I am on a site where Administrators and System are given Full Control and Everyone change when a permission needs setting.

As the LocalSystem account is added by default whenever permission are assigned through the LockPemissions I never usually add the System account to the table as it seems a pointless task...



Just wondering if you do/dont add the System account?
0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Answers

0
If you use the LockPermissions table for setting permissions LocalSystem is given full control by default so why bother adding it?
Answered 05/10/2007 by: AngelD
Red Belt

Please log in to comment
0
I don't add it for the same reason, "System" is just an alias. I'm guessing its called that due to historical reasons ..

But if you use LockPermissions (which is imho, a best practice, due to its very clear self-documenting nature .. way better than any setacl CAs) be aware that localized copies of Windows cannot resolve anything else than "Everyone" or "Administrator" .. and then starting from Windows Installer 2.0:

The common user names "Everyone" and "Administrators" may be entered in English and are mapped to well-known SIDs. LocalSystem is given full control in all security descriptors created through the LockPermissions Table. You can use the ComputerName Property, LogonUser Property or USERNAME Property in this field to get the current user. A custom action is required to enter the localized name of any other user or group.


If you do need localization someone has already done the work, have a look at SIDlookup by Andreas Magnusson
Answered 05/10/2007 by: jib
Purple Belt

Please log in to comment
0
But if you use LockPermissions (which is imho, a best practice, due to its very clear self-documenting nature
Wouldn't call it best practice as it will overwrite any existing permissions on existing folder/file/registry.
I would only use it If I'm 100% sure that any of above is only created from my installation, but even then I would use other solutions to "append" the new security permissions.
Answered 05/10/2007 by: AngelD
Red Belt

Please log in to comment
0
Localization isnt really an issue I was just scratching my head as I can only see it creating more work for packagers and testers without any benefits.

The thread was really just to confirm my thoughts.. [8|]
Answered 05/10/2007 by: Tone
Second Degree Blue Belt

Please log in to comment
Answer this question or Comment on this question for clarity