I'm an intern and I am responsible for creating security controls for vulnerabilities in an environment that will be PCI certified.
There is a Windows machine with two local users: normal-user and Administrator.
I need to create ACL rules in Windows (in PowerShell) so that the normal-user does not have access to C:\
but has access to C:\Users\usuario-normal (the user directory)
and access to another directory, which we can call C:\xyz (the directory of an application that will be run by the normal user).
I've been trying to do this for 1 month, but I always break the system by restricting access.
```powershell
$logPath = "C:HardeningFixLogs999.txt"
Start-Transcript -Path $logPath -Append

# Record who ran the script and where
$hostname = $env:COMPUTERNAME
$username = whoami
# Win32_PingStatus exposes the address as IPV4Address in Windows PowerShell 5.1
$ip = (Test-Connection -ComputerName $hostname -Count 1).IPV4Address.IPAddressToString
Write-Host "Data: $(Get-Date)"
Write-Host "Nome do Host: $hostname"
Write-Host "Nome do User: $username"
Write-Host "IP: $ip"

# Look up the account and stop if it does not exist
$user = Get-WmiObject -Class Win32_UserAccount -Filter "Name = 'NormalUser'"
if ($null -eq $user) {
    Write-Host "Status: Erro - Normal User not found"
    Stop-Transcript
    exit
}

# Resolve the SID to an NTAccount for use in the access rule
$userSID = $user.SID
$objUser = New-Object System.Security.Principal.SecurityIdentifier($userSID)
$strSID = $objUser.Translate([System.Security.Principal.NTAccount])

try {
    $Acl = Get-Acl "C:\"
    $permissionTypes = @("ReadAndExecute", "ListDirectory", "Read")
    foreach ($permissionType in $permissionTypes) {
        $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($strSID, $permissionType, "Deny")
        # SetAccessRule replaces any existing Deny rule for this identity,
        # so only the last right in the list remains on the ACL
        $Acl.SetAccessRule($Ar)
    }
    Set-Acl "C:\" $Acl
    Write-Host "Status: Okay"
}
catch {
    Write-Host "Status: Erro: $_"
}
Write-Host "---------------------------------------------"
Stop-Transcript
```
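One way to scope the restriction described in the question, as an added example that is not the poster's code: deny only directory listing on the root folder itself, grant Modify on the application folder, and save each DACL as SDDL before touching it. It assumes Windows PowerShell 5.1 run elevated, that NormalUser keeps the default "Bypass traverse checking" right, and that the profile folder keeps its default ACL; the `C:\AclBackup` folder is a hypothetical location.

```powershell
#Requires -RunAsAdministrator
# Added example, not the poster's script. NormalUser and C:\xyz come from the
# question; the backup folder is a hypothetical location.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Account   = "$env:COMPUTERNAME\NormalUser",
    [string]$AppDir    = 'C:\xyz',
    [string]$BackupDir = 'C:\AclBackup'   # hypothetical
)
$ErrorActionPreference = 'Stop'
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid = ([System.Security.Principal.NTAccount]$Account).Translate($sidType)

$rules = @(
    # Drive root: deny listing on this folder only (no inheritance flags), so
    # C:\Windows, C:\Program Files and the profile keep their own ACLs.
    @{ Path = 'C:\';   Rights = 'ListDirectory'; Inherit = 'None'; Type = 'Deny' }
    # Application folder: Modify, inherited by subfolders and files.
    @{ Path = $AppDir; Rights = 'Modify'; Inherit = 'ContainerInherit,ObjectInherit'; Type = 'Allow' }
)
# No rule is added for the profile folder (assumed to keep its default ACL).

foreach ($r in $rules) {
    $acl    = Get-Acl -LiteralPath $r.Path
    $before = $acl.GetSecurityDescriptorSddlForm('Access')   # DACL before the change
    $rule   = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $r.Rights, $r.Inherit, 'None', $r.Type)
    # AddAccessRule merges with existing ACEs instead of replacing them
    $acl.AddAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($r.Path, "$($r.Type) $($r.Rights) for $Account")) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $file = Join-Path $BackupDir (($r.Path -replace '[:\\]', '_') + '.sddl')
        Set-Content -LiteralPath $file -Value $before
        Set-Acl -LiteralPath $r.Path -AclObject $acl
    }

    # Show every ACE (explicit and inherited) that names the account
    (Get-Acl -LiteralPath $r.Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
        Format-Table FileSystemRights, AccessControlType, IsInherited, InheritanceFlags
}
```

Running it with `-WhatIf` first lists the planned changes without writing anything. A saved DACL can be restored by loading the `.sddl` text with `SetSecurityDescriptorSddlForm($sddl, 'Access')` on a `Get-Acl` object and passing it to `Set-Acl`.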