Hack Proofing Windows 2000 Server

Managing permissions is sometimes a difficult task for administrators. Incorrectly assigning permissions can help an intruder compromise your security. Remember that you can assign permissions to every object in Active Directory. In addition to Active Directory permissions, you also need to manage service, share, and NTFS permissions. Even if you think everything is set correctly, sometimes you need to go back and diagnose why things aren t working just right. The tools discussed in this section help you accomplish these goals. The following tools are provided with the Windows 2000 Server Resource Kit:
Service ACL Editor
Permcopy
The following tools are provided with Support Tools:
ACL Diagnostics
DsAcls
Service ACL Editor ( svcacls) is a tool that allows administrators to control the access control lists of service objects from the command prompt. To use svcacls, you must be an administrator or be delegated the Delete, Read Control, and Write permissions to the DACL (discretionary access control lists) of a service. The only file required to use the Service ACL Editor is svcacls.exe.
The Service ACL Editor uses the following syntax:
svcacls [\\<i class="emphasis">TargetComputer</i>\]<i class="emphasis">Service </i>[<i class="emphasis">Options</i>]
Table 12.18 displays the syntax for svcacls.
| Option | Description |
|---|---|
| TargetComputer | The name of the remote computer that you want to control. |
| Service | The name of the service that want to assign permissions. |
| Grant | Adds permissions. |
| Set | Replaces permissions. |
| Revoke | Removes any explicit permissions. |
| Deny | Blocks all access. |