==================================================================
== Protecting Files with Windows NT/XP
== gE Technologies
== CACLS: A new look at new methods
== www.nuketutorials.com
==================================================================
= Last updated : 10th September 2002 by gloBal_enemy/Seremify
= Email : seremify@yahoo.com.au   ICQ : 7929694
==================================================================

Please do not mailbomb me or bombard me with **** as I do not appreciate it. If you have a question, ask me. I'll try to help, but remember I'm doing this voluntarily, and please give me some credit for even trying to help spread some useful tricks to those who don't know of them. The same applies to viruses - I have antivirus running all the time 24/7 but it doesn't mean that it'll stop me from having to download **** on my 56kbps connection. And I know I have mixed up the words "ATTRIBUTE" and "PARAMETER" a million times here but I hope you can still understand it.

DOS ownz j00.

==================================================================

LEGAL MUMBOJUMBO:

This document is provided 'as is' and is purely intended to be used as a reference document. It may not be redistributed without credit to the original owner - me, under the alias "gloBal_enemy". If you wish to publish this article somewhere, please ask me first; I probably won't say NO, it's just more for interest's sake. I'm sure Da Vinci would've liked to know that his paintings and work would be some of the most respected/valued works in the world.

You may not modify this document in any way and then reproduce it and claim it as your own. You may quote it or use the whole article, but PLEASE provide credit and if possible email me (as I enjoy reading emails from people who read my guides on various topics). Make sure to use an accurate subject and speak in English (my skills in Japanese, Malay and Chinese are very limited but I will try my best).
If you want to publish this file on your site because you think it is "THAT GOOD" please do; but do not change anything and of course email me. I might even (one day) add a link to all the places that host this file (assuming it ever spreads) onto my own site (which I am yet to have besides NukeTuts).

I take NO RESPONSIBILITY for your actions. If you cannot figure out how it works, you can email me and I'll most likely respond (unless I'm away of course), but if you suffer physical or mental problems, or encounter financial difficulties, then it is not my fault. Fair enough? If not, then stop reading. This document does not provide any insight into 'hacking' computer systems but rather how to protect them and what to do if someone has used the technique against you.

==================================================================

I will admit I didn't come across this CACLS thing on my own; I had the help of a friend who uses the alias "KKO™", so I thank him for telling me about this.

==================================================================

Anyway, I noticed on ASTALAVISTA there are many ways to protect stuff in Windows 2000 when you're on a shared area and so on; but what if you don't have your own account and you access the generic account (in our case it was "Student" and "Computing")? The tricks of using special characters do not apply if you can still open the folders through Windows Explorer, and the DOS commands for renaming them using a password are too much trouble (not to mention that if someone has an ASCII chart they'll find it in not too much time). This method of locking files/folders could be used in conjunction with the ASCII locking, but I'm too lazy to use that method.

This method is FAR from secure. The only reason it works at all is that there are a lot of people who don't even know of it (such as myself, until recently).
If you feel that you are in an environment of people who do not know very, very advanced (undocumented) things in DOS/Win2k/XP then carry on. This system is mainly for people who do not have much power or privileges (in our case it was the STUDENT account for the school) and it allows you to protect your work from being deleted by other more ignorant students.

==================================================================
** If you believe this could help you; carry on **
==================================================================

This method, "CACLS", uses Windows' inbuilt security system, also known as ACLs (Access Control Lists), which determine who can and can't access files. All admins have the power to control this via Windows Explorer, but lower level users are likely not to have access to Windows Explorer or the right mouse button, let alone access to the Permissions tab on File Properties.

The concept is simple: since you are OWNER you have full permission rights over files. OWNER and ADMINISTRATOR have the same level of power over each file; usually the Administrator is the owner if it is a system file (such as Windows), but if you make a Word document or a PowerPoint presentation, then this method would prevent other foolish/stupid users from deleting it. To do so, you (as owner) have to block all access to this file (including yourself). This works because it blocks USERNAMES and not computers or domains. There are ways to block those too, but it is pointless in my situation so I have yet to explore it; feel free to comment on it (and if suitable I can add it to this file).

The CACLS method also shows an "ACCESS DENIED" error (how nice) should one try to modify (that includes EDIT and RENAME), move, delete, or open/run the file. In DOS it will result in an ACCESS DENIED message, but it will ALSO allow users into directories; when they try to see what's inside, it will be blank.
A solution around this is to use the /T switch (explained in the ADVANCED section of this file).

==================================================================
CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]
==================================================================

For more info try typing CACLS into the Win2k/XP DOS/Command prompt for more instructions; or just keep reading for more easy2read instructions. Beware there may be a lot of me sidetracking...

==================================================================

From the above you can see there are multiple ways to do certain things and many additional options you can use. The key commands that you need to know (assuming you have DOS access) are as follows. (The example file will always be "happy.ppt" and the directory is called "h:\gEtech"; the username is "Computing" and the computer name is "C5-01".)

CACLS h:\gEtech\
- This will result in DOS showing you what the current ACL of the directory is:

H:\gEtech\ c5-01\Student:(OI)(CI)F

The first part is self-explanatory (that is the file in question), but the latter can be different depending on the situation. It says "c5-01", but if you were on a domain it would be the domain name; the second section is the username from either the local PC or the domain. In this example ADMINISTRATOR does not have access to the file and they never will; unless they are smart enough to either change the owner (not too difficult) or to login as you and then change the ACL. Both are possible for a 'determined' admin. As another sidenote, the (OI)(CI) mean that all files and subdirectories within will be covered by the ACE. The colon (:) separates the username from the permissions. More on ACEs later...

CACLS h:\gEtech\happy.ppt
- This will result in DOS showing you what the current ACL of the file(s) is.

CACLS h:\gEtech\ /d Everyone
- This command is saying DENY access to the folder to EVERYONE; that is ALL USERS, including yourself.
It will prompt for a 'Y' to confirm it. The (d - DENY) attribute means exactly that. It does not allow any user (when used with EVERYONE) to open the file, rename it, delete it, modify it, or anything. The only user with enough power to change it (besides Administrator) is the person who created it. The person who created it (you, I hope) can then apply a permission to it and stop access.

CACLS h:\gEtech\happy.ppt /d Everyone
- Same as above, except for the individual file only.

CACLS h:\gEtech\ /e /d MrSmith
- This uses /e, which adds to/modifies the current ACL rather than totally clearing it out and replacing it. This works well when you want to give different users different permissions.

CACLS h:\gEtech\ /g Lark:R
- This uses the (g - GRANT) and the (R - Read Only) attributes. By using this command you would be granting the user LARK READ ONLY access. This means they cannot delete nor modify the file, but they do have access to opening it and saving it elsewhere.

CACLS h:\gEtech\ /e /g Minat:F
- This uses the (e - Edit), (g - Grant) and (F - Full Access) attributes. It will give the user MINAT full access to the folder whilst retaining the previous settings for other users.

There are other ways of granting and denying, as you can probably already tell, but those are the most simplified methods. And yes, it is possible to do more than one at a time, but I prefer to keep it simple and to ensure I don't make mistakes. With the problem of having to try to convert 255-character names into 8, making a mistake on CACLS is something you don't want to have to go back to. You can use wildcards to combine files and users, but again I don't like making mistakes; if you must, you use *.exe to select all EXEcutable files, and Happy.* to select all files with the name Happy but an unknown extension. The rest you can figure out..

Don't go locking the whole computer or you might get into trouble. There are plenty of ethics guides to hacking on the net.
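Reading CACLS display lines like H:\gEtech\ c5-01\Student:(OI)(CI)F by hand gets tedious once more than a handful of files are involved. The Python script below is an added example, not part of this guide and not Microsoft's code: it parses that display format (path, then DOMAIN\user:(flags)RIGHT entries, with further entries for the same path on indented continuation lines), decodes the (OI)(CI)(IO)(NP) flags the way the ACE section of this guide describes them, applies the guide's own rights table, and lists every path where Everyone is denied, which is exactly what an admin cleaning up after this trick wants to find first. The SAMPLE output inside it is constructed, and the parser assumes paths contain no spaces. One caveat on the RIGHTS table it reproduces from the guide: in Windows terms C (Change) is the Modify access mask, which does include delete.

```python
"""Parse CACLS display output and audit it for deny-Everyone locks.

Added example for this guide, not code from the guide or from Microsoft.
Assumptions:
  * CACLS display format as shown in the guide: the path, one space, the
    first ACE; further ACEs for the same path on indented continuation lines;
  * each ACE looks like DOMAIN\\user:(flags)RIGHT with RIGHT one of N R W C F
    (N is how CACLS shows a deny entry);
  * paths contain no spaces (CACLS output is ambiguous otherwise).
The SAMPLE text below is constructed, not captured from a real machine.
"""
import re
from dataclasses import dataclass

# The guide's rights table: letter -> what the holder may do.
RIGHTS = {
    "N": frozenset(),
    "R": frozenset({"open", "view_acl"}),
    "W": frozenset({"open", "write", "view_acl"}),
    "C": frozenset({"open", "rename", "move", "write", "view_acl"}),
    "F": frozenset({"open", "rename", "move", "write", "delete", "view_acl"}),
}

# Inheritance flags as the guide's ACE section describes them.
FLAGS = {
    "OI": "object inherit: files inside get this entry",
    "CI": "container inherit: subfolders inside get this entry",
    "IO": "inherit only: does not apply to this item itself",
    "NP": "no propagate: children do not pass it further down",
}

ACE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^\\:]+):"
    r"(?P<flags>(?:\([A-Z]+\))*)(?P<right>[NRWCF])$"
)


@dataclass(frozen=True)
class Ace:
    path: str
    domain: str
    user: str
    flags: frozenset
    right: str

    @property
    def denies(self):
        return self.right == "N"


def parse_ace(path, text):
    """Parse one DOMAIN\\user:(flags)RIGHT entry belonging to `path`."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ACE {text!r} for {path}")
    flags = frozenset(re.findall(r"\(([A-Z]+)\)", m.group("flags")))
    return Ace(path, m.group("domain") or "", m.group("user"), flags, m.group("right"))


def parse_cacls(output):
    """Turn CACLS display text into a list of Ace records."""
    aces, path = [], None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():          # continuation: same path, next ACE
            if path is None:
                raise ValueError("continuation line before any path")
            aces.append(parse_ace(path, line))
        else:                          # new path followed by its first ACE
            path, rest = line.split(None, 1)
            aces.append(parse_ace(path, rest))
    return aces


def find_everyone_locks(aces):
    """Paths where Everyone is denied: the lock this guide describes."""
    return sorted({a.path for a in aces if a.user.lower() == "everyone" and a.denies})


def describe(ace):
    """One human-readable line per ACE, including what the flags inherit."""
    who = f"{ace.domain}\\{ace.user}" if ace.domain else ace.user
    what = "DENIED all access" if ace.denies else "may " + ", ".join(sorted(RIGHTS[ace.right]))
    inherit = "; ".join(FLAGS.get(f, f) for f in sorted(ace.flags)) or "this item only"
    return f"{ace.path}: {who} {what} ({inherit})"


# Constructed sample: the guide's folder locked with /d Everyone, the .ppt
# locked on its own, and a third file with ordinary grants.
SAMPLE = """\
H:\\gEtech c5-01\\Student:(OI)(CI)F
          c5-01\\Everyone:(OI)(CI)N
H:\\gEtech\\happy.ppt c5-01\\Everyone:N
H:\\gEtech\\notes.txt c5-01\\Student:F
                     c5-01\\Lark:R
"""

if __name__ == "__main__":
    entries = parse_cacls(SAMPLE)
    for e in entries:
        print(describe(e))
    print("Locked against Everyone:", find_everyone_locks(entries))
```

On a real machine you would feed it the output of CACLS run over a tree (for example redirected to a text file) instead of SAMPLE; anything that is not a plain N/R/W/C/F entry raises a ValueError with the offending line rather than being silently misread.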
Read them if you think you may be a script kiddie or n00b of some sort. If you must know more, continue reading; otherwise skip down a bit and read more useful and somewhat relevant stuff.

==================================================================

More advanced but somewhat useless commands..

CACLS h:\gEtech\ /t /g Student:F
By using /T you are making it apply to all subdirectories.

CACLS h:\gEtech\*.exe /c /g Student:F
If there were files in that folder (gEtech) that were not owned by yourself, then access will not be granted on them. The /C will make it continue processing files even if there is an error.

CACLS h:\gEtech\happy.ppt /e /r Computing
This uses /R to revoke any rights the user 'Computing' has. It will only work with /E since it modifies the current ACL, so all other details/rights are left intact.

CACLS h:\gEtech\happy.ppt /p Computing:F
CACLS h:\gEtech\happy.ppt /p Computing:R
CACLS h:\gEtech\happy.ppt /p Computing:W
Above are some examples of /p (REPLACE USER RIGHTS), and I have included a small ASCII (*gasp*) table of the different combos.

Rights - what goes after the colon :
Name - what it's called
O - Can it be opened (the file/folder the ACL applies to)? Once opened it can be saved anywhere else.
R - Can it be renamed? Even if the file is READ ONLY you can still copy it elsewhere.
M - Can it be moved? (essentially the same as above)
W - Can it be written to? (ie. adding text to a Word document)
D - Can it be deleted? Even if it can't be deleted, if they can write to it, one user could clear out the whole file (making it empty) and save it.
A - Can the ACLs be viewed?
=============================================================
= Rights = Name   = O = R = M = W = D = A = Used with =
=============================================================
=   N    = None   = N = N = N = N = N = N = /P        =
=   R    = Read   = Y = N = N = N = N = Y = /G /P     =
=   W    = Write  = Y = N = N = Y = N = Y = /G /P     =
=   C    = Change = Y = Y = Y = Y = N = Y = /G /P     =
=   F    = FULL   = Y = Y = Y = Y = Y = Y = /G /P     =
=============================================================

CACLS h:\gETech\happy.ppt /e /r Computing
This will revoke the user Computing's rights. Also note (I just remembered) that there is no mention of a domain. You can specify one if you wish, but if you don't, then it applies to any user trying to access the file/folder(s) from that account, whether they are local or roaming. Revoke just removes any right the user has (makes them an "N"), but it must be used with /e as it does NOT change the rest of the ACL settings.

==================================================================

Want to make a batch file? Or go even further with VB?

If you want automation, make note of the following. If you wish to use something which does not contain "/E" there will be a prompt. The prompts can be answered automatically by using the following line:

echo y|cacls h:\gETech /g Computing:F

Note there is no space between 'y' and '|' and 'cacls'. This will automatically pipe the pressing of a Y into the cacls program. If you wish to make it automatic but not use a Y, try using the /E (edit) parameter. This does not have a prompt, so it works well with VB.

This brings me to my next point. I am yet to implement CACLS properly into Visual Basic - please email me if you do find a way to automatically suppress the "Y" without the use of a batch file. If you want to call it, the file (CACLS) is located at:

C:\WINNT\System32\CACLS.exe

..so by use of a Shell("c:\winnt\system32\cacls.exe /g computing:f") you should get somewhere. Any further than that I cannot do, as I cannot suppress the prompt automatically.
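For anyone scripting this rather than typing it, here is an added Python example (not the guide's own code, and nothing from Microsoft) that builds each CACLS command line according to the switch rules given above (/R only with /E, N only with /P) and feeds the Y into the prompt over stdin when /E is absent, which is the same effect as the echo y|cacls line. It assumes CACLS.EXE is on the PATH (the guide gives C:\WINNT\System32\CACLS.exe) and that you own the files; run_cacls() is the only part that needs Windows, so the argument building can be checked on any machine.

```python
"""Build and run CACLS command lines from a script.

Added example for this guide, not the guide's own code.  Assumes CACLS.EXE
is on PATH and that you own the files you touch.  Only run_cacls() needs
Windows; cacls_args() and needs_prompt() run anywhere.
"""
import subprocess
import sys

GRANT_RIGHTS = set("RWCF")     # rights /G accepts (per the guide's table)
REPLACE_RIGHTS = set("NRWCF")  # /P additionally accepts N (none)


def cacls_args(path, grant=(), deny=(), revoke=(), replace=(),
               edit=True, recurse=False, keep_going=False):
    """Return the argv for one CACLS call, checked against the guide's rules.

    grant/replace: (user, right) pairs; deny/revoke: user names.
    edit=True emits /E, so the existing ACL is kept and no Y/N prompt appears.
    """
    if revoke and not edit:
        raise ValueError("/R only works together with /E")
    args = ["cacls", path]
    if recurse:
        args.append("/T")
    if edit:
        args.append("/E")
    if keep_going:
        args.append("/C")
    for user, right in grant:
        if right not in GRANT_RIGHTS:
            raise ValueError(f"/G does not accept right {right!r}")
        args += ["/G", f"{user}:{right}"]
    for user in revoke:
        args += ["/R", user]
    for user, right in replace:
        if right not in REPLACE_RIGHTS:
            raise ValueError(f"/P does not accept right {right!r}")
        args += ["/P", f"{user}:{right}"]
    for user in deny:
        args += ["/D", user]
    return args


def needs_prompt(args):
    """Without /E, CACLS replaces the whole ACL and asks 'Are you sure (Y/N)?'."""
    return "/E" not in args


def run_cacls(args):
    """Run CACLS, answering the confirmation prompt on stdin when there is one.

    Scripted equivalent of the guide's  echo y|cacls ...  line; returns the
    CompletedProcess so the caller can inspect returncode and stdout.
    """
    if sys.platform != "win32":
        raise RuntimeError("CACLS only exists on Windows")
    return subprocess.run(args, input="y\n" if needs_prompt(args) else "",
                          text=True, capture_output=True)


if __name__ == "__main__":
    # Constructed usage with the guide's names; only prints what would run.
    for call in (
        cacls_args(r"H:\gEtech", grant=[("Lark", "R")]),
        cacls_args(r"H:\gEtech\happy.ppt", revoke=["Computing"]),
        cacls_args(r"H:\gEtech\happy.ppt", deny=["Everyone"], edit=False),
    ):
        print(subprocess.list2cmdline(call), "(prompt)" if needs_prompt(call) else "")
```

Because the arguments are passed as a list rather than one string, user names with spaces (such as "NT AUTHORITY\SYSTEM") are quoted for you, and the validation catches the mistakes the guide warns about (revoking without /E, handing N to /G) before anything touches an ACL.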
==================================================================

If you're an administrator trying to fix the problem of someone making your network full of CACLS stuff, then read on.

First you need to make yourself OWNER of the files. There are two ways to do this.

One is by opening up Windows Explorer (Winkey + E), finding the locked folder/files, right clicking them and then, in the tab "PERMISSIONS" or "ACCESS", making yourself OWNER of the file. There are various ways of doing this, or just give yourself FULL ACCESS. If it does not let you gain full access, you will have to make yourself OWNER, and that requires a bit of menu navigating, but I'm sure you will find it. In Windows XP it will prompt you that you must be OWNER and ask if you wish to make yourself OWNER if you attempt to change anything.

"The GUI in File Manager or Windows NT Explorer is currently limited to replacing the ACLs."
- Taken from the Microsoft Article on CACLS listed below

The second method requires you to login as that user. Whether that means you have to give them a blank password and then login as them, or you just get them to do it, this is the more obvious way to do it and is a good way of punishing someone. To unlock the files from here, you just use the above "GRANT" commands to allow access.

Note: You cannot remove an ACL as there is always one.

==================================================================

ACE - Access Control Entries .. or known as "Container Access Inheritance Flags"

This is one of the smarter names used. If the container is locked, you cannot open it. If the container is see-through (the folder is allowed to be opened but the files inside are not - NP) you can still see what's inside but you can't touch. ACEs come about because certain files (such as files inside your profile) only obtain their ACL or Access Rights because they are located within another folder (or container, in this analogy).
IO - means "Inherit Only" - it will not affect the current item but it will travel within if other tags are used. This is a good example of a clear container.
CI - means "Container Inherit" - if there are smaller containers inside then they will have the same attributes as being set. If used with IO then of course the insides will be invisible but the outside container will be see-through.
OI - means "Object Inherit" - if there are any files within this container they will share the same attributes as the file being selected. If you use IO then of course they will be invisible.
NP - means "Non-Propagate" - this means that whatever you set here will not affect the insides in any way. If someone knows the exact path to a file and you use this tag, then they can get access to the file or unlocked folders as they need.

For more information see the Microsoft article below.

==================================================================

LINKS

Microsoft's Guide to ACL/CACLS
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q162786

Microsoft's Article on ACE
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q220167&

Astalavista
http://www.astalavista.com

GameFAQs
http://www.gamefaqs.com

NukeTutorials
http://www.nuketutorials.com

KazaaLite.com
http://www.kazaalite.com

==================================================================

The end

I hope this proves helpful. Please email me if it does; any comments, suggestions, all are appreciated. Any ideas what to do next? I'm doing PHPNuke stuff at the moment as well, so feel free to talk about that.

seremify@yahoo.com.au

Don't forget to write.

==================================================================

Copyright 2002 Jeff C aka gloBal_enemy
Do not steal. Plagiarism is bad.