Umbraco Permissions Script - Secure Version
Posted by Vizioz Limited on Vizioz Umbraco Blog
Published on 2009-10-20T11:09:00.000-07:00
Recently I have been working on a site for a client who wanted every security setting locked down as tightly as possible, so I modified the script based on the Umbraco security best practices. I thought I'd share it with everyone; if I have missed anything, or if anyone has suggestions on how to improve it, please let me know :)
Please refer to my previous post regarding the SetAcl command line application that you will need.
I suggest you save the following into a batch file called: umbPermSecure.bat
@echo off
REM Script to set up the security permissions for an Umbraco site
REM This script gives your machine's NETWORK SERVICE account the minimum rights
REM required for Umbraco to work.
REM I suggest you update this script to also remove any users who do not need
REM access to the web folders.
REM **** Pre-requisites ****
REM You will need to download -> http://setacl.sourceforge.net/
REM It is assumed that you have stored SetACL in a directory called C:\SetACL;
REM if not, you will need to modify the SETACL variable below.
REM Run this from an elevated (administrator) prompt: clearing the SACL needs
REM the "Manage auditing and security log" privilege.
REM **** Usage ****
REM You need to pass in the path for the root of your Umbraco directory
REM E.g. umbPermSecure.bat C:\inetpub\umbracoroot

REM Location of SetACL.exe and its log file
set SETACL=C:\SetACL\SetACL.exe
set SETACLLOG=C:\SetACL\log.txt
REM Account the IIS application pool runs as
set WEBUSER=%computername%\NETWORK SERVICE

if "%~1"=="" (
    echo Usage: umbPermSecure.bat ^<path to Umbraco root^>
    exit /b 1
)
if not exist "%~1\" (
    echo The directory "%~1" does not exist
    exit /b 1
)
if not exist "%SETACL%" (
    echo SetACL.exe was not found at %SETACL%
    exit /b 1
)

echo umbPermSecure.bat - Script to set Umbraco File and Directory Permissions
echo based on the Umbraco Security Best Practices Document (13th March 2009)
echo Published by Chris Houston - 19th October 2009
echo http://blog.vizioz.com

REM Each call below combines two SetACL actions: "clear" removes the existing
REM DACL and SACL entries on the object, and "ace" grants only the listed
REM permission(s) to NETWORK SERVICE, so nothing else is left explicitly
REM granted. Output is written to the SetACL log file.
echo Adding READ only access
"%SETACL%" -on "%~1" -ot file -actn ace -ace "n:%WEBUSER%;p:read" -actn clear -clr "dacl,sacl" -log "%SETACLLOG%"
"%SETACL%" -on "%~1\web.config" -ot file -actn ace -ace "n:%WEBUSER%;p:read" -actn clear -clr "dacl,sacl" -log "%SETACLLOG%"
"%SETACL%" -on "%~1\bin" -ot file -actn ace -ace "n:%WEBUSER%;p:read" -actn clear -clr "dacl,sacl" -log "%SETACLLOG%"
"%SETACL%" -on "%~1\umbraco" -ot file -actn ace -ace "n:%WEBUSER%;p:read" -actn clear -clr "dacl,sacl" -log "%SETACLLOG%"
echo Adding READ and EXECUTE access
"%SETACL%" -on "%~1\app_code" -ot file -actn ace -ace "n:%WEBUSER%;p:read_ex" -actn clear -clr "dacl,sacl" -log "%SETACLLOG%"
"%SETACL%" -on "%~1\usercontrols" -ot file -actn ace -ace "n:%WEBUSER%;p:read_ex" -actn clear -clr "dacl,sacl" -log "%SETACLLOG%"
echo Adding READ, WRITE and MODIFY access
"%SETACL%" -on "%~1\config" -ot file -actn ace -ace "n:%WEBUSER%;p:read" -ace "n:%WEBUSER%;p:change" -actn clear -clr "dacl,sacl" -log "%SETACLLOG%"
"%SETACL%" -on "%~1\css" -ot file -actn ace -ace "n:%WEBUSER%;p:read" -ace "n:%WEBUSER%;p:change" -actn clear -clr "dacl,sacl" -log "%SETACLLOG%"
"%SETACL%" -on "%~1\data" -ot file -actn ace -ace "n:%WEBUSER%;p:read" -ace "n:%WEBUSER%;p:change" -actn clear -clr "dacl,sacl" -log "%SETACLLOG%"
"%SETACL%" -on "%~1\masterpages" -ot file -actn ace -ace "n:%WEBUSER%;p:read" -ace "n:%WEBUSER%;p:change" -actn clear -clr "dacl,sacl" -log "%SETACLLOG%"
"%SETACL%" -on "%~1\media" -ot file -actn ace -ace "n:%WEBUSER%;p:read" -ace "n:%WEBUSER%;p:change" -actn clear -clr "dacl,sacl" -log "%SETACLLOG%"
"%SETACL%" -on "%~1\python" -ot file -actn ace -ace "n:%WEBUSER%;p:read" -ace "n:%WEBUSER%;p:change" -actn clear -clr "dacl,sacl" -log "%SETACLLOG%"
"%SETACL%" -on "%~1\scripts" -ot file -actn ace -ace "n:%WEBUSER%;p:read" -ace "n:%WEBUSER%;p:change" -actn clear -clr "dacl,sacl" -log "%SETACLLOG%"
"%SETACL%" -on "%~1\xslt" -ot file -actn ace -ace "n:%WEBUSER%;p:read" -ace "n:%WEBUSER%;p:change" -actn clear -clr "dacl,sacl" -log "%SETACLLOG%"
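To confirm that the batch file actually produced the intended result, here is an added PowerShell audit (example code written for this page, not from the original post or from Vizioz) that re-reads the NTFS ACLs under the Umbraco root and compares them with the script's three permission tiers. It assumes that SetACL's read, read_ex and change correspond to the .NET FileSystemRights values Read, ReadAndExecute and Modify (each with the Synchronize bit, which Windows adds to ACEs written through its API), that the application pool account shows up as NT AUTHORITY\NETWORK SERVICE, and that Administrators, SYSTEM and CREATOR OWNER are the only other identities expected to keep access; the file name Audit-UmbracoAcl.ps1 and the function name are my own.

```powershell
# Audit-UmbracoAcl.ps1 (added example, not part of the original post)
# Re-reads the NTFS ACLs that umbPermSecure.bat is meant to produce and reports:
#   EXCESS  - NETWORK SERVICE holds rights beyond the ceiling intended for that path
#   EXTRA   - another non-administrative identity still has an Allow entry
#   MISSING - a path from the batch script does not exist under the given root
# Usage: .\Audit-UmbracoAcl.ps1 -UmbracoRoot C:\inetpub\umbracoroot
param(
    [Parameter(Mandatory = $true)]
    [string]$UmbracoRoot
)

$R = [System.Security.AccessControl.FileSystemRights]

# Assumed mapping from SetACL's permission names to .NET FileSystemRights:
#   read -> Read, read_ex -> ReadAndExecute, change -> Modify.
# Synchronize is folded into every ceiling because ACEs written through the
# Windows API carry the SYNCHRONIZE bit next to the generic read/modify bits.
$read   = $R::Read           -bor $R::Synchronize
$readEx = $R::ReadAndExecute -bor $R::Synchronize
$change = $R::Modify         -bor $R::Synchronize

# Ceiling per path, mirroring the three sections of umbPermSecure.bat.
$policy = [ordered]@{
    '.'            = $read
    'web.config'   = $read
    'bin'          = $read
    'umbraco'      = $read
    'app_code'     = $readEx
    'usercontrols' = $readEx
    'config'       = $change
    'css'          = $change
    'data'         = $change
    'masterpages'  = $change
    'media'        = $change
    'python'       = $change
    'scripts'      = $change
    'xslt'         = $change
}

# Identities that may legitimately keep access next to the pool account.
# Assumed list: adjust it to your own administrative model before acting on EXTRA findings.
$allowedOthers = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

function Test-UmbracoAcl {
    param(
        [string]$Root,
        [System.Collections.Specialized.OrderedDictionary]$Policy
    )
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($entry in $Policy.GetEnumerator()) {
        $path = if ($entry.Key -eq '.') { $Root } else { Join-Path $Root $entry.Key }
        if (-not (Test-Path -Path $path)) {
            $findings.Add("MISSING  $path")
            continue
        }
        $ceiling = [int]$entry.Value
        foreach ($ace in (Get-Acl -Path $path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who    = $ace.IdentityReference.Value
            $rights = [int]$ace.FileSystemRights
            if ($who -eq 'NT AUTHORITY\NETWORK SERVICE') {
                # Any right bit set outside the ceiling is an over-grant.
                $excess = $rights -band (-bnot $ceiling)
                if ($excess -ne 0) {
                    $findings.Add(("EXCESS   {0} : NETWORK SERVICE has {1}; excess bits 0x{2:X}" -f $path, $ace.FileSystemRights, $excess))
                }
            }
            elseif ($allowedOthers -notcontains $who) {
                $origin = if ($ace.IsInherited) { ' (inherited)' } else { ''}
                $findings.Add("EXTRA    $path : $who has $($ace.FileSystemRights)$origin")
            }
        }
    }
    return $findings
}

$result = Test-UmbracoAcl -Root $UmbracoRoot -Policy $policy
if ($result.Count -eq 0) {
    Write-Output "OK: ACLs match the umbPermSecure.bat policy under $UmbracoRoot"
    exit 0
}
$result | ForEach-Object { Write-Output $_ }
exit 1
```

Run it from an elevated prompt after the batch file has finished. EXTRA findings marked "(inherited)" come from the parent directory's ACL rather than from anything the batch file granted, which is the case the post's suggestion about removing unneeded users is really about: clearing the DACL only removes the explicit entries, so inherited ones have to be dealt with at the parent or by protecting the folder.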
© Vizioz Umbraco Blog or respective owner