Umbraco Permissions Script - Secure Version

Back in May I blogged about how to set Permissions for Umbraco using SetACL to set the appropriate directory permissions based on the installation recommendations.

Recently I have been working on a site for a client who wanted every security item to be locked down as tightly as possible. And so I modified the script based on the Umbraco security best practices, I thought I'd share it with everyone, if I have missed anything, or if anyone has any suggestions on how to improve this, please let me know :)

Please refer to my previous post regarding the SetAcl command line application that you will need.

I suggest you save the following into a batch file called: umbPermSecure.bat

echo off
REM Script to setup the SecurityPermissionsfor an Umbraco site
REM This script will give your machine NetworkService the minimum rights required
REM forUmbraco to work

REM I suggest you update this script to also remove any users who donot need
REM access to the web folders

REM ****Pre-requisites ****
REM You will need to download -> http://setacl.sourceforge.net/
REM Itis assumed that you have stored SetACLin a directory called, C:\SetACL if
REM not, you will need to modify the script.

REM ****Usage****
REM You need to passin the path for the root of your Umbraco directory
REM E.g. umbPermSecure.bat C:\inetpub\umbracoroot

@echo umbPermSecure.bat -Script to setUmbracoFileandDirectoryPermissions
@echo based on the UmbracoSecurityBestPracticesDocument(13thMarch2009)
@echoPublishedbyChrisHouston-19thOctober2009
@echo http://blog.vizioz.com

@echoAdding READ only access

SetACL.exe -on "%1"-ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read"
-actn clear -clr "dacl,sacl"-log "c:\setacl\log.txt"
SetACL.exe -on "%1\web.config"-ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read"
-actn clear -clr "dacl,sacl"-log "c:\setacl\log.txt"
SetACL.exe -on "%1\bin"-ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read"
-actn clear -clr "dacl,sacl"-log "c:\setacl\log.txt"
SetACL.exe -on "%1\umbraco"-ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read"
-actn clear -clr "dacl,sacl"-log "c:\setacl\log.txt"

@echoAdding READ and EXECUTE access

SetACL.exe -on "%1\app_code"-ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read_ex"
-actn clear -clr "dacl,sacl"-log "c:\setacl\log.txt"
SetACL.exe -on "%1\usercontrols"-ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read_ex"
-actn clear -clr "dacl,sacl"-log "c:\setacl\log.txt"

@echoAdding READ, WRITE and MODIFY access

SetACL.exe -on "%1\config"-ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read"
-ace "n:%computername%\NETWORK SERVICE;p:change"-actn clear -clr "dacl,sacl"-log "c:\setacl\log.txt"
SetACL.exe -on "%1\css"-ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read"
-ace "n:%computername%\NETWORK SERVICE;p:change"-actn clear -clr "dacl,sacl"-log "c:\setacl\log.txt"
SetACL.exe -on "%1\data"-ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read"
-ace "n:%computername%\NETWORK SERVICE;p:change"-actn clear -clr "dacl,sacl"-log "c:\setacl\log.txt"
SetACL.exe -on "%1\masterpages"-ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read"
-ace "n:%computername%\NETWORK SERVICE;p:change"-actn clear -clr "dacl,sacl"-log "c:\setacl\log.txt"
SetACL.exe -on "%1\media"-ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read"
-ace "n:%computername%\NETWORK SERVICE;p:change"-actn clear -clr "dacl,sacl"-log "c:\setacl\log.txt"
SetACL.exe -on "%1\python"-ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read"
-ace "n:%computername%\NETWORK SERVICE;p:change"-actn clear -clr "dacl,sacl"-log "c:\setacl\log.txt"
SetACL.exe -on "%1\scripts"-ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read"
-ace "n:%computername%\NETWORK SERVICE;p:change"-actn clear -clr "dacl,sacl"-log "c:\setacl\log.txt"
SetACL.exe -on "%1\xslt"-ot file -actn ace -ace "n:%computername%\NETWORK SERVICE;p:read"
-ace "n:%computername%\NETWORK SERVICE;p:change"-actn clear -clr "dacl,sacl"-log "c:\setacl\log.txt"

Author

Chris Houston

Chris Houston

Chris is the founder of Vizioz and has been working in the field of website development for over 20 years. Chris has been working with Umbraco since 1998 and now spends his time running both Vizioz and QV Offices.


comments powered by Disqus