
Setting Access Control Rights for Users on Files/Folders/Registry Using Secedit & Wise Package Studio

Created: 29 Dec 2008 • Updated: 29 Dec 2008 | 5 comments

User permissions (access control rights) on files, folders and registry keys can be set in different ways. This article is a step-by-step guide to setting access control rights for users on files, folders and registry keys using Secedit, and it also covers how to implement those access control rights for users with Wise Package Studio (WPS).

Introduction

The Secedit.exe tool is useful when you need to configure security on multiple computers. You can call the Secedit.exe tool at a command prompt, from a batch file/VBScript, or from the automatic task scheduler to automatically create and apply templates. You can also run it dynamically from a command prompt. The scripts that are provided with this guide use the Secedit.exe tool to merge and apply local policy to client computers.

  • Secedit.exe. Secedit.exe is a command-line version of the Security Configuration and Analysis snap-in. It allows security configuration and analysis to be performed without a graphical user interface (GUI).
  • Security Templates snap-in. The Security Templates snap-in is a stand-alone Microsoft Management Console (MMC) snap-in that allows the creation of a text-based template file that contains security settings for all security areas.
  • Security Configuration and Analysis snap-in. The Security Configuration and Analysis snap-in is a stand-alone MMC snap-in that can configure or analyze Windows 2000 operating system security. Its operation is based on the contents of a security template that was created using the Security Templates snap-in.

Creating Custom Templates

You can use the MMC Security Templates snap-in to define security settings in the templates, which you can then apply to a local computer. The following steps were performed to create the Standalone-EC-Account.inf and Standalone-SSLF-Account.inf templates by using the policy settings from the Account Policy tables.

On the Start menu, click Run, type mmc, and then click OK.

On the File menu, click New to create a new console.

On the File menu, click Add/Remove Snap-in.

Then click the Stand-alone tab in the Add/Remove snap-in properties dialog box and click Add.

Click Security Templates, then click Add.

Select Security Configuration and Analysis, click Add.

Click Close.

Click OK.

Open Security Templates.

Click the + next to Security Templates in the left pane to expand it.

Click the + next to C:\WINDOWS\security\templates to expand it.

Right-click C:\WINDOWS\security\templates and then click New Template.

In the Template name text box, type the name for your new security template.

It is best to give the template the same name as the application being packaged.

Note: Application Name is the application that is being packaged using Wise Package Studio.

Template name: Application Name.inf

In the Description text box, type a description of your new security template, and then click OK.

In the console tree, double-click the new security template to display the security areas and then navigate until the policy setting you want to configure displays in the details pane.

Right-click File System and click Add File (for file/folder permissions).

Select Folder/File to set Permissions and then click OK.

Here I want to give Modify access to Users on the installation directory, so I am selecting "C:\Program Files\Application Name".

Select the group or user name for which you want to set the required access permissions.

Set the required access permissions by checking the check box.

I want to give Modify access to Users on the installation directory "C:\Program Files\Application Name".

Click OK to close the dialog.

Select Replace existing permissions on all subfolders and files with inheritable permissions.

Click OK to close the dialog.

Note: We will overwrite existing permissions, so make sure all permissions are set correctly.

After you define permissions for a file system or registry object, the Security Configuration Tool Set asks you how the object's children should be configured.

If you select Propagate inheritable permissions to all subfolders and files, normal Windows ACL inheritance procedures are in effect. Specifically, any inherited permissions on child objects are adjusted according to the new permissions defined for this parent. Any explicit access control entry (ACE) defined for a child object remains unchanged.

If you select Replace existing permission on all subfolders and files with inheritable permissions, all explicit ACEs for all child objects (which are not otherwise listed in the template) are removed, and all child objects are set to inherit the inheritable permissions defined for this parent.

"%ProgramFiles%\ApplicationName" is now listed under File System objects.

Right-click Registry and click Add Key (for registry permissions).

Now select the key to which you want to give permissions; navigate to its location by clicking the + symbols. (If you want to give permissions under HKCU, give them to USERS in the MMC.)

Select Registry entries to set Permissions and then click OK.

Select the group or user name for which you want to set the required access permissions.

Set the required access permissions by checking the check box.

Note: We will overwrite existing permissions, so make sure all permissions are set correctly.

Select Replace existing permissions on all subfolders and files with inheritable permissions.

Click OK to close the dialog.

The registry key is now listed under Registry objects.

Now select Application Name.inf and Right-click on it; select Save.

This process creates a Security template (.inf) file with the security settings.

Security Configuration and Analysis

Creating a Security Database

To automate the process of importing security settings on a stand-alone client computer, you must create a reference database to write to the local security settings. The baseline database is created with the MMC Security Configuration and Analysis snap-in.

The following steps are used to create the Security database (.sdb file). The database uses the ApplicationName.inf file as the template to establish the settings for the stand-alone client computer.

Right-click the Security Configuration and Analysis scope item.

Click Open Database.

Navigate to %WindowsFolder%\security\database (C:\Windows\security\database)

Type a new database name (ApplicationName.sdb), and then click Open.

Select a security template (.inf file) to import.

Navigate to "C:\Windows\security\templates"

Select a security template (Application name.inf file) to import, and then click Open.

In the File menu, click Save As to save your MMC console window.

Choose a location and file name and click Save and Yes.

Note: Saving the MMC console is optional; it is up to the user whether to save it.

This process creates a database file with the security settings that will be used in the automation process. The custom scripts will be used to configure the database, which will configure the local security settings.

Once both files are ready, use a VBScript or batch file to apply the settings from the newly created security configuration files.

Implementing Access Control Rights for users, using Wise Package Studio (WPS)

Start Wise Package Studio, then open Installation Expert.

Click on the File tab/page.

Create the folder structure WINDOWS\security\Database on the Destination Computer (in the application being packaged) if it doesn't exist.

Add the .sdb file (ApplicationName.sdb) created in the steps above to the WINDOWS\security\Database folder on the Destination Computer.

In the Installation Expert, click on the INI File tab/page.

Create the folder structure WINDOWS\security\templates on the Destination Computer (in the application being packaged) if it doesn't exist.

Select the templates folder on the Destination Computer.

Right-click templates and click New File.

The following dialog will appear:

INI File Name: the name of the .inf file (ApplicationName.INF) created in the steps above.

INI Settings: copy the contents of the "C:\WINDOWS\security\templates\ApplicationName.INF" file into INI Settings.

Change the following sections of the .inf as shown below:

[Registry Keys]
"USER\SOFTWARE\ApplicationName",2,"D:(A;CI;GA;;;WD)"

[File Security]
"%SystemDrive%\Program Files\ApplicationName",2,"D:AR(A;OICI;FA;;;BU)"

becomes

[Registry Keys]
"USER\SOFTWARE\ApplicationName",2,"D:(A;CI;GA;;;WD)" = 0

[File Security]
[INSTALLDIR],2,"D:AR(A;OICI;FA;;;BU)" = 0

Use [INSTALLDIR] when permissions are to be given to the installation directory. If a particular component is selected instead, use:

[File Security]
[$componentName],2,"D:AR(A;OICI;FA;;;BU)" = 0

where 'componentName' is the name of the component whose directory is the same as "%SystemDrive%\Program Files\ApplicationName\myfolder".
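Before a package stamps these DACL strings onto every client, it is worth decoding what they actually grant: FA and GA are full control (including the right to rewrite the ACL), not the Modify access the steps above aimed for. The following decoder for the SDDL subset used in [File Security] and [Registry Keys] lines is an added example, not code from the article, secedit or Wise Package Studio; the 0x1301bf Modify mask line is a constructed contrast, and the "broad group gets full control" warning is my own least-privilege check.

```python
import re
# Token tables for the SDDL subset that secedit templates use.
ACE_TYPES = {"A": "allow", "D": "deny"}
ACE_FLAGS = {"OI": "object inherit (files)", "CI": "container inherit (folders/subkeys)",
             "IO": "inherit only", "ID": "inherited from parent"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
          "FA": "FILE_ALL_ACCESS (full control)", "FR": "FILE_GENERIC_READ", "KA": "KEY_ALL_ACCESS"}
HEX_MASKS = {"0x1301bf": "Modify"}  # access mask the snap-in writes for the Modify permission set
TRUSTEES = {"WD": "Everyone", "BU": "BUILTIN\\Users", "BA": "BUILTIN\\Administrators",
            "SY": "NT AUTHORITY\\SYSTEM", "AU": "Authenticated Users", "CO": "CREATOR OWNER"}
BROAD = {"WD", "BU", "AU"}   # groups that contain every ordinary user
FULL = {"GA", "FA", "KA"}    # rights that also let the holder rewrite the ACL

def _pairs(s):
    """Split a run of two-letter codes such as 'OICI' into ['OI', 'CI']."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def _ctrl_flags(s):
    """Parse DACL control flags: P (protected), AR (auto-inherit requested), AI (auto-inherited)."""
    if not re.fullmatch(r"(?:AR|AI|P)*", s):
        raise ValueError("unknown DACL control flag in %r" % s)
    return re.findall(r"AR|AI|P", s)

def parse_ace(body):
    """Decode one 'type;flags;rights;object_guid;inherit_guid;sid' ACE body."""
    parts = body.split(";")
    if len(parts) != 6:
        raise ValueError("ACE needs 6 fields: %r" % body)
    ace_type, flags, rights, _obj, _inh, sid = parts
    named = ([HEX_MASKS.get(rights.lower(), rights)] if rights.lower().startswith("0x")
             else [RIGHTS.get(r, r) for r in _pairs(rights)])
    risky = ace_type == "A" and sid in BROAD and bool(FULL & set(_pairs(rights)))
    return {"type": ACE_TYPES.get(ace_type, ace_type),
            "flags": [ACE_FLAGS.get(f, f) for f in _pairs(flags)],
            "rights": named, "trustee": TRUSTEES.get(sid, sid), "broad_full_control": risky}

def decode_dacl(sddl):
    """Decode a DACL-only SDDL string ('D:...') from a [File Security] or [Registry Keys] line."""
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if not m:
        raise ValueError("not a DACL-only SDDL string: %r" % sddl)
    aces = [parse_ace(b) for b in re.findall(r"\(([^()]*)\)", m.group(2))]
    warnings = ["%s gets full control" % a["trustee"] for a in aces if a["broad_full_control"]]
    return {"control": _ctrl_flags(m.group(1)), "aces": aces, "warnings": warnings}

if __name__ == "__main__":
    # Constructed inputs: the article's two DACLs plus a Modify-only alternative for contrast.
    for s in ("D:AR(A;OICI;FA;;;BU)", "D:(A;CI;GA;;;WD)", "D:AR(A;OICI;0x1301bf;;;BU)"):
        print(s, "->", decode_dacl(s))
```

Running it shows both article DACLs trigger the full-control warning while the 0x1301bf line does not; a Modify-only template line keeps users from changing the ACL you just applied.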

Note: Make sure that there are no hard coded entries in the .inf file.

Click OK once finished.

Open MSI Script.

Select the Execute Deferred tab.

In the Installation Sequence window, click just above InstallFinalize; this ensures that the new custom action is added just before InstallFinalize.

In MSI Script, click Execute Program From Installation.

The following window will appear. Add the following information:

Custom Action Name: give the custom action a proper name as per your standards.

Executable File: [SystemFolder]secedit.exe (i.e. browse for "C:\WINDOWS\system32\secedit.exe")

Command Line Arguments: select one of the following, based on the case:

  1. For file permissions
    /configure /DB [\"][WindowsFolder]security\database\ApplicationName.sdb[\"] /cfg [\"][WindowsFolder]security\templates\ApplicationName.inf[\"] /areas FILESTORE
  2. For registry permissions
    /configure /DB [\"][WindowsFolder]security\database\ApplicationName.sdb[\"] /cfg [\"][WindowsFolder]security\templates\ApplicationName.inf[\"] /areas REGKEYS
  3. For both file and registry permissions
    /configure /DB [\"][WindowsFolder]security\database\ApplicationName.sdb[\"] /cfg [\"][WindowsFolder]security\templates\ApplicationName.inf[\"] /areas FILESTORE REGKEYS

Click OK to finish.

Now navigate to Installation Mode and select All Custom Actions.

Double-click the Custom Action Name just created.

The following window will appear:

Select the Location tab.

Ensure that the position of the new custom action is just above InstallFinalize.

Enter the Condition NOT REMOVE~="ALL" (this ensures that the custom action is called only during application installation and repair, not during uninstallation).

Click OK to finish.

This process is used to automate setting access control rights for users as desired using Wise Package Studio.

Note: Secedit Syntax

Secedit /configure /db <FileName> [/cfg <FileName>] [/overwrite][/areas <Area1> <Area2> ...][/log <FileName>] [/quiet]

The following list explains the parameters of the Secedit.exe tool.

  • /db <FileName> - Specifies the database that is used to perform the security configuration.
  • /cfg <FileName> - Specifies a security template to import into the database before the computer is configured. Security templates are created using the Security Templates snap-in.
  • /overwrite - Specifies that the database should be emptied before the security template is imported. If this parameter is not specified, the policy settings in the security template will accumulate in the database. If this parameter is not specified and policy settings in the template you wish to import conflict with existing policy settings in the database, the settings in the template will apply.
  • /areas <Area1> <Area2> - Specifies the security areas to be applied to the system. If this parameter is not specified, all security policy settings that are defined in the database are applied to the system. To configure multiple areas, separate each area with a space.

Thanks,
Sid

Comments

venkateshkumarn

Hi,

This is a good post. Can you let me know whether this method will work for other language versions of the Windows OS, like German, French, etc.? I have tried installing the above-mentioned MSI on German-language Windows XP, but it is not working; it gives an error like "Problem with Windows Installer package". The same package works fine on the English version of Windows XP.

Thanks

piyushnasa

A similar post has been posted before.
https://www-secure.symantec.com/community/article/...
There are some other methods of giving permissions too.

Piyush Nasa Altiris Certified Professional (ACP)

http://msiworld.blogspot.com/

LOGRM

Thanks, Siddram, for explaining things in detail. I found it very useful :-)
