This article explains how to retrieve the security settings of a file or folder so that they can be applied from a script.
The script can then be added to the package, for example as a custom action.
1. Security VBScript
To grant permissions on files or folders, the following kind of script can be used.
PackInventory = "PackageName"
DestinationLog = "C:\temp"
DestinationFolder = "C:\temp"

Set fso = CreateObject("Scripting.FileSystemObject")
Set WshShell = CreateObject("wscript.shell")
Set WshUsrEnv = WshShell.Environment("Process")

'Names of the template, log and database files (log and database paths are quoted)
InfFile = PackInventory & "-Security.inf"
LOGFILE = chr(34) & DestinationLog & "\" & PackInventory & "-Security.log" & chr(34)
EDBFILE = chr(34) & DestinationLog & "\" & PackInventory & "-Security.edb" & chr(34)

'INF file creation
Set FileCreation = fso.CreateTextFile(DestinationFolder & "\" & InfFile, True)
FileCreation.WriteLine("[Unicode]")
FileCreation.WriteLine("Unicode=yes")
FileCreation.WriteLine("[Version]")
FileCreation.WriteLine("signature=" & chr(34) & "$CHICAGO$" & chr(34))
FileCreation.WriteLine("Revision=1")
FileCreation.WriteLine("[File Security]")
'One line per object: "path",0,"security descriptor"
FileCreation.WriteLine(chr(34) & "%ProgramFiles%\Soft\Folder" & chr(34) & ",0," & chr(34) & "D:AR(A;OICI;0x1301bf;;;BU)" & chr(34))
FileCreation.WriteLine(chr(34) & "%SystemRoot%\system32\File" & chr(34) & ",0," & chr(34) & "D:AR(A;;0x1301bf;;;BU)" & chr(34))
FileCreation.Close

'INF file execution (the /CFG path is quoted so that a folder name containing spaces still works)
ExecuteInf = "secedit /configure /DB " & EDBFILE & " /CFG " & chr(34) & DestinationFolder & "\" & InfFile & chr(34) & " /areas FILESTORE /log " & LOGFILE
WshShell.Run ExecuteInf, 1, True

'INF file deletion
fso.DeleteFile(DestinationFolder & "\" & InfFile)
In this example, the “D:AR(A;OICI;0x1301bf;;;BU)” setting grants full access to all users.
The question is how to determine that setting…
2. Retrieving Security Settings
To retrieve the security settings of a file or folder, Windows Security Templates can be used.
In Windows 7, the security template INF file is the following:
“C:\Windows\inf\defltbase.inf”
- Copy defltbase.inf to a working directory (for example C:\Workdir)
- Launch the mmc console
File > Add/Remove Snap-in…
Select “Security Templates” and add it
- Right click “Security Template” > New Template Search Path… and indicate the location of the copied defltbase.inf file
- Right click “File System” > Add File…
- Select a file (it can be any file because we just want to retrieve security settings…). For example: “C:\workdir\SecurityTest.txt”
- Set the security settings, for example full access for administrators and only read access for users
Apply
OK
Select “Propagate inheritable permissions to all subfolders and files”
OK
The file appears in the list
Right click “defltbase” > Save as
Save the INF file (for example SecurityTest.inf)
- Edit the generated INF file
- In the “File Security” section, find the line corresponding to the file and retrieve the security settings.
- Copy the setting and paste it into the script.
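
Before pasting a retrieved setting into the script, it helps to confirm what the string actually grants. The following Python decoder is an added example, not part of the original article: it parses [File Security] lines and reports each ACE's trustee, permission level and access bits, and marks allow ACEs that give a broad group write-type access. The third sample line is constructed, and only hex masks and the FA/FR/FW/FX aliases are handled (an assumption of this example).

```python
import re
from functools import reduce

# Windows file access-mask bits (winnt.h values).
BITS = {0x1: "READ_DATA", 0x2: "WRITE_DATA", 0x4: "APPEND_DATA", 0x8: "READ_EA",
        0x10: "WRITE_EA", 0x20: "EXECUTE", 0x40: "DELETE_CHILD", 0x80: "READ_ATTRIBUTES",
        0x100: "WRITE_ATTRIBUTES", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
        0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
# Levels shown in the Windows permissions dialog, strongest first.
LEVELS = [(0x1F01FF, "Full control"), (0x1301BF, "Modify"),
          (0x1200A9, "Read & execute"), (0x120089, "Read")]
SIDS = {"BU": "Builtin Users", "BA": "Builtin Administrators", "SY": "Local System",
        "AU": "Authenticated Users", "WD": "Everyone", "IU": "Interactive"}
BROAD = {"BU", "AU", "WD", "IU"}   # trustees that include ordinary users
WRITE = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000   # write, append, delete, DAC, owner
LINE = re.compile(r'^"([^"]+)",(\d),"([^"]+)"$')        # "path",mode,"SDDL"
DACL = re.compile(r'D:((?:P|AR|AI)*)((?:\([^)]*\))+)')  # D:flags(ace)(ace)...

def mask_of(rights):
    """Rights field (hex or two-letter file aliases) to mask; KeyError if unsupported."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return reduce(lambda m, a: m | ALIASES[a], re.findall("..", rights), 0)

def decode_line(line):
    """Return (path, [ACE dicts]) for one [File Security] line."""
    path, _mode, sddl = LINE.match(line.strip()).groups()
    out = []
    for ace in re.findall(r"\(([^)]*)\)", DACL.search(sddl).group(2)):
        kind, inherit, rights, _, _, sid = ace.split(";")[:6]
        mask = mask_of(rights)
        out.append({"allow": kind == "A", "inherit": inherit, "mask": mask,
                    "who": SIDS.get(sid, sid),
                    "level": next((n for m, n in LEVELS if mask & m == m), "Special"),
                    "rights": [n for b, n in BITS.items() if mask & b],
                    # Allow ACE giving a broad group write-type access: check it is intended.
                    "review": kind == "A" and sid in BROAD and bool(mask & WRITE)})
    return path, out

# First two lines are the ones written by the script above; the third is constructed.
SAMPLE = [r'"%ProgramFiles%\Soft\Folder",0,"D:AR(A;OICI;0x1301bf;;;BU)"',
          r'"%SystemRoot%\system32\File",0,"D:AR(A;;0x1301bf;;;BU)"',
          r'"C:\workdir\SecurityTest.txt",0,"D:PAR(A;;FA;;;BA)(A;;FR;;;BU)"']

if __name__ == "__main__":
    for path, aces in map(decode_line, SAMPLE):
        for a in aces:
            print(path, a["who"], a["level"], hex(a["mask"]), a["review"])
```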