regedit.exe, which is
mentioned in the documentation but is not included in the
documentation. I believe the intent was:

[File Security]
"%systemRoot%\regedit.exe",1,"DAR(A;OIIO;FA;;;BA)(A;OIIO;FA;;;SY)"
"%systemRoot%\System32\arp.exe",1,"DAR(A;OIIO;FA;;;BA)(A;OIIO;FA;;;SY)"

I call this error benign because while you don't get the expected
additional security of securing the permissions on regedit, no harm is
done and the extra arp.exe entry doesn't seem to do any harm.

The next possible error is potentially more significant. Note the
"1" above. If you view the properties using the MMC Security
Templates Snap-in, you will see that this corresponds to "Do not
allow permissions on this file or folder to be replaced". I've
spent a fair amount of time trying to understand this setting, and I
must say it is poorly documented at best. But what I will report, and
I'll spare an exhaustive report of all the testing and analysis
I've done, is that if you use the template as is, it has no effect on
file security permissions. Try it with the Security Configuration and
Analysis Snap-in.

So, I modified the template, changed the setting to "Configure this
file or folder then":

[File Security]
"%systemRoot%\System32\arp.exe",0,"DAR(A;OIIO;FA;;;BA)(A;OIIO;FA;;;SY)"

Again, I'll spare you the details but configuring a computer with
that setting seems to actually do harm. Again - try it. On a test
computer or virtual machine!

I believe that the security settings that provide the functionality
described in the documentation ("they are all given the following
permissions: Administrators: Full Control, System: Full Control")
are:

[File Security]
"%SystemRoot%\system32\arp.exe",0,"DAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"

Does anyone have any experience with this? Similar results, or am I
off track somehow?

I can provide more information if there is interest.