I recently stumbled across the NTFS Owner Rights security principal. This is an obscure security principal that is used to restrict the rights that the owner of a file has. This can come in handy when hardening endpoints in corporate environments. Frequently, we encounter software that has to be run in the context of a user. However, we might not want the user to tamper with the logs generated by the software. So how do we prevent that?
One method is to use the NTFS Owner Rights security principal to restrict the user from modifying, renaming or deleting files in the log folder. Using administrative privilege, we will first need to disable all permissions inherited from parent folders. Then, we remove the Creator Owner and the User principal from the folder. Finally, we add the Owner Rights principal to the folder and give it the following permissions.
If performed correctly, we should see the following output when running icacls on the folder. We can then copy files into the folder. These files will be immutable and we will not be able to rename or delete them. We will also not be able to grant ourselves permissions on these files. Perfect for logging integrity! If you are following along, take note that I copied the files. Moving the files will give a different result. That is because a file will retain its original permissions if it is moved to a destination on the same NTFS partition.
Also, do make sure to protect the parent directory as well. We do not want the user moving the entire parent directory and creating a new one with default permissions in its place.
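The procedure above, scripted as an added example (this is not code from the original post). It follows the same steps with icacls: disable inheritance, remove CREATOR OWNER and the built-in Users group, grant OWNER RIGHTS (SID S-1-3-4), then apply the same treatment to the parent directory and copy (not move) a file in. Assumptions: the paths are placeholders, the permission set granted to OWNER RIGHTS (read and execute only) is my own choice because the post's permission list is not reproduced here, and the well-known SIDs for CREATOR OWNER (S-1-3-0) and Users (S-1-5-32-545) are used instead of localized names so the script works on non-English systems.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post. Placeholder paths:
$LogRoot = 'C:\ProgramData\ExampleApp'   # parent directory (assumed)
$LogDir  = Join-Path $LogRoot 'Logs'     # log folder to harden (assumed)

function Invoke-Icacls {
    # Run icacls with the given arguments and fail loudly on a non-zero exit code.
    param([Parameter(Mandatory)][string[]]$ArgumentList)
    $output = & icacls.exe @ArgumentList 2>&1
    if ($LASTEXITCODE -ne 0) { throw "icacls $($ArgumentList -join ' ') failed: $output" }
    return $output
}

function Protect-LogFolder {
    param([Parameter(Mandatory)][string]$Path)

    # Step 1: stop inheriting from the parent. /inheritance:d copies the inherited
    # ACEs as explicit ACEs, so SYSTEM and Administrators keep full control.
    Invoke-Icacls @($Path, '/inheritance:d') | Out-Null

    # Step 2: remove CREATOR OWNER (S-1-3-0) and the Users group (S-1-5-32-545).
    Invoke-Icacls @($Path, '/remove:g', '*S-1-3-0') | Out-Null
    Invoke-Icacls @($Path, '/remove:g', '*S-1-5-32-545') | Out-Null

    # Step 3: add OWNER RIGHTS (S-1-3-4). Granting only RX is an assumption: the
    # owner of any file created here can read it but not modify, rename or
    # delete it, and cannot grant themselves extra permissions either.
    Invoke-Icacls @($Path, '/grant', '*S-1-3-4:(OI)(CI)(RX)') | Out-Null
}

function Test-OwnerRightsAcl {
    # Check the icacls listing for the entries we expect and for the ones we
    # removed. Returns $true only when the folder looks like the hardened state.
    param([Parameter(Mandatory)][string]$Path)
    $listing = (Invoke-Icacls @($Path)) -join "`n"
    $hasOwnerRights = $listing -match 'S-1-3-4|OWNER RIGHTS'
    $hasCreatorOwner = $listing -match 'S-1-3-0|CREATOR OWNER'
    $hasUsers = $listing -match 'S-1-5-32-545|BUILTIN\\Users'
    return ($hasOwnerRights -and -not $hasCreatorOwner -and -not $hasUsers)
}

function Test-FileImmutable {
    # To be run in the context of the unprivileged user: deletion and renaming
    # must fail. Returns $true when both operations are denied.
    param([Parameter(Mandatory)][string]$FilePath)
    $denied = 0
    try { Remove-Item -LiteralPath $FilePath -ErrorAction Stop } catch { $denied++ }
    try { Rename-Item -LiteralPath $FilePath -NewName 'renamed.log' -ErrorAction Stop } catch { $denied++ }
    return ($denied -eq 2)
}

# Harden both the log folder and its parent, so the user cannot swap the whole
# parent directory for a fresh one with default permissions.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Protect-LogFolder -Path $LogRoot
Protect-LogFolder -Path $LogDir

# Copy a constructed sample file in; copying (unlike moving) makes the file
# inherit the hardened folder's ACL.
$sample = Join-Path $env:TEMP 'example.log'
Set-Content -Path $sample -Value 'constructed sample log line'
Copy-Item -Path $sample -Destination $LogDir

Invoke-Icacls @($LogDir)            # show the resulting ACL for inspection
if (-not (Test-OwnerRightsAcl -Path $LogDir)) { throw "ACL on $LogDir is not in the expected state" }
```

Run the script once with administrative privilege, then run `Test-FileImmutable` against a copied file from the unprivileged user's session; an elevated administrator still holds an explicit full-control entry after `/inheritance:d`, so testing as the administrator proves nothing. Remember that `/inheritance:d` copies whatever was inherited, so check the listing for any other group that was inherited from the parent and remove it as well.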