JohnLaird

Reputation: 111

How to change Windows ACL 'Group' with PowerShell?

Problem: I need to limit access to a WCF service using only Windows account settings. I have a WCF service with security binding element 'clientCredentialType' set to 'Windows'. Can't change this setting. If I understand correctly, anyone with an authentic Windows account is authorized as long as they meet the authorization rules set by the file (EXE) that is hosting that WCF service. So I went into PowerShell and queried the settings for that service:

Get-Acl MYSERVICE.exe | Format-List

says:

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Blah\Server\MYSERVICE.exe
Owner  : BUILTIN\Administrators
Group  : MYDOMAIN\Domain Users
Access : NT AUTHORITY\SYSTEM Allow  FullControl
     BUILTIN\Administrators Allow  FullControl
     BUILTIN\Users Allow  ReadAndExecute, Synchronize
     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize
Audit  :
Sddl   : O:BAG:DUD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;AC)

Every user in my domain seems to have access.

Question: how do I change 'MYDOMAIN\Domain Users' to a different group in my domain so that every domain user (in that group) does not have access?

I have been able to change the list of accounts and their permissions under 'Access' like this:

# Read the current ACL of the service binary
$myservice_acl = Get-Acl MYSERVICE.exe
$perm = "My Other Domain Group","FullControl","Allow"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $perm
$myservice_acl.SetAccessRule($rule)
# Write the modified ACL back to the file
Set-Acl -AclObject $myservice_acl -Path MYSERVICE.exe

And I can presumably explicitly deny or grant access, but how do I change the group it inherits from? Or is this the correct approach?

Upvotes: 0

Views: 4853

Answers (3)

thepip3r

Reputation: 2935

The Windows Security Descriptor (SD) is broken up into four primary parts:

  1. Owner
  2. Group (or Primary Group)
  3. Discretionary Access Control List (DACL)
  4. System Access Control List (SACL)

The Primary Group part of the SD is ignored and has been ignored since Windows 2000 and was preserved for backwards compatibility with POSIX operating systems. https://technet.microsoft.com/en-us/library/cc961983.aspx

For your case, the only two fields to concern yourself with are the Owner and the DACL.

  • The Owner has implicit Full Control over the Securable Object.
  • The DACL is a list of Access Control Entries (ACEs) which defines Security Identifiers (SIDs or trustees) that have a level of access rights defined.

In other words, if you are concerned about the SD on your service binary, check the owner and all members of the DACL but not the Primary Group.

EDIT: For the sake of completeness, the SACL is a list of ACEs (trustees and access rights) but instead of governing control, it controls who is audited and for what type of behavior.

Upvotes: 1

Ansgar Wiechers

Reputation: 200373

Domain users have access via the local group BUILTIN\Users (joining a computer to a domain automatically adds the group DOMAIN\Domain Users to the group BUILTIN\Users on the joining host). The group property of the security identifier has nothing to do with the access.

If you want to prevent access by domain users in general and allow just a particular domain group you'd remove the DOMAIN\Domain Users ACE and add an ACE for the desired group:

# Find the existing Domain Users ACE and remove it
$ace = $myservice_acl.Access |
       Where-Object { $_.IdentityReference -eq 'DOMAIN\Domain Users' }
$myservice_acl.RemoveAccessRule($ace)

# Add an Allow ACE for the group that should have access
$ace = New-Object Security.AccessControl.FileSystemAccessRule ('DOMAIN\Other Group', 'FullControl', 'Allow')
$myservice_acl.AddAccessRule($ace)

# Write the modified ACL back to the file
Set-Acl -AclObject $myservice_acl -Path ...

If you just want to deny access to a particular user you could also create a deny ACE for that user. However, mixing permissions like that tends to become pretty messy pretty fast, so I wouldn't recommend going this route.

Upvotes: 0
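The ACL in the question has no explicit Domain Users ACE: the broad access comes from the inherited BUILTIN\Users ACE (the 'ID' flag in the SDDL), and RemoveAccessRule() ignores inherited entries. The following is an added example, not code from the question or any answer, that goes one step further than the answer above by breaking inheritance first, then removing the broad ACEs and granting the intended group only ReadAndExecute; the path is the one from the question's output and 'MYDOMAIN\Service Operators' is a placeholder group name.

```powershell
# Added example. Assumptions: path as shown in the question, placeholder group
# name, elevated session (the file is owned by BUILTIN\Administrators).
$path  = 'C:\Program Files (x86)\Blah\Server\MYSERVICE.exe'
$group = 'MYDOMAIN\Service Operators'   # placeholder for the group that keeps access

# Identities to strip. BUILTIN\Users is what lets every domain user in
# (Domain Users is a member of the local Users group on a domain-joined host).
$remove = @('BUILTIN\Users', 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES')

# Step 1: stop inheriting the DACL from the parent folder, keeping copies of
# the inherited ACEs as explicit ones (isProtected=$true, preserveInheritance=$true).
# The copies only become explicit once written to disk, so Set-Acl here and
# re-read the ACL before trying to remove them.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $path -AclObject $acl

# Step 2: re-read the now-explicit DACL and drop the broad ACEs.
$acl = Get-Acl -Path $path
$acl.Access |
    Where-Object { $remove -contains $_.IdentityReference.Value } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# Step 3: grant the intended group only what a client of the service needs
# (ReadAndExecute), not FullControl.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $group, 'ReadAndExecute', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Step 4: verify the result and flag any broad ACE that survived.
$after = (Get-Acl -Path $path).Access
$after | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
$leftover = $after | Where-Object { $remove -contains $_.IdentityReference.Value }
if ($leftover) {
    Write-Warning "Broad ACEs still present: $($leftover.IdentityReference.Value -join ', ')"
}
```

SYSTEM and Administrators keep their explicit FullControl copies, so the service host and local admins are unaffected.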

gsky

Reputation: 111

Group: The security group of the owner.

Only users in the following groups are able to reach the folder\object:

NT AUTHORITY\SYSTEM Allow  FullControl
BUILTIN\Administrators Allow  FullControl
BUILTIN\Users Allow  ReadAndExecute, Synchronize

You should check only the Access property to add/remove/query who has access to the folder\file.

Upvotes: 0
