Archived from groups: microsoft.public.win2000.security (
More info?)
Well, it was actually setacl that I was thinking about
http://setacl.sourceforge.net/
--
Roger
"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:M1eod.548599$mD.183209@attbi_s02...
> Hi Roger.
>
> I don't think NTrights can change service permissions but subinacls can
for
> sure. I did post once that NTrights could do such but was in error I
> believe. Maybe you read my erroneous post or you know something I don't
> about NTrights? --- Steve
>
>
http://tinyurl.com/62xcz -- link to my past post.
>
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:u%23AommA0EHA.3588@TK2MSFTNGP14.phx.gbl...
> > Hi Rick,
> >
> > I used to think that the most direct until someone pointed out
> > to me the NTrights.exe can alter ACL on services.
> >
> > --
> > Roger Abell
> >
> > "Rick Kingslan [MS MVP]" <rkingsla.cox.net@127.0.0.1> wrote in message
> > news:O6LxCUrzEHA.3488@TK2MSFTNGP10.phx.gbl...
> >> Steve gives you some good pointers. One other thing that you might
want
> > to
> >> look into is the Security Configuration and Analysis Tool. This tool,
> >> loaded with the proper template, will allow you to change the
permissions
> > on
> >> the actual services themselves. This is one of the few ways to change
> >> permissions on services, and by far the easiest.
> >>
> >> CAUTION!! This procedure, though easy, is still very dangerous. You
can
> >> quite easily render your system in a state that you did not intend. Be
> > very
> >> certain that you have a good understanding of what is happening and
what
> > you
> >> are doing before you embark on this.
> >>
> >>
> >
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/windows/xp/all/reskit/en-us/prdd_sec_fovn.asp
> >>
> >>
> >
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scmwhatis.mspx
> >>
> >> What you need to do is a bit complicated.
> >>
> >> 1. Start > Run > Cmd, then type MMC
> >> 2. In the MMC Console, File > Add/Remove Snap-In > Add, Select
> >> 'Security
> >> Configuration and Analysis' and 'Security Templates'
> >> 3. Add > Close > OK You should now have two items in the console.
> >> 4. Now, we have a bit of a test here. You will need to go to your
> >> %systemroot%\security\templates directory and make a copy of
hisecdc.inf
> > or
> >> rootsec.inf. Open the copy, and remove everything BELOW the line
> >> '%SCEProfileDescription%' Save the file. You now have a 'naked'
> >> security
> >> template.
> >> 5. Back in the created MMC, click on Sec Config Analysis
> >> 6. Create a new database via the steps on the right side of the MMC
> >> console. When prompted, open our naked template.
> >> 7. Follow the directions to Analyze your system.
> >> 8. Once the analysis is complete, navigate to the 'System Services'
> >> 9. Find the service that you are looking for. Right click and select
> >> properties.
> >> 10. Select the 'Define this policy in the database' check box.
> >> 11. Click the 'Edit Security...' button.
> >> 12. In the Security view, remove permissions (except Read) from all
Users
> >> except for Administrators and SYSTEM. Click OK.
> >> 13. Right click on the Security Configuration Analysis line - choose
> >> Configure. Allow this to finish.
> >> 14. Close the MMC. Save it if you desire.
> >>
> >> You will find that the service can still be managed and maintained by
the
> >> system and the Administrator, and the average user will be able to
check
> > the
> >> status of the service, but will not be able to change the state.
> >>
> >> Hope this helps....
> >> "EP" <EP@discussions.microsoft.com> wrote in message
> >> news:4B16B82A-2E56-4E92-A922-F29305009656@microsoft.com...
> >> >I am installing Mcafee personal firewall in windows 2000 Pro laptop,
the
> >> > users need to have a power user account. How I can prevent them to
stop
> > or
> >> > disable the personal firewall.
> >>
> >>
> >
> >
>
>