Inheritable/Can Propagate ?

Archived from groups: microsoft.public.win2000.security (More info?)

I want to use Microsoft Solutions for Security (Securing Windows 2000
Server.pdf) securiyt guide to harden my Domain Server

I feel this is a fundooo security guide

I have a small question about the recommendations for Registries given in
appendix B

I want to know where does "Inheritable/Can Propagate" fit ?
(either in DACL editor or SDDL)

Thanks in advance !!!

Cheers,
Shekar
2 answers Last reply
More about inheritable propagate
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    I am not quite sure this will answer you.
    In the NTFS DACL editor one set the inheritance properties
    of an ACE by use of the advance edit view, where one then
    gains access to the dropbox having selections for what the
    highlighted ACE applies to, such as
    This folder, subfolders, and files (i.e. this gets inherited)
    This folder only (i.e. this is not inherited)
    etc.
    Some aspects of the selections in this dropbox control whether
    the ACE is applicable only for objects (i.e. files) or for contaniners
    (i.e. folders) or both.
    There are also two checkboxes that impact the inheritance
    characteristics of the ACLing. One blocks inheritance from
    above, so that any inheritable ACE in the parental chain will
    not inherit onto what is having its ACL edited (or any children).
    The other box causes the ACL being edited to get applied to
    its children, not a direct copy onto, but a "forced" inheritance
    on down of what is inherited. This is different from just
    applying the new ACL and letting it inherit as the case may
    be due to the contained ACEs in that use of this checkbox
    will also clear any points in the child structure where the
    inheritance is blocked and will remove any explicit ACEs
    set in the child structure.
    In SDDL, the inheritace is represented in the OI, CI, and IO
    strings you will see. The best way to become familiar with
    the SDDL representation is to use the Security Templates
    MMC snap-in to define some different ACLs and then to
    save the template and look at it with notepad to see how the
    different choices have been encoded. Learning by example
    is often more direct than by trying to decode the effect of
    what is documented in the MSDN statements of the SDDL
    specification.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "ambharish" <ambharish@discussions.microsoft.com> wrote in message
    news:C0745901-280B-4899-BD55-53C49C2915C5@microsoft.com...
    > I want to use Microsoft Solutions for Security (Securing Windows 2000
    > Server.pdf) securiyt guide to harden my Domain Server
    >
    > I feel this is a fundooo security guide
    >
    > I have a small question about the recommendations for Registries given in
    > appendix B
    >
    > I want to know where does "Inheritable/Can Propagate" fit ?
    > (either in DACL editor or SDDL)
    >
    > Thanks in advance !!!
    >
    > Cheers,
    > Shekar
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Roger

    Thanks for fundas !!!

    The Security guide(Securing Windows 2000 Server.pdf)that was downloaded from
    http://www.microsoft.com/downloads/details.aspx?FamilyId=9964CF42-E236-4D73-AEF4-7B4FDC0A25F6&displaylang=en

    has the following info for each registry(Registry permissions(Appendis B)
    given at page 378)

    Permissions Apply
    Configure & Propagate
    Configure & Replace
    Do Not Replace
    Inheritable/Can Propagate

    I could understand all of them but except "Inheritable/Can Propagate"
    this is what i was talking about

    I mapped "Inheritable/Can Propagate" to
    Allow inheritable permissions from parent to propagate to this object checkbox

    but felt its ambiguous
    as this(Inheritable/Can Propagate) was selected only when "Do Not Replace"
    was selected


    could u please tell me know where does this(Inheritable/Can Propagate) fit
    in DACL Editor

    any help will be greatly appreciated

    Thanks in advance

    Cheers,
    ambharish


    "Roger Abell" wrote:

    > I am not quite sure this will answer you.
    > In the NTFS DACL editor one set the inheritance properties
    > of an ACE by use of the advance edit view, where one then
    > gains access to the dropbox having selections for what the
    > highlighted ACE applies to, such as
    > This folder, subfolders, and files (i.e. this gets inherited)
    > This folder only (i.e. this is not inherited)
    > etc.
    > Some aspects of the selections in this dropbox control whether
    > the ACE is applicable only for objects (i.e. files) or for contaniners
    > (i.e. folders) or both.
    > There are also two checkboxes that impact the inheritance
    > characteristics of the ACLing. One blocks inheritance from
    > above, so that any inheritable ACE in the parental chain will
    > not inherit onto what is having its ACL edited (or any children).
    > The other box causes the ACL being edited to get applied to
    > its children, not a direct copy onto, but a "forced" inheritance
    > on down of what is inherited. This is different from just
    > applying the new ACL and letting it inherit as the case may
    > be due to the contained ACEs in that use of this checkbox
    > will also clear any points in the child structure where the
    > inheritance is blocked and will remove any explicit ACEs
    > set in the child structure.
    > In SDDL, the inheritace is represented in the OI, CI, and IO
    > strings you will see. The best way to become familiar with
    > the SDDL representation is to use the Security Templates
    > MMC snap-in to define some different ACLs and then to
    > save the template and look at it with notepad to see how the
    > different choices have been encoded. Learning by example
    > is often more direct than by trying to decode the effect of
    > what is documented in the MSDN statements of the SDDL
    > specification.
    >
    > --
    > Roger Abell
    > Microsoft MVP (Windows Security)
    > MCSE (W2k3,W2k,Nt4) MCDBA
    > "ambharish" <ambharish@discussions.microsoft.com> wrote in message
    > news:C0745901-280B-4899-BD55-53C49C2915C5@microsoft.com...
    > > I want to use Microsoft Solutions for Security (Securing Windows 2000
    > > Server.pdf) securiyt guide to harden my Domain Server
    > >
    > > I feel this is a fundooo security guide
    > >
    > > I have a small question about the recommendations for Registries given in
    > > appendix B
    > >
    > > I want to know where does "Inheritable/Can Propagate" fit ?
    > > (either in DACL editor or SDDL)
    > >
    > > Thanks in advance !!!
    > >
    > > Cheers,
    > > Shekar
    > >
    > >
    > >
    > >
    > >
    > >
    > >
    > >
    > >
    > >
    > >
    > >
    > >
    > >
    > >
    > >
    > >
    > >
    >
    >
    >
Ask a new question

Read More

Security Microsoft Windows