Archived from groups: microsoft.public.win2000.security
Roger
Thanks for fundas !!!
The Security guide (Securing Windows 2000 Server.pdf) that was downloaded from
http://www.microsoft.com/downloads/details.aspx?FamilyId=9964CF42-E236-4D73-AEF4-7B4FDC0A25F6&displaylang=en
has the following info for each registry (Registry permissions (Appendix B)
given at page 378)
Permissions Apply
Configure & Propagate
Configure & Replace
Do Not Replace
Inheritable/Can Propagate
I could understand all of them except "Inheritable/Can Propagate".
This is what I was talking about.
I mapped "Inheritable/Can Propagate" to the
"Allow inheritable permissions from parent to propagate to this object" checkbox
but felt it's ambiguous,
as this (Inheritable/Can Propagate) was selected only when "Do Not Replace"
was selected.
Could you please let me know where this (Inheritable/Can Propagate) fits
in the DACL Editor?
Any help will be greatly appreciated.
Thanks in advance
Cheers,
ambharish
"Roger Abell" wrote:
> I am not quite sure this will answer you.
> In the NTFS DACL editor one sets the inheritance properties
> of an ACE by use of the advanced edit view, where one then
> gains access to the dropbox having selections for what the
> highlighted ACE applies to, such as
> This folder, subfolders, and files (i.e. this gets inherited)
> This folder only (i.e. this is not inherited)
> etc.
> Some aspects of the selections in this dropbox control whether
> the ACE is applicable only for objects (i.e. files) or for containers
> (i.e. folders) or both.
> There are also two checkboxes that impact the inheritance
> characteristics of the ACLing. One blocks inheritance from
> above, so that any inheritable ACE in the parental chain will
> not inherit onto what is having its ACL edited (or any children).
> The other box causes the ACL being edited to get applied to
> its children, not a direct copy onto, but a "forced" inheritance
> on down of what is inherited. This is different from just
> applying the new ACL and letting it inherit as the case may
> be due to the contained ACEs in that use of this checkbox
> will also clear any points in the child structure where the
> inheritance is blocked and will remove any explicit ACEs
> set in the child structure.
> In SDDL, the inheritance is represented in the OI, CI, and IO
> strings you will see. The best way to become familiar with
> the SDDL representation is to use the Security Templates
> MMC snap-in to define some different ACLs and then to
> save the template and look at it with notepad to see how the
> different choices have been encoded. Learning by example
> is often more direct than by trying to decode the effect of
> what is documented in the MSDN statements of the SDDL
> specification.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "ambharish" <ambharish@discussions.microsoft.com> wrote in message
> news:C0745901-280B-4899-BD55-53C49C2915C5@microsoft.com...
> > I want to use Microsoft Solutions for Security (Securing Windows 2000
> > Server.pdf) security guide to harden my Domain Server
> >
> > I feel this is a fundooo security guide
> >
> > I have a small question about the recommendations for Registries given in
> > appendix B
> >
> > I want to know where does "Inheritable/Can Propagate" fit ?
> > (either in DACL editor or SDDL)
> >
> > Thanks in advance !!!
> >
> > Cheers,
> > Shekar
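
Added example, not part of the original thread: a short Python parser that reads the DACL part of an SDDL string and reports, for each ACE, which "Apply to" choice of the advanced DACL editor its OI/CI/IO flags correspond to, and whether the DACL carries the P flag (inheritance from the parent blocked). The SDDL strings are constructed samples, and `describe_dacl` and `APPLY_TO` are names chosen for this illustration.

```python
import re

# "Apply to" choices of the advanced NTFS ACE editor, keyed by the
# OI/CI/IO inheritance flags carried on the ACE.
APPLY_TO = {
    frozenset(): "This folder only",
    frozenset({"OI", "CI"}): "This folder, subfolders, and files",
    frozenset({"CI"}): "This folder and subfolders",
    frozenset({"OI"}): "This folder and files",
    frozenset({"OI", "CI", "IO"}): "Subfolders and files only",
    frozenset({"CI", "IO"}): "Subfolders only",
    frozenset({"OI", "IO"}): "Files only",
}

def describe_dacl(sddl):
    """Return (protected, aces) for the D: part of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL with ACEs found")
    # DACL control flags: P = protected (inheritance from the parent is
    # blocked), AI = auto-inherited, AR = auto-inherit requested.
    protected = "P" in re.findall(r"AR|AI|P", m.group(1))
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        ace_type, flags, rights, _, _, trustee = body.split(";")[:6]
        # ACE flags are a run of two-letter codes, e.g. "OICIIO".
        f = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        aces.append({
            "type": ace_type, "trustee": trustee, "rights": rights,
            "applies_to": APPLY_TO.get(frozenset(f & {"OI", "CI", "IO"}),
                                       "combination not offered by the editor"),
            "inherited": "ID" in f,     # ACE came down from a parent
            "no_propagate": "NP" in f,  # inherit one level only
        })
    return protected, aces

# Constructed samples, not taken from the guide or a real template.
EXPLICIT = "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;CIIO;GA;;;CO)(A;;0x1200a9;;;BU)"
INHERITED = "D:AI(A;OICIID;FA;;;BA)(A;OICIIOID;GA;;;CO)"

if __name__ == "__main__":
    for s in (EXPLICIT, INHERITED):
        protected, aces = describe_dacl(s)
        print(s, "-> inheritance from parent blocked:", protected)
        for a in aces:
            print("  ", a["type"], a["trustee"], a["rights"], "|", a["applies_to"],
                  "| inherited" if a["inherited"] else "| explicit")
```
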