Umbraco Permissions Script - Secure Version
Back in May I blogged about how to set permissions for Umbraco using SetACL to apply the directory permissions recommended for the installation.
Recently I have been working on a site for a client who wanted every security item locked down as tightly as possible, so I modified the script based on the Umbraco security best practices document. I thought I'd share it with everyone; if I have missed anything, or if anyone has suggestions on how to improve it, please let me know :)
Please refer to my previous post regarding the SetACL command line application that you will need.
I suggest you save the following into a batch file called umbPermSecure.bat:
@echo off
REM Script to set up the security permissions for an Umbraco site
REM This script gives your machine's NETWORK SERVICE account the minimum rights required
REM for Umbraco to work
REM I suggest you update this script to also remove any users who do not need
REM access to the web folders
REM **** Pre-requisites ****
REM You will need to download -> http://setacl.sourceforge.net/
REM It is assumed that you have stored SetACL in a directory called C:\SetACL; if
REM not, you will need to modify the SETACL path below.
REM **** Usage ****
REM You need to pass in the path for the root of your Umbraco directory
REM E.g. umbPermSecure.bat C:\inetpub\umbracoroot

REM Location of SetACL.exe and of the log file every command appends to
SET SETACL=C:\SetACL\SetACL.exe
SET ACLLOG=C:\SetACL\log.txt

echo umbPermSecure.bat - Script to set Umbraco file and directory permissions
echo based on the Umbraco Security Best Practices document (13th March 2009)
echo Published by Chris Houston - 19th October 2009
echo http://blog.vizioz.com

REM Refuse to run without a root path, otherwise the ACEs would be applied to ""
IF "%~1"=="" (
    echo Usage: umbPermSecure.bat C:\inetpub\umbracoroot
    EXIT /B 1
)

REM Each command adds an explicit ACE for NETWORK SERVICE and clears the other
REM entries from the object's DACL and SACL, so only the listed rights remain.
REM %~1 strips surrounding quotes so a quoted path still joins correctly.
echo Adding READ only access
"%SETACL%" -on "%~1" -ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read" -actn clear -clr "dacl,sacl" -log "%ACLLOG%"
"%SETACL%" -on "%~1\web.config" -ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read" -actn clear -clr "dacl,sacl" -log "%ACLLOG%"
"%SETACL%" -on "%~1\bin" -ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read" -actn clear -clr "dacl,sacl" -log "%ACLLOG%"
"%SETACL%" -on "%~1\umbraco" -ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read" -actn clear -clr "dacl,sacl" -log "%ACLLOG%"

echo Adding READ and EXECUTE access
"%SETACL%" -on "%~1\app_code" -ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read_ex" -actn clear -clr "dacl,sacl" -log "%ACLLOG%"
"%SETACL%" -on "%~1\usercontrols" -ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read_ex" -actn clear -clr "dacl,sacl" -log "%ACLLOG%"

echo Adding READ, WRITE and MODIFY access
"%SETACL%" -on "%~1\config" -ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read" -ace "n:%computername%\NETWORK SERVICE;p:change" -actn clear -clr "dacl,sacl" -log "%ACLLOG%"
"%SETACL%" -on "%~1\css" -ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read" -ace "n:%computername%\NETWORK SERVICE;p:change" -actn clear -clr "dacl,sacl" -log "%ACLLOG%"
"%SETACL%" -on "%~1\data" -ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read" -ace "n:%computername%\NETWORK SERVICE;p:change" -actn clear -clr "dacl,sacl" -log "%ACLLOG%"
"%SETACL%" -on "%~1\masterpages" -ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read" -ace "n:%computername%\NETWORK SERVICE;p:change" -actn clear -clr "dacl,sacl" -log "%ACLLOG%"
"%SETACL%" -on "%~1\media" -ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read" -ace "n:%computername%\NETWORK SERVICE;p:change" -actn clear -clr "dacl,sacl" -log "%ACLLOG%"
"%SETACL%" -on "%~1\python" -ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read" -ace "n:%computername%\NETWORK SERVICE;p:change" -actn clear -clr "dacl,sacl" -log "%ACLLOG%"
"%SETACL%" -on "%~1\scripts" -ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read" -ace "n:%computername%\NETWORK SERVICE;p:change" -actn clear -clr "dacl,sacl" -log "%ACLLOG%"
"%SETACL%" -on "%~1\xslt" -ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read" -ace "n:%computername%\NETWORK SERVICE;p:change" -actn clear -clr "dacl,sacl" -log "%ACLLOG%"