
Set-ACL on a System File

Status
Not open for further replies.

peterlyttle (Technical User)
Nov 6, 2006
Hello,

I've been fighting with this most of the day and hopefully someone can help me out. Basically I'm trying to remove the BUILTIN\Users account from a system file (C:\Windows\System32\arp.exe) but am getting an error.

Exception calling "SetAccessControl" with "1" argument(s): "Attempted to perform an unauthorized operation."

I've launched my editor as Administrator and have full admin on the PC I'm working on.

Anyone any ideas?

Code:
function DeleteFilePermissions ([string]$Filename, [string]$ACLUsername, [string]$Permission, [string]$Allow_Deny){
	$DELACL = Get-Acl $Filename
	# Find the existing ACE(s) for the requested identity
	$DELACL_User = $DELACL.Access | Where-Object {$_.IdentityReference -eq "$ACLUsername"}
	If ($DELACL_User.IsInherited -eq $true){
		Write-Host -BackgroundColor Black -ForegroundColor Red "Inheritance is ON please resolve this and rerun"
	}
	else{
		If ($DELACL_User.IdentityReference -eq $ACLUsername){
			# Three-argument constructor: identity, rights, Allow/Deny
			# (empty positional arguments like ",," are a parse error in PowerShell)
			$DELaccessrule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ACLUsername","$Permission","$Allow_Deny")
			# Remove every ACE for this identity, then write the DACL back to the file
			$DELACL.RemoveAccessRuleAll($DELaccessrule)
			Set-Acl -AclObject $DELACL $Filename
			Write-Host -BackgroundColor Black -ForegroundColor Red "Account Deleted"
		}
		else{
			Write-Host -BackgroundColor Black -ForegroundColor Red "This account does not exist"
		}
	}
}
DeleteFilePermissions "C:\Windows\system32\arp.exe" "BUILTIN\Users" "ReadAndExecute" "Allow"
 
Interesting. On an XP SP3 system with PowerShell 2, where I have full admin, this code worked just fine. On a Windows 7 system, I got an error message that I don't possess the "SeSecurityPrivilege" required for the operation. I am in the Administrators group on the Windows 7 PC, though on Windows 7 that doesn't guarantee everything. What OS are you trying this on?
 
I'm trying to do this on Windows 7 / Server 2008 R2. UAC is turned off but I'm still getting this problem, anyone any ideas?
 
Doing a little more digging, with the enhanced security in Windows 7/2008 R2 ARP.EXE is a protected file. Even the Administrators group doesn't have full access to that file (or lots of others), but just Read & Execute. That's why you received the "unauthorized operation" error.

Was there a specific reason you were targeting ARP.EXE, or was that just a test case? If you truly want to change ARP.EXE you'll have to take ownership of the file and then change the security such that Administrators has full control.
 
I am looking at hardening a web server so that basically nobody outside Admins has access to these files etc.
I've even tried elevating the privileges to Full for Administrators but this fails also (cacls arp.exe /E /P BUILTIN\Administrators:F).

Strange as you can add the permission via the gui using the same account!
 
I think taking ownership of the file then changing the permissions then changing the ownership back may work. However I'm having issues setting the owner to something else (NT SERVICE\TrustedInstaller) even with subinacl.exe
 
icacls and the /setowner switch was used to set the owner to NT SERVICE\TrustedInstaller

Hope this helps someone else!
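The full sequence the thread converges on (take ownership, give Administrators full control, strip the BUILTIN\Users ACE, then hand ownership back to NT SERVICE\TrustedInstaller with icacls /setowner), as one added example script. This is not code from the thread or from any of its posters; it assumes an elevated PowerShell 2.0 or later session on Windows 7 / Server 2008 R2, with takeown.exe and icacls.exe available (both ship with Windows). The function name, its parameters and the before/after SDDL capture are this example's own additions.

```powershell
# Added example, not from the thread: take ownership, remove an identity's ACEs,
# then restore ownership to TrustedInstaller, as the thread's replies describe.
# Assumes an elevated session; takeown/icacls exit codes are checked at each step.
function Remove-IdentityFromProtectedFile {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$Identity      = 'BUILTIN\Users',
        [string]$OriginalOwner = 'NT SERVICE\TrustedInstaller'
    )

    if (-not (Test-Path -Path $Path)) { throw "File not found: $Path" }

    # Capture the DACL as SDDL first so the change can be reviewed or reverted.
    $sddlBefore = (Get-Acl -Path $Path).Sddl

    # 1. Take ownership (SeTakeOwnershipPrivilege is held by elevated Administrators).
    & takeown.exe /F $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

    # 2. As the new owner, give Administrators full control so the DACL can be rewritten.
    & icacls.exe $Path /grant 'BUILTIN\Administrators:F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed with exit code $LASTEXITCODE" }

    # 3. Remove every explicit (non-inherited) ACE for the identity and write the DACL back.
    $acl     = Get-Acl -Path $Path
    $targets = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited
    })
    if ($targets.Count -eq 0) {
        Write-Host "No explicit ACE for $Identity on $Path; nothing to remove."
    }
    foreach ($ace in $targets) {
        $acl.RemoveAccessRuleAll($ace)
    }
    Set-Acl -Path $Path -AclObject $acl

    # 4. Hand ownership back to TrustedInstaller (the step that needed icacls in the thread).
    & icacls.exe $Path /setowner $OriginalOwner | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /setowner failed with exit code $LASTEXITCODE" }

    # 5. Verify the result rather than trusting the exit codes alone.
    $after        = Get-Acl -Path $Path
    $stillPresent = @($after.Access | Where-Object { $_.IdentityReference.Value -eq $Identity })
    New-Object PSObject -Property @{
        Path       = $Path
        Owner      = $after.Owner
        Removed    = ($stillPresent.Count -eq 0)
        SddlBefore = $sddlBefore
        SddlAfter  = $after.Sddl
    }
}

# Usage, against the file discussed in the thread:
# Remove-IdentityFromProtectedFile -Path 'C:\Windows\System32\arp.exe'
```

The returned object carries the owner and the before/after SDDL so the change can be logged or compared across the servers being hardened. Note that the Administrators:F grant from step 2 stays in place after ownership is returned, which is what the earlier reply suggests; if that is not wanted, add an icacls /remove:g for it before the /setowner step.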
 