Conundrum
- From: John John <audetweld@xxxxxxxxxxx>
- Date: Wed, 06 Sep 2006 01:18:24 -0300
From:
http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx
[quote]
Security Settings
Myth: You Can Always Roll Back Configuration Errors with Setup security.inf
The setup security.inf template is a security template created at setup that contains the security settings configured when the OS was installed. It is commonly believed that this template can be used to roll back security settings should you make a mistake. This myth is so pervasive that there is even Microsoft documentation that makes this claim. Unfortunately, it’s not true.
Setup security.inf is just a log file. The installer does apply a template during setup: defltwk.inf on workstations and defltsvr.inf on servers. Setup security.inf never gets read at all. The installer simply writes to it when a component calls particular APIs during setup to configure security. Components that do not call those APIs do not have their settings logged. Neither do any components that are installed after setup or any settings that are configured after setup. An example may help illustrate this point.
During Windows XP setup, the installer does not create any user profiles under %systemdrive%\Documents and Settings. The installer only creates the Default User directory. You only get a profile directory when a user logs on the first time. Furthermore, that profile directory does not inherit its access control list (ACL) from the parent directory. Instead, the operating system programmatically sets the ACL when the directory is created. Since these directories are created after setup has finished, the setup security.inf file does not contain a record of the ACL. Therefore, you cannot use setup security.inf to roll back those ACLs should you happen to destroy them. And since defltwk.inf only sees use during setup, it also lacks any record of what these ACLs are supposed to be and cannot be used to roll them back.
The fact is it’s nearly impossible to roll back security settings, particularly ACLs. Theoretically, a third-party program can shim the operating system and create a record of all security changes made on it, but unless it is also written to shim object creation and deletion, such a program will be unable to fully restore security configurations. It would need all that information to calculate what settings should be made if an object were created or deleted after the last time its security was modified. This is a very difficult problem to solve and currently Windows does not support the ability to roll back security. If you accidentally make security changes that break something, the only fully supported way to undo the changes is to format and reinstall.
[end quote]
Now, we know that we can use defltwk.inf on workstations and defltsvr.inf on servers to restore Security Permissions:
http://support.microsoft.com/?kbid=266118
Or do we?
John
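
The gap the quoted article describes can be checked mechanically. The sketch below is an added example, not part of the original post or of any Microsoft tool: it parses the `[File Security]` section of a security template and reports whether a given directory is recorded in it. The template text is a constructed sample (paths and SDDL strings are illustrative), and `normalize`, `parse_file_security` and `coverage` are hypothetical helper names. A `parent-only` result is no help for a profile directory, since the article notes its ACL is set programmatically rather than inherited from the parent.

```python
import csv
import ntpath

# Constructed sample in security-template format: "path",mode,"SDDL".
# Paths and SDDL strings are illustrative, not copied from a real template.
SAMPLE_INF = r'''
[File Security]
"%SystemDrive%\Documents and Settings",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GRGX;;;BU)"
"%SystemDrive%\Documents and Settings\Default User",2,"D:P(A;CIOI;GA;;;BA)"
[Registry Keys]
"MACHINE\SOFTWARE",2,"D:P(A;CI;GA;;;BA)"
'''

def normalize(path, system_drive="C:"):
    """Expand %SystemDrive% and fold case so paths compare case-insensitively."""
    lowered = path.lower().replace("%systemdrive%", system_drive.lower())
    return ntpath.normpath(lowered)

def parse_file_security(inf_text):
    """Return {normalized path: (mode, sddl)} from the [File Security] section."""
    entries, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "file security":
            row = next(csv.reader([line]))        # handles the quoted fields
            if len(row) == 3:
                entries[normalize(row[0])] = (int(row[1]), row[2])
    return entries

def coverage(path, entries):
    """'exact' if the template records this path, 'parent-only' if only an
    ancestor is recorded, 'none' otherwise."""
    target = normalize(path)
    if target in entries:
        return "exact"
    while True:
        parent = ntpath.dirname(target)
        if parent == target:                      # reached the root
            return "none"
        if parent in entries:
            return "parent-only"
        target = parent

if __name__ == "__main__":
    recorded = parse_file_security(SAMPLE_INF)
    for p in (r"C:\Documents and Settings\Default User",
              r"C:\Documents and Settings\alice"):
        print(p, "->", coverage(p, recorded))
```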