Inheritable/Can Propagate ?

Guest
Archived from groups: microsoft.public.win2000.security

I want to use Microsoft Solutions for Security (Securing Windows 2000
Server.pdf) security guide to harden my Domain Server

I feel this is a fundooo security guide

I have a small question about the recommendations for Registries given in
appendix B

I want to know where does "Inheritable/Can Propagate" fit ?
(either in DACL editor or SDDL)

Thanks in advance !!!

Cheers,
Shekar
 
Guest

I am not quite sure this will answer you.
In the NTFS DACL editor one sets the inheritance properties
of an ACE by use of the advanced edit view, where one then
gains access to the dropbox having selections for what the
highlighted ACE applies to, such as
This folder, subfolders, and files (i.e. this gets inherited)
This folder only (i.e. this is not inherited)
etc.
Some aspects of the selections in this dropbox control whether
the ACE is applicable only for objects (i.e. files) or for containers
(i.e. folders) or both.
There are also two checkboxes that impact the inheritance
characteristics of the ACLing. One blocks inheritance from
above, so that any inheritable ACE in the parental chain will
not inherit onto what is having its ACL edited (or any children).
The other box causes the ACL being edited to get applied to
its children, not a direct copy onto, but a "forced" inheritance
on down of what is inherited. This is different from just
applying the new ACL and letting it inherit as the case may
be due to the contained ACEs in that use of this checkbox
will also clear any points in the child structure where the
inheritance is blocked and will remove any explicit ACEs
set in the child structure.
In SDDL, the inheritance is represented in the OI, CI, and IO
strings you will see. The best way to become familiar with
the SDDL representation is to use the Security Templates
MMC snap-in to define some different ACLs and then to
save the template and look at it with notepad to see how the
different choices have been encoded. Learning by example
is often more direct than by trying to decode the effect of
what is documented in the MSDN statements of the SDDL
specification.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
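The OI, CI and IO strings mentioned in the reply above can be decoded mechanically. The following is an added example, not part of the original posts or of the Microsoft guide: `decode_dacl` is a hypothetical helper that maps each ACE's SDDL flags to the "applies to" choice the NTFS ACL editor shows, and the two SDDL strings are constructed samples.

```python
import re

# "Apply onto" wording of the advanced ACL editor, keyed by (OI, CI, IO).
APPLY_ONTO = {
    (False, False, False): "This folder only",
    (True, True, False): "This folder, subfolders, and files",
    (False, True, False): "This folder and subfolders",
    (True, False, False): "This folder and files",
    (True, True, True): "Subfolders and files only",
    (False, True, True): "Subfolders only",
    (True, False, True): "Files only",
}

def decode_dacl(sddl):
    """Decode the D: part of an SDDL string (hypothetical helper).

    Handles plain ACEs as written by security templates; conditional ACEs
    with nested parentheses are out of scope.
    """
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL with ACEs found")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        flags = set(re.findall("[A-Z]{2}", fields[1]))
        key = ("OI" in flags, "CI" in flags, "IO" in flags)
        aces.append({
            "type": fields[0],
            "rights": fields[2],
            "trustee": fields[5],
            "applies_to": APPLY_ONTO.get(key, "Nothing (IO without OI or CI)"),
            "inherited": "ID" in flags,        # came down from a parent
            "no_propagate": "NP" in flags,     # children do not pass it on
        })
    # "P" in the DACL flags is the "block inheritance from above" setting.
    return {"protected": "P" in m.group(1), "aces": aces}

# Constructed sample strings, not taken from the guide's Appendix B.
EXPLICIT = "O:BAG:SYD:PAR(A;OICI;FA;;;BA)(A;OICIIO;GA;;;CO)(A;;0x1200a9;;;BU)"
INHERITED = "D:AI(A;CIID;KR;;;BU)"

if __name__ == "__main__":
    for sample in (EXPLICIT, INHERITED):
        result = decode_dacl(sample)
        print(sample, "protected =", result["protected"])
        for ace in result["aces"]:
            print("  ", ace["trustee"], ace["rights"], "->", ace["applies_to"])
```
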
 
Guest

Roger

Thanks for fundas !!!

The Security guide (Securing Windows 2000 Server.pdf) that was downloaded from
http://www.microsoft.com/downloads/details.aspx?FamilyId=9964CF42-E236-4D73-AEF4-7B4FDC0A25F6&displaylang=en

has the following info for each registry (Registry permissions (Appendix B)
given at page 378)

Permissions Apply
Configure & Propagate
Configure & Replace
Do Not Replace
Inheritable/Can Propagate

I could understand all of them except "Inheritable/Can Propagate"
this is what I was talking about

I mapped "Inheritable/Can Propagate" to
Allow inheritable permissions from parent to propagate to this object checkbox

but felt it's ambiguous
as this (Inheritable/Can Propagate) was selected only when "Do Not Replace"
was selected


could you please let me know where does this (Inheritable/Can Propagate) fit
in DACL Editor

any help will be greatly appreciated

Thanks in advance

Cheers,
ambharish

